You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
@@ -241,6 +241,12 @@ For a discussion on alternatives please see [MSC3861]
Since this touches one of the most sensitive part of the API, there are a lot of security considerations to have.
The [OAuth 2.0 Security Best Practice](https://tools.ietf.org/html/draft-ietf-oauth-security-topics-16) IETF draft has many attack scenarios. Many of those scenarios are mitigated by the choices enforced in the client profiles outlined in this MSC.
It explains the following decisions on this profile:
- Using strict redirect URIs validation helps mitigate the risk of open redirection attacks.
- Using the `code` response mode, alongside PKCE mitigates the risk in cases of redirection hijacking.
- Usage of short-lived access tokens, along with rotation of refresh tokens mitigates the impact of leaked tokens.
- Using the system browser to authenticate users lowers the risk of credentials exfiltration by the client.
