From e25fd173ea945b86e2a0ebfd55d1bb29b89541e5 Mon Sep 17 00:00:00 2001 From: Quentin Gliech Date: Fri, 17 Jan 2025 10:22:20 +0100 Subject: [PATCH] Expand the security considerations section --- proposals/2964-oauth2-profile.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/proposals/2964-oauth2-profile.md b/proposals/2964-oauth2-profile.md index cc33f10e01c..c52c50aafee 100644 --- a/proposals/2964-oauth2-profile.md +++ b/proposals/2964-oauth2-profile.md @@ -241,6 +241,12 @@ For a discussion on alternatives please see [MSC3861] Since this touches one of the most sensitive part of the API, there are a lot of security considerations to have. The [OAuth 2.0 Security Best Practice](https://tools.ietf.org/html/draft-ietf-oauth-security-topics-16) IETF draft has many attack scenarios. Many of those scenarios are mitigated by the choices enforced in the client profiles outlined in this MSC. +It explains the following decisions on this profile: + + - Using strict redirect URIs validation helps mitigate the risk of open redirection attacks. + - Using the `code` response mode, alongside PKCE mitigates the risk in cases of redirection hijacking. + - Usage of short-lived access tokens, along with rotation of refresh tokens mitigates the impact of leaked tokens. + - Using the system browser to authenticate users lowers the risk of credentials exfiltration by the client. ## Unstable prefix
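Review bot: the second bullet of the new list calls `code` a "response mode", but in OAuth 2.0 `code` is the `response_type` (the authorization code grant); response modes are `query`, `fragment` and `form_post`. Suggest rewording to "Using the `code` response type (authorization code flow) together with PKCE mitigates the risk of authorization code interception in cases of redirect hijacking." Two smaller wording points in the same hunk: "strict redirect URIs validation" should read "strict redirect URI validation", and the lead-in sentence "It explains the following decisions on this profile:" has an ambiguous subject (the draft does not explain this profile's decisions; the decisions are motivated by it), so something like "The attack scenarios in that draft motivate the following choices in this profile:" would be clearer. For the third bullet, it would help the reader to state the mechanism the mitigation relies on: short-lived access tokens bound the window in which a leaked token is usable, and refresh token rotation means a leaked refresh token is invalidated after its next use, so the sentence could say so rather than just "mitigates the impact of leaked tokens".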