-
-
Notifications
You must be signed in to change notification settings - Fork 669
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OAuth, Add Requirement about protection against modification of the RAR authorization_details parameter #2151
Comments
In case we have a general requirement to cover that, we don't need to duplicate it into V51. At the moment I don't have match to provide from existing requirement for this. Corret me if I'm wrong, but the requirement feels quite a niche and edge case. If rar is used... But when watching the RFC9396, it seems like another "approved by RFC" way to leak sensitive information (the content of authorization_details) via URL parameters. |
@randomstuff - is this again "if public client && rar then jar"? If yes, I really would like to make a requirement "do not use public client" for L2, L3 (#1963). |
@elarlang, The goal here is to protect against modification from the user. I don't believe it makes much sense to protect the authorization request from the user when we have a public client. For public client, the client is expected to be some application running on the user device so we can't really prevent the user from messing it up or forging it. So my proposition should probably be completed as:
|
Without "server-side", is this close to the meaning?
|
My intent was to talk about backend-side clients i.e. clients which do not execute on the user device but on a backend server:
These two categories are somewhat related with the OAuth concept of public vs confidential clients but clients which executes on the user device can be confidential (with dynamic client registration). So something like:
|
The requirement should be positive - what must be achieved. (That is why my proposal in #2151 (comment) was worded differently) Previously "This can be achieved with PAR or JAR/JWS.", in the last one "This can for example be achieved using PAR.". |
Note that we currently have from #1964:
which is similarly worded? |
Actually this topic is quite similar to #1964 and we could use the same wording and mitigation for both. |
Using the same wording as for #1964:
I'll sync the wording with whatever comes out from #1964 (if applicable). |
I think this is in sync with #1964 but a little hard to read, perhaps this is more clear?
|
We updated the other requirement (I think), we should come up with positive-wording requirement here as well. |
I am coming up with:
but this can certainly be improved. |
Some moving around and changes:
Question as well: "user device" > "end-user device", "user-controlled device"? |
Yes maybe, "end-user device". |
Goes in via #2383:
|
Should be add a requirement about the risk of manipulation of the RAR authorization_details parameter?
See the security considerations from the RAR specification (emphasis mine):
i.e. when this is a concern, JAR or PAR can be used.
Straw man wording:
Argument against: This type of requirement can be generalized to other requests (outside of OAuth) which is one reason for not including this requirement in the OAuth chapter. A more general requirement could be used instead in V5. Are the requirements already in V5 enough?
Context: #2036
The text was updated successfully, but these errors were encountered: