-
-
Notifications
You must be signed in to change notification settings - Fork 662
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
51.2.2 - what is the purpose for the requirement? #2092
Comments
In the way I understood it, No, Although, I believe you are correct that the way |
Ack, the focus is "transaction-specific". Additionally, @randomstuff asked a question in #2041 (comment)
I think we need to reword it what problem the requirement solves and avoid duplication with other requirements. |
@randomstuff @TobiasAhnoff - any ideas how to solve this? |
Yes, I agree. They are redundant. |
I think, this should probably be somewhere and I don't believe it's currently really states but it is really more general than OAuth and should probably be somewhere else as well. This is related to:
"sufficient entropy" is somewhat left to interpretation. OAuth requires at least 128 bits and recommends 160 bits of entropy for tokens:
Note that the the wording in the the OAuth 2.1 draft is more general than the requirement in 6.3.3 as it applies to random/opaque tokens and for signature/MAC tokens. So the questions are:
|
I think the randomness is well covered in V6 (and if it is not, for general requirements it should be covered there)
I think the main focus should be "transaction-specific" to mitigate replay attacks. |
A thing to note is that this is part of the "OAuth Authorization Server", not the "OIDC OpenID Provider" section, so OIDC details should be avoided in the requirement, split, moved to OIDC or should we mix OAuth and OIDC in this case? For OAuth we could have
For OIDC,, given that it is clear that all OAuth requirements also applies to OIDC it could be:
or if we mix, like suggested above
I think none of them is perfect, but I think it is good to keep OIDC details separate to make it clear that OAuth can be used without OIDC and ID Tokens. |
I think my initial comment applies to the last proposal as well. I would not like to mix and duplicate ID token replay (51.3.2 (it is in incorrect section)) and OAuth client CSRF (51.3.5), additionally general PKCE requirement. Probably 2 directions from here:
In a way, if we have requirements like "Verify that, if the code flow is used, the OAuth Client has protection against CSRF attacks", then if the cause of not having the defense is the missing transaction-specific token, it is still the same requirement and the same problem, it is just finding the technical detail in it. |
Current requirement 51.2.2:
I'm quite confused, what is to goal for the requirement.
It starts with a claim to prevent authorization code replay into the authorization response - authorization code in authorization response is handled by the client and this is basically CSRF vector to prevent, it is covered now in 51.3.5:
Further, it requires validating the nonce in ID token, but this is to mitigate ID token replay attack to (OIDC) the client, but for that we have also a separate requirement (at the moment it is in wrong section, but this is another topic to discuss):
For me the requirement 51.2.2 seems to mix different things. Or did I miss the actual point for the requirement?
The text was updated successfully, but these errors were encountered: