Confirm we are following OAuth current best (security) practices #3020

gerardsn · 2024-04-05T09:15:02Z

Most up to date security practices: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-25
OAuth 2.1: https://datatracker.ietf.org/doc/draft-ietf-oauth-v2-1/10/ This contains changes that could be breaking with 2.0 due to differences in the spec and most implementations, but these are clearly listed. Other than that it is a good summary of the best practices.

reinkrul · 2024-04-30T14:39:31Z

Good practice i.m.o. is limiting the amount of bytes read to an in-memory buffer (or in general) when processing HTTP responses from outside sources (e.g. access token/authorize response).

Golang/x/oauth2 does this quite cleanly with a LimitReader: https://github.com/golang/oauth2/blob/84cb9f7f5c5a639955cd501bfdd54f0e63997e61/jwt/jwt.go#L139

See: #3076

woutslakhorst · 2024-09-23T08:10:07Z

Scanned the best-practises. Still relevant for OpenID4VP and the authorization code flow. Not for 6.0 though.

gerardsn added this to the V6 milestone Apr 5, 2024

woutslakhorst added the rc issues for release candidate label Jun 5, 2024

woutslakhorst added final and removed rc issues for release candidate labels Sep 12, 2024

woutslakhorst removed the final label Sep 23, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Confirm we are following OAuth current best (security) practices #3020

Confirm we are following OAuth current best (security) practices #3020

gerardsn commented Apr 5, 2024

reinkrul commented Apr 30, 2024 •

edited

Loading

woutslakhorst commented Sep 23, 2024

Confirm we are following OAuth current best (security) practices #3020

Confirm we are following OAuth current best (security) practices #3020

Comments

gerardsn commented Apr 5, 2024

reinkrul commented Apr 30, 2024 • edited Loading

woutslakhorst commented Sep 23, 2024

reinkrul commented Apr 30, 2024 •

edited

Loading