Comments (7)
My reason to open the issue - OAuth was not built for authentication, but if it is used only for that purpose, is it an acceptable solution, or does over-engineering open too many security holes?
https://auth0.com/intro-to-iam/what-is-oauth-2
OAuth 2.0 is an authorization protocol and NOT an authentication protocol. As such, it is designed primarily as a means of granting access to a set of resources, for example, remote APIs or user data.
@csfreak92 - I agree, based on my current knowledge, actionable requirement is not a likely outcome at the moment.
I changed the issue title and removed the "proposal" part from this, at the moment the goal is to have a discussion and collect arguments, is it worth having a requirement, recommendation, or mention in chapter texts, or all concerns are covered somehow with other requirements?
@randomstuff - yes, it was bad wording from my side. Including the issue title (modified this one as well).
I have seen too many times that the "authentication decision" or user data is read from a JWT-format access token. An access token is not meant for that. Often every token from the same authorization server is valid, and if it provides tokens to different applications (which is usually the case, because this is the entire point of it), every valid token from the same authorization server is enough to authenticate to the application.
So, my goal here is to collect feedback and arguments, is this something that requires further attention or not.
For example, you can log into Google via OIDC and also provide OAuth2 access to some of your Google resources to the given server.
Or the old service Mint may use your bank as a login provider and also delegate limited access to your bank transactions to Mint's server.
And in general, OIDC serves as authentication, while OAuth2 tokens can be limited in scope and provide limited access to resources.
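The two failure modes discussed in the thread (an application "logging a user in" because any signed access token from the authorization server validates, versus a relying party checking an OIDC ID token that was actually issued to it) can be shown side by side. The following is an added example, not code from the ASVS project or from any commenter. It assumes a toy HS256 authorization server with a shared secret (real deployments use asymmetric keys and JWKS), a constructed issuer `https://as.example`, a constructed client ID `web-app`, and a constructed API audience `https://photos.example/api`; the function names are hypothetical.

```python
# Added example (not from the issue thread). Shows why a valid JWT access token
# is not a proof of login for a different application, and what an OIDC relying
# party checks on an ID token instead. Secret, issuer, client IDs and claims
# below are constructed for the example only.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET = b"constructed-shared-secret"   # assumed HS256 key of the toy authorization server
ISSUER = "https://as.example"           # constructed issuer


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict) -> str:
    """Issue an HS256 JWT the way the toy authorization server would."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"


def verify_signature(token: str) -> dict:
    """Check the HS256 signature (and pin the alg) and return the claims."""
    header, body, sig = token.split(".")
    if json.loads(_unb64(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    return json.loads(_unb64(body))


# --- the pattern the thread warns about ---------------------------------
def login_with_access_token(token: str) -> Optional[str]:
    """Vulnerable: any unexpired, correctly signed token from the AS counts as
    a login. The audience is never checked, so a token minted for some other
    API or client of the same AS is accepted as 'authenticated'."""
    try:
        claims = verify_signature(token)
    except ValueError:
        return None
    if claims.get("iss") != ISSUER or claims.get("exp", 0) < time.time():
        return None
    return claims.get("sub")


# --- what an OIDC relying party checks on an ID token --------------------
def login_with_id_token(token: str, client_id: str, expected_nonce: str) -> Optional[str]:
    """Accept only an ID token issued to *this* client for *this* login attempt."""
    try:
        claims = verify_signature(token)
    except ValueError:
        return None
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if claims.get("iss") != ISSUER:
        return None
    if client_id not in aud:
        return None  # token was issued for somebody else
    if claims.get("exp", 0) < time.time():
        return None
    if claims.get("nonce") != expected_nonce:
        return None  # replayed, or from another session
    return claims.get("sub")


def demo() -> dict:
    now = int(time.time())
    # Access token that some other client obtained for the photos API.
    access_token = sign_jwt({"iss": ISSUER, "sub": "alice",
                             "aud": "https://photos.example/api",
                             "scope": "photos.read", "exp": now + 600})
    # ID token issued to our client ("web-app") for one login attempt.
    id_token = sign_jwt({"iss": ISSUER, "sub": "alice", "aud": "web-app",
                         "nonce": "n-123", "exp": now + 600})
    return {
        "access_token_accepted_by_vulnerable_login": login_with_access_token(access_token),
        "access_token_rejected_by_rp": login_with_id_token(access_token, "web-app", "n-123"),
        "id_token_accepted_by_rp": login_with_id_token(id_token, "web-app", "n-123"),
        "id_token_wrong_nonce": login_with_id_token(id_token, "web-app", "other"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The vulnerable function accepts the photos-API access token as a login for "alice", which is exactly the cross-application problem described above: the application has no way to tell whether the token was ever meant for it. The relying-party check rejects the same token on `aud`, and a correctly audienced ID token still fails when the `nonce` does not match the login attempt. An application that also needs delegated API access (the Google or Mint case) keeps the access token for calling the API and the ID token for deciding who is logged in; it never swaps the roles.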
I am not sure what our actionable recommendation could be for this issue, though. Maybe as a guide, let's write down the concern from this statement:
security problem to open up a new set of attack vectors.
Got any ideas @jsherm-fwdsec and @TobiasAhnoff?
directly OIDC should be used without OAuth overhead
I'm not sure I understand what you mean by that. OIDC is a layer on top of OAuth so …
There is absolutely a use-case to do a flow that includes both an OIDC claim (identity) and an OAuth2 claim (delegation) at the same time.
Got any solid examples @jmanico? I think that would solidify the argument if we have some great examples in case there were doubts from the community. :)