Closed garethsb closed 3 years ago
Actually, looks like I assigned blame for the link to the draft IETF "OAuth 2.0 for Browser-Based Apps" document to the wrong repo. It's actually linked from IS-10 Section 4.2 in:
Browser-based applications SHOULD abide by the guidelines set out in OAuth 2.0 for Browser-Based Apps.
(And also from the list of relevant RFCs in the Overview.)
@simonlo-sony points out that https://datatracker.ietf.org/doc/draft-ietf-oauth-mix-up-mitigation/ is an expired, inactive draft. We probably ought not to refer to that? Has it been incorporated into one of the other RFCs?
The other one is active, though the current -07 revision expires in about one month's time, so that's a good reason to continue to link to the datatracker URL rather than the specific revision. 👍
👏
IS-10 RAML says:
However, the reference id 'MIX-UP' is not defined in the RAML or elsewhere in the spec. As far as I can see it's a direct quote from https://tools.ietf.org/html/rfc8414#section-2 where MIX-UP refers to https://tools.ietf.org/html/draft-ietf-oauth-mix-up-mitigation-01.
The Authorization Implementation Guide refers to https://tools.ietf.org/html/draft-ietf-oauth-browser-based-apps-07, which in section 9.5 says:
However, I don't see anything in IS-10, BCP-003-02 or the IG about using a unique `redirect_uri` per auth server? Should that be required explicitly? Or are we assuming all auth servers on the network share a common record of registered clients, and does that, or something else, mitigate this?
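The mitigation the last comment asks about (a distinct `redirect_uri` registered per authorization server, so the client can tell which server actually redirected the user back) can be sketched as follows. This is an added illustration written for this page; it is not code from IS-10, BCP-003-02 or the Implementation Guide, and the issuer names, endpoints, client id and `redirect_uri` values are constructed. It goes one step beyond the comment by also checking the `iss` response parameter (RFC 9207) when an authorization server returns one.

```python
"""Added example: binding each pending authorization request to the AS it was
sent to, with an AS-specific redirect_uri, so a code delivered to the wrong
callback is rejected instead of being forwarded to the wrong token endpoint.
All names and URLs below are constructed for the illustration."""
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed issuer identifiers for two authorization servers on the network.
AS_A = "https://as-a.example.com"
AS_B = "https://as-b.example.com"


@dataclass
class AuthServer:
    issuer: str
    authorize_endpoint: str
    # A redirect_uri registered with this AS only; no other AS shares it.
    redirect_uri: str


@dataclass
class Client:
    servers: dict                                   # issuer -> AuthServer
    pending: dict = field(default_factory=dict)     # state -> issuer used

    def build_authorization_url(self, issuer: str, client_id: str) -> str:
        """Start a code flow at one AS and remember which AS that was."""
        as_ = self.servers[issuer]
        state = secrets.token_urlsafe(32)
        self.pending[state] = issuer
        params = {
            "response_type": "code",
            "client_id": client_id,
            "redirect_uri": as_.redirect_uri,   # AS-specific callback
            "state": state,
        }
        return f"{as_.authorize_endpoint}?{urlencode(params)}"

    def handle_callback(self, callback_url: str) -> str:
        """Return the issuer the code belongs to, or raise ValueError when the
        response is inconsistent with the request this client actually made."""
        parsed = urlparse(callback_url)
        query = parse_qs(parsed.query)
        state = query.get("state", [None])[0]
        expected_issuer = self.pending.pop(state, None)  # one use per state
        if expected_issuer is None:
            raise ValueError("unknown or already-used state")
        expected = self.servers[expected_issuer]
        # The callback URL itself identifies the AS that redirected here.
        arrived_at = f"{parsed.scheme}://{parsed.netloc}{parsed.path}"
        if arrived_at != expected.redirect_uri:
            raise ValueError("code arrived at the redirect_uri of a different AS")
        # Optional extra check: RFC 9207 lets an AS echo its issuer as `iss`.
        iss = query.get("iss", [None])[0]
        if iss is not None and iss != expected_issuer:
            raise ValueError("iss does not match the AS the request went to")
        return expected_issuer


def make_demo_client() -> Client:
    """Two constructed authorization servers, each with its own callback path."""
    return Client(servers={
        AS_A: AuthServer(AS_A, f"{AS_A}/authorize",
                         "https://client.example.net/cb/as-a"),
        AS_B: AuthServer(AS_B, f"{AS_B}/authorize",
                         "https://client.example.net/cb/as-b"),
    })


def simulate(mixed_up: bool) -> str:
    """Honest flow: the code comes back on the AS-A callback.
    Mixed-up flow: the same state comes back on the AS-B callback."""
    client = make_demo_client()
    url = client.build_authorization_url(AS_A, "client-123")
    state = parse_qs(urlparse(url).query)["state"][0]
    target = client.servers[AS_B if mixed_up else AS_A].redirect_uri
    callback = f"{target}?{urlencode({'code': 'constructed-code', 'state': state})}"
    try:
        return "ok:" + client.handle_callback(callback)
    except ValueError as err:
        return "rejected:" + str(err)


if __name__ == "__main__":
    print(simulate(mixed_up=False))   # accepted, issuer AS_A
    print(simulate(mixed_up=True))    # rejected: wrong AS callback
```

With a single shared `redirect_uri` the `arrived_at` comparison carries no information and the client must rely on `state` alone, which says nothing about which server produced the code; the per-AS path (or the `iss` parameter) is what lets the client refuse to exchange the code at a token endpoint it never sent the user to.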