Open randomstuff opened 2 days ago
Example of Keycloak not checking user consent for UMA grants: https://github.com/keycloak/keycloak/issues/30779#issuecomment-2192706558 :wink:
With 3.2.5 I addressed (https://github.com/OWASP/ASVS/issues/1815) (in my opinion) this problem - that you can not create a session for the user without user interaction / consent.
At the moment I can not see the need to create a new and separate requirement. Or this there specific aspect that is not covered? The text for current 3.2.5 can be improved for sure.
With 3.2.5 I addressed (https://github.com/OWASP/ASVS/issues/1815) (in my opinion) this problem - that you can not create a session for the user without user interaction / consent.
The 3.2.5 talks about session and is discussed in the context of session management. This actually applies to OAuth (authorization) flows as well which are not really sessions.
At the moment 3.2.5 just got in with the first wording that came to mind and to the first place that seems suitable.
If we will create new requirement for authorization or for OAuth, it must be some clear and specific reason to do that. My first option could be cover new needs into current 3.2.5, make it more abstract or wider, and maybe cover it in business logic flows.
We can make 3.2.5 more towards asking consent, as for CSRF we have a separate requirement to cover that.
A note on terminology: OAuth is not really an authorization framework, even though the documentation says it is. This implies traditional access control, which is not OAuth’s job.
OAuth is about access delegation - granting a third-party application or service limited access to resources without sharing credentials.
This distinction is important. Many have noted that it's confusing to call OAuth an authorization framework, and I agree. It can mislead developers. Calling it an access delegation framework—a distinct subset of authorization—is much clearer, and I believe the ASVS documentation should clarify this.
We can make 3.2.5 more towards asking consent, as for CSRF we have a separate requirement to cover that.
Sounds like a good approach to address consent, if it is clear that this also applies to OAuth scenarios (access delegation)
The 3.2.5 talks about session and is discussed in the context of session management. This actually applies to OAuth (authorization) flows as well which are not really sessions.
As a side note, in #2044 it is suggested to have a requirement like "Verify that user consent by default requested a minimal set of scopes.". I think it should be part of this discussion.
In OAuth / OpenID Connect, checking of the user's consent (before issuing the tokens to the client application and before exposing the users information to a client application) is an important topic. Authorization server often have features which make it possible to remember which authorization the user has already consented to and may skip the user consent verification in some cases.
Some excerpts of the Oauth 2.1 draft:
There is currently no wording about the consent verification (and especially under which conditions the authorization may skip the verification of the user's consent) outside of a generic things in V3:
Threat: if consent verification can be skipped some may (usually on the ground that the user consent has already been given in a previous grant), this could be exploited by an attacker in order to have the authorization server issue access tokens without the user's consent.
Should some verification/wording about user consent verification be included somewhere in the OAuth chapter?