aaronpk / oauth-first-party-apps

https://datatracker.ietf.org/doc/html/draft-parecki-oauth-first-party-apps

Prohibit moving sessions across devices #56

Closed PieterKas closed 7 months ago

PieterKas commented 9 months ago

Should we prohibit the auth_session from moving off-device, to avoid resumption of the session on another device (i.e. avoid the risks of session theft or session takeover)?

aaronpk commented 8 months ago

auth_session is expected to be device bound

PieterKas commented 8 months ago

Discussion

  1. Add a statement that authorization sessions are device bound.
  2. Make it normative in the spec.

aaronpk commented 7 months ago
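To make the device-binding requirement concrete, here is an added illustration (not code from the draft or from this repository, and not the draft's specified mechanism) of what an authorization server can do so that an `auth_session` value copied to another device is useless on its own. It assumes the device registers a per-device key with the server when the session is issued and proves possession of that key on every resumption; a symmetric HMAC key stands in here for the asymmetric, DPoP-style proof of possession a real deployment would use. All names (`AuthorizationServer`, `issue_auth_session`, `resume`, `make_proof`) are assumptions for the example.

```python
"""Illustration of binding an auth_session to a device-held key.

Added example; not the draft's mechanism. A symmetric per-device key
registered at issuance stands in for an asymmetric (DPoP-style) proof of
possession. All names here are assumptions, not identifiers from the draft.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class AuthSessionRecord:
    user_id: str
    device_key: bytes                            # registered by the device at issuance
    created_at: float
    seen_nonces: Set[str] = field(default_factory=set)   # replay protection for proofs


def make_proof(device_key: bytes, auth_session: str, nonce: str) -> bytes:
    """Device side: prove possession of the bound key for this auth_session and nonce."""
    msg = auth_session.encode() + b"\x00" + nonce.encode()
    return hmac.new(device_key, msg, hashlib.sha256).digest()


class AuthorizationServer:
    SESSION_LIFETIME_SECONDS = 3600

    def __init__(self) -> None:
        self._sessions: Dict[str, AuthSessionRecord] = {}

    def issue_auth_session(self, user_id: str, device_key: bytes) -> str:
        """Issue an opaque auth_session and record which device key it is bound to."""
        auth_session = secrets.token_urlsafe(32)
        self._sessions[auth_session] = AuthSessionRecord(user_id, device_key, time.time())
        return auth_session

    def resume(self, auth_session: str, nonce: str, proof: bytes) -> Optional[str]:
        """Return the user_id only if the proof shows the caller holds the bound device key.

        A bare auth_session string (e.g. one exfiltrated to another device)
        fails here because the other device cannot compute a valid proof.
        """
        rec = self._sessions.get(auth_session)
        if rec is None:
            return None                                    # unknown or revoked session
        if time.time() - rec.created_at > self.SESSION_LIFETIME_SECONDS:
            return None                                    # expired
        if nonce in rec.seen_nonces:
            return None                                    # replayed proof
        expected = make_proof(rec.device_key, auth_session, nonce)
        if not hmac.compare_digest(expected, proof):
            return None                                    # not the bound device
        rec.seen_nonces.add(nonce)
        return rec.user_id


def demo() -> Dict[str, Optional[str]]:
    """Constructed scenario: same device succeeds, replay and other device fail."""
    server = AuthorizationServer()
    device_a_key = secrets.token_bytes(32)   # constructed sample device keys
    device_b_key = secrets.token_bytes(32)
    auth_session = server.issue_auth_session("alice", device_a_key)

    n1 = secrets.token_urlsafe(16)
    proof_a = make_proof(device_a_key, auth_session, n1)
    same_device = server.resume(auth_session, n1, proof_a)
    replay = server.resume(auth_session, n1, proof_a)

    # Device B has the auth_session string but not device A's key.
    n2 = secrets.token_urlsafe(16)
    other_device = server.resume(auth_session, n2, make_proof(device_b_key, auth_session, n2))

    return {"same_device": same_device, "replay": replay, "other_device": other_device}


if __name__ == "__main__":
    print(demo())
```

The point of the check is that the server never accepts `auth_session` by value alone: the proof is tied to the session identifier, to a fresh nonce (so a captured proof cannot be replayed), and to key material that stays on the issuing device.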

Resolved in #57