nuts-foundation / nuts-node

The reference implementation of the Nuts specification. A decentralized identity network based on the W3C SSI concepts with practical functionality for the healthcare domain.
https://nuts-foundation.gitbook.io
GNU General Public License v3.0

Confirm we are following OAuth current best (security) practices #3020

Open gerardsn opened 6 months ago

gerardsn commented 6 months ago

Most up-to-date security practices: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-25
OAuth 2.1: https://datatracker.ietf.org/doc/draft-ietf-oauth-v2-1/10/
This contains changes that could be breaking with 2.0 due to differences in the spec and most implementations, but these are clearly listed. Other than that, it is a good summary of the best practices.

reinkrul commented 5 months ago

Good practice, IMO, is limiting the number of bytes read into an in-memory buffer (or in general) when processing HTTP responses from outside sources (e.g. access token/authorize responses).

Golang/x/oauth2 does this quite cleanly with a LimitReader: https://github.com/golang/oauth2/blob/84cb9f7f5c5a639955cd501bfdd54f0e63997e61/jwt/jwt.go#L139

See: https://github.com/nuts-foundation/nuts-node/pull/3076
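As an added illustration of the bounded-read practice described in the comment above (example code, not nuts-node's or golang/oauth2's): a Go token-response reader that wraps the upstream body in an io.LimitReader and rejects, rather than truncates, any body over the cap. The 1 MiB limit and the type and function names are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"strings"
)

// MaxTokenResponseBytes caps buffered token response bytes; 1 MiB is an assumed value, not nuts-node's.
const MaxTokenResponseBytes int64 = 1 << 20

var ErrResponseTooLarge = errors.New("token response exceeds size limit")

type TokenResponse struct {
	AccessToken string `json:"access_token"`
}

// ReadBounded reads at most limit bytes; it asks for limit+1 so an over-limit body is detected and rejected.
func ReadBounded(body io.Reader, limit int64) ([]byte, error) {
	data, err := io.ReadAll(io.LimitReader(body, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(data)) > limit {
		return nil, ErrResponseTooLarge
	}
	return data, nil
}

// ParseTokenResponse decodes a token response read through ReadBounded, so decoding never sees an unbounded body.
func ParseTokenResponse(body io.Reader, limit int64) (*TokenResponse, error) {
	data, err := ReadBounded(body, limit)
	if err != nil {
		return nil, err
	}
	var tr TokenResponse
	if err := json.Unmarshal(data, &tr); err != nil {
		return nil, fmt.Errorf("decoding token response: %w", err)
	}
	return &tr, nil
}

func main() {
	huge := strings.NewReader(strings.Repeat("A", int(MaxTokenResponseBytes)+1)) // constructed body, one byte over the cap
	_, err := ReadBounded(huge, MaxTokenResponseBytes)
	fmt.Println("rejected:", errors.Is(err, ErrResponseTooLarge)) // prints true
}
```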

woutslakhorst commented 2 weeks ago

Scanned the best practices. Still relevant for OpenID4VP and the authorization code flow. Not for 6.0 though.