Open gerardsn opened 6 months ago
Good practice i.m.o. is limiting the number of bytes read into an in-memory buffer (or in general) when processing HTTP responses from outside sources (e.g. access token/authorize response).
Golang/x/oauth2 does this quite cleanly with a LimitReader: https://github.com/golang/oauth2/blob/84cb9f7f5c5a639955cd501bfdd54f0e63997e61/jwt/jwt.go#L139
Scanned the best practices. Still relevant for OpenID4VP and the authorization code flow. Not for 6.0 though.
Most up-to-date security practices: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-25

OAuth 2.1: https://datatracker.ietf.org/doc/draft-ietf-oauth-v2-1/10/

This contains changes that could be breaking with 2.0 due to differences in the spec and most implementations, but these are clearly listed. Other than that it is a good summary of the best practices.
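The bounded read described in the issue, as an added example (not code from this project or from golang/x/oauth2): `readBodyLimited` asks `io.LimitReader` for one byte more than the limit so that a body exactly at the limit is accepted while a larger one is rejected with an explicit error instead of being silently truncated; the limit value and the function names are assumptions for illustration.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// ErrBodyTooLarge is returned when a response body exceeds the configured limit.
var ErrBodyTooLarge = errors.New("response body exceeds size limit")

// readBodyLimited reads at most limit bytes from r. Reading limit+1 bytes
// lets us tell "exactly at the limit" apart from "over the limit", so an
// oversized body from a remote server is rejected rather than truncated.
func readBodyLimited(r io.Reader, limit int64) ([]byte, error) {
	if limit < 0 {
		return nil, errors.New("limit must be non-negative")
	}
	data, err := io.ReadAll(io.LimitReader(r, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(data)) > limit {
		return nil, ErrBodyTooLarge
	}
	return data, nil
}

// readTokenResponse applies the bound to an *http.Response body, the shape
// used when parsing an access token or authorization response.
func readTokenResponse(resp *http.Response, limit int64) ([]byte, error) {
	defer resp.Body.Close()
	return readBodyLimited(resp.Body, limit)
}

func main() {
	// Constructed sample bodies; no network access is needed.
	small := strings.NewReader(`{"access_token":"abc","token_type":"Bearer"}`)
	body, err := readBodyLimited(small, 1<<20) // assumed 1 MiB limit
	fmt.Println(len(body), err)

	huge := bytes.NewReader(bytes.Repeat([]byte("A"), 2<<20))
	_, err = readBodyLimited(huge, 1<<20)
	fmt.Println(errors.Is(err, ErrBodyTooLarge)) // true
}
```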