oauth-wg / oauth-v2-1

OAuth 2.1 is a consolidation of the core OAuth 2.0 specs
https://oauth.net/2.1/

Repeated authorization requests #140

Open aaronpk opened 1 year ago

aaronpk commented 1 year ago

From RFC6749 Security Considerations

The authorization server SHOULD NOT process repeated authorization requests automatically (without active resource owner interaction) without authenticating the client or relying on other measures to ensure that the repeated request comes from the original client and not an impersonator.

(Vittorio) This is unclear. As it currently reads it seems to prohibit things like getting a new authz code silently via iframe (and prompt=none or equivalent UX suppressing mechanism, please ignore the ITP complications for the sake of argument).

tlodderstedt commented 1 year ago

I would say the current practice is ok as long as there are alternative countermeasures in place, e.g. if the AS is sure the code is only released to the legit owner of the client id because it controls the redirect URI.

aaronpk commented 1 year ago

In OAuth 2.0, registration of the redirect URI was not required, which is why this paragraph is in here.

Now that registration is required in OAuth 2.1, the concern of being redirected to arbitrary redirect URIs silently without user interaction is much less.
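Added example, not part of the issue thread or the OAuth 2.1 draft: a minimal authorization-endpoint check in Python showing how the countermeasure named above (a pre-registered redirect URI compared by exact string match) lets an AS honour a repeated prompt=none request without resource-owner interaction. The client id, redirect URIs and function names are constructed for illustration.

```python
# Added example (not from the oauth-v2-1 repository): an authorization
# server deciding whether a repeated, non-interactive authorization request
# may be processed. The "other measure" from RFC 6749 that the thread relies
# on is redirect URI registration with exact matching (required in OAuth 2.1).
from dataclasses import dataclass
from urllib.parse import parse_qs

# Constructed registry: each client registers its complete redirect URIs.
REGISTERED_CLIENTS = {
    "app-123": {"https://client.example/cb", "https://client.example/alt-cb"},
}


@dataclass
class Decision:
    allowed: bool
    reason: str


def redirect_uri_registered(client_id: str, redirect_uri: str) -> bool:
    """Exact string comparison against the registered set (OAuth 2.1 rule).

    No prefix or pattern matching: "https://client.example/cb/x" and
    "https://client.example/cb?x=1" are different strings and are rejected.
    """
    return redirect_uri in REGISTERED_CLIENTS.get(client_id, set())


def handle_authorization_request(query: str, user_session_active: bool) -> Decision:
    """Decide whether an authorization request may proceed, and whether it may
    do so silently (prompt=none, e.g. from a hidden iframe).

    Because the code is only ever sent to a URI the legitimate client
    registered, an impersonator replaying the request cannot receive it,
    so re-issuing a code without user interaction is acceptable here.
    """
    params = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    client_id = params.get("client_id", "")
    redirect_uri = params.get("redirect_uri", "")
    if client_id not in REGISTERED_CLIENTS:
        return Decision(False, "unknown client_id")
    # Never redirect to an unregistered URI, not even to report an error.
    if not redirect_uri_registered(client_id, redirect_uri):
        return Decision(False, "redirect_uri is not registered for this client")
    if params.get("prompt") == "none":
        if not user_session_active:
            # Error is returned to the registered URI; no silent code issued.
            return Decision(False, "login_required")
        return Decision(True, "silent reauthorization: code sent to registered redirect_uri")
    return Decision(True, "interactive consent required before issuing a code")
```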