oauth-wg / oauth-v2-1

OAuth 2.1 is a consolidation of the core OAuth 2.0 specs
https://oauth.net/2.1/

Incorporated mix-up attack mitigations from security BCP #150

Closed kmzs closed 10 months ago

kmzs commented 1 year ago

Most of the text is copied from the security BCP and only slightly adjusted.

I am not sure if 2.1 needs to contain the detailed description of mix-up attacks and variants (56b6b6cdcfccf30baa124d37597d18a7cecf032e) or if it would be sufficient to add mix-up mitigations (2d07d10b9787d3798fab0913ff67ea1cd2e29d89).

aaronpk commented 1 year ago

Thank you, in general we have been erring on the side of leaving the detailed discussion of the security considerations in the Security BCP, and only moving the mitigation recommendations in 2.1. Would you be able to remove the detailed description from this PR?

kmzs commented 1 year ago

Finally had the time for this quick revert of my latest commit.

Do you think the description of mix-up is fine now? Should we add a reference to the detailed description of mix-up attacks in the security BCP?

aaronpk commented 10 months ago

Thanks, I added a reference to the security BCP in that section
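The mitigation this PR carries over from the Security BCP is, on the client side, a bookkeeping check: remember which authorization server each authorization request was sent to, and on return verify that the response came from that same server (via the `iss` response parameter of RFC 9207) before the code is sent to any token endpoint. The following is an added illustration of that check, not code from the oauth-v2-1 draft or from either commenter; the class and function names (`ASConfig`, `ClientSession`, `MixUpError`, `demo`) and the two issuer URLs are this example's own assumptions.

```python
# Added example: client-side mix-up defence as recommended by the OAuth Security
# BCP. The client records the issuer it sent the user to, keyed by the per-request
# `state`, and on return compares it with the `iss` parameter (RFC 9207) before
# redeeming the code. All names and URLs below are constructed for this example.
from dataclasses import dataclass, field
import secrets
from urllib.parse import parse_qs, urlparse


@dataclass(frozen=True)
class ASConfig:
    issuer: str
    authorization_endpoint: str
    token_endpoint: str


class MixUpError(Exception):
    """Raised when an authorization response cannot be tied to the AS the request went to."""


@dataclass
class ClientSession:
    # Hypothetical client-side store: state -> issuer the request was sent to.
    pending: dict = field(default_factory=dict)

    def start(self, as_cfg: ASConfig) -> str:
        """Begin a flow with one AS; return the state to embed in the request."""
        state = secrets.token_urlsafe(16)
        self.pending[state] = as_cfg.issuer
        return state

    def complete(self, redirect_url: str, known: dict) -> ASConfig:
        """Validate the redirect back and return the AS whose token endpoint may be used."""
        params = parse_qs(urlparse(redirect_url).query)
        state = params.get("state", [None])[0]
        if state is None or state not in self.pending:
            raise MixUpError("unknown or missing state")
        # pop() makes the state single-use as well.
        expected_issuer = self.pending.pop(state)
        iss = params.get("iss", [None])[0]
        if iss is None:
            raise MixUpError("authorization response lacks iss")
        if iss != expected_issuer:
            # Classic mix-up: the flow started with one AS but the code came from another.
            raise MixUpError(f"iss {iss!r} != issuer this request was sent to {expected_issuer!r}")
        # Only now is the code sent to the token endpoint of the AS the flow started with.
        return known[expected_issuer]


def demo():
    """Run an honest flow and a mix-up attempt; return (honest_ok, mixup_rejected)."""
    honest = ASConfig("https://honest.example", "https://honest.example/authorize",
                      "https://honest.example/token")
    attacker = ASConfig("https://attacker.example", "https://attacker.example/authorize",
                        "https://attacker.example/token")
    known = {c.issuer: c for c in (honest, attacker)}
    client = ClientSession()

    # Honest flow: request sent to honest AS, response carries its iss.
    st = client.start(honest)
    honest_ok = client.complete(
        f"https://client.example/cb?code=c1&state={st}&iss=https%3A%2F%2Fhonest.example",
        known) is honest

    # Mix-up: client believes it is talking to the attacker's AS, but the attacker
    # forwarded the user to the honest AS, whose response names the honest issuer.
    st = client.start(attacker)
    try:
        client.complete(
            f"https://client.example/cb?code=c2&state={st}&iss=https%3A%2F%2Fhonest.example",
            known)
        mixup_rejected = False
    except MixUpError:
        mixup_rejected = True
    return honest_ok, mixup_rejected


if __name__ == "__main__":
    print(demo())
```

Without the `iss` check the second flow would hand the honest AS's code to the attacker's token endpoint. The check only works if every AS the client talks to emits `iss` (RFC 9207); where one does not, the BCP's alternative is a distinct redirect URI per AS so the response's arrival point identifies the server.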