Strengthen "Authorization server SHOULD NOT process repeated authorization requests automatically" for public clients

oauth-wg / oauth-v2-1

OAuth 2.1 is a consolidation of the core OAuth 2.0 specs

https://oauth.net/2.1/

Other

51 stars 28 forks source link

Strengthen "Authorization server SHOULD NOT process repeated authorization requests automatically" for public clients #160

Open hickford opened 1 year ago

hickford commented 1 year ago

https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-09#name-client-impersonation

The authorization server SHOULD NOT process repeated authorization requests automatically (without active resource owner interaction) without authenticating the client or relying on other measures to ensure that the repeated request comes from the original client and not an impersonator.

How about strengthening this for public clients to MUST NOT?

hickford commented 1 year ago

Mailing list discussion https://mailarchive.ietf.org/arch/msg/oauth/P3snfqtO2Seb8iAYX8rRRu-16Aw/

Does anyone know why this is only SHOULD NOT? For public clients, how about strengthening it to MUST NOT? How else can the authorization server ensure the request comes from the original client, not an impersonator?