w3c / wot-security

a repo exclusively for security to better manage issues and security considerations for WoT
https://w3c.github.io/wot-security/

Provide guidance on use of OAuth 2 flows #194

Closed mmccool closed 3 years ago

mmccool commented 3 years ago

In the Security and Privacy Guidelines/Best Practices, we should provide explicit guidance on which flows to use when. In particular, the "client" flow is the only one suitable when a human is not in the loop. This is particularly important for automated scenarios. We also want to state that scripts (using the Scripting API) should NOT be involved in security negotiations; this needs to happen "outside" such scripts.

See https://github.com/w3c/wot/blob/master/PRESENTATIONS/2020-10-online-f2f/2020-10-22-WoT-F2F-Security-OAuth2-Aguzzi.pdf

mmccool commented 3 years ago

Note there is now a section in the Use Cases and Requirements document on OAuth2: https://w3c.github.io/wot-usecases/#oauth

We have to at least cite this in our security docs and in Best Practices recommend when particular flows should be used (e.g. device flow for IoT devices...). Note that I'd like to make Best Practices normative for Profiles (MUST), but just strong suggestions otherwise (since the security best practices doc is just informative we can't use RFC2119 assertions...). Technically we probably have to restate the relevant assertions in Profiles. So what should our recommendations be?
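As an added illustration of the flow guidance discussed in the two comments above (not code from the wot-security project or its authors), the following Python checks a Thing Description's `oauth2` security schemes for a flow that needs a human in the loop and builds the client-credentials token request that a runtime, rather than a script, would send. It assumes the TD 1.1 `oauth2` security-scheme vocabulary (`flow`, `token`, `scopes`) and the RFC 6749 section 4.4 token request; the TD, client id and secret are constructed sample values.

```python
"""Check a TD's oauth2 schemes for unattended use and build the
client-credentials token request. SAMPLE_TD is constructed input."""
import base64
import json
from urllib.parse import urlencode

# Flows usable when no human is present to log in or enter a code.
UNATTENDED_FLOWS = {"client"}

SAMPLE_TD = json.dumps({
    "@context": "https://www.w3.org/2022/wot/td/v1.1",
    "securityDefinitions": {
        "oauth2_sc": {"scheme": "oauth2", "flow": "client",
                      "token": "https://auth.example/token",
                      "scopes": ["read", "write"]},
        "oauth2_human": {"scheme": "oauth2", "flow": "code",
                         "authorization": "https://auth.example/authorize",
                         "token": "https://auth.example/token"},
    },
    "security": ["oauth2_sc"],
})


def oauth2_schemes(td_json):
    """Return {name: definition} for every oauth2 scheme in the TD."""
    td = json.loads(td_json)
    return {n: d for n, d in td.get("securityDefinitions", {}).items()
            if d.get("scheme") == "oauth2"}


def check_unattended(td_json):
    """Active oauth2 schemes whose flow needs a human in the loop."""
    td = json.loads(td_json)
    active = td.get("security", [])
    active = [active] if isinstance(active, str) else active
    schemes = oauth2_schemes(td_json)
    return [n for n in active
            if n in schemes and schemes[n].get("flow") not in UNATTENDED_FLOWS]


def client_credentials_request(scheme, client_id, client_secret):
    """Build (url, headers, body); client auth via HTTP Basic (RFC 6749 2.3.1)."""
    if scheme.get("flow") != "client":
        raise ValueError("client credentials request needs the 'client' flow")
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {creds}",
               "Content-Type": "application/x-www-form-urlencoded"}
    params = {"grant_type": "client_credentials"}
    if scheme.get("scopes"):
        params["scope"] = " ".join(scheme["scopes"])
    return scheme["token"], headers, urlencode(params)
```

The request tuple is what the runtime would POST to the token endpoint; nothing here is sent, and the secret never needs to reach the script that consumes the Thing.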

mmccool commented 3 years ago

Some possible recommendations:

mmccool commented 3 years ago

@Citrullin has volunteered to copy assertions about OAuth2 from the Use Cases document to the Best Practices document as a starting point for further discussion (please include "Resolves https://github.com/w3c/wot-security/issues/194" in the PR description). Also please comment on this issue for additional input.

Citrullin commented 3 years ago

Opened a PR in the best-practices repository. Review version.

Citrullin commented 3 years ago

Close, since PR is merged.