Confirm we are following OAuth current best (security) practices #3020

Open
gerardsn opened this issue Apr 5, 2024 · 2 comments

@gerardsn
Member

gerardsn commented Apr 5, 2024

Most up to date security practices: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-25
OAuth 2.1: https://datatracker.ietf.org/doc/draft-ietf-oauth-v2-1/10/ This contains changes that could be breaking with 2.0 due to differences in the spec and most implementations, but these are clearly listed. Other than that it is a good summary of the best practices.

@gerardsn gerardsn added this to the V6 milestone Apr 5, 2024
@reinkrul
Member

reinkrul commented Apr 30, 2024

Good practice i.m.o. is limiting the amount of bytes read to an in-memory buffer (or in general) when processing HTTP responses from outside sources (e.g. access token/authorize response).

Golang/x/oauth2 does this quite cleanly with a LimitReader: https://github.com/golang/oauth2/blob/84cb9f7f5c5a639955cd501bfdd54f0e63997e61/jwt/jwt.go#L139

See: #3076
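
The cap on bytes read from a token/authorize response, as described in the comment above, sketched as an added Go example (not part of the thread, the project's code, or golang/x/oauth2). The names `readLimited`, `parseTokenResponse`, `errTooLarge` and the 1 MiB `maxBody` value are assumptions; the function reads one byte past the cap so an oversized body is rejected instead of being silently truncated by the `LimitReader`.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"strings"
)

// maxBody is an assumed cap for this example; size it to your largest expected token response.
const maxBody = 1 << 20 // 1 MiB
var errTooLarge = errors.New("response body exceeds size limit")

// tokenResponse holds the two token response fields this example checks.
type tokenResponse struct {
	AccessToken string `json:"access_token"`
	TokenType   string `json:"token_type"`
}

// readLimited reads at most max bytes from r, asking for max+1 so an oversized body is detected.
func readLimited(r io.Reader, max int64) ([]byte, error) {
	data, err := io.ReadAll(io.LimitReader(r, max+1))
	if err != nil {
		return nil, err
	}
	if int64(len(data)) > max {
		return nil, errTooLarge
	}
	return data, nil
}

// parseTokenResponse decodes a token endpoint body (e.g. http.Response.Body) under the cap.
func parseTokenResponse(body io.Reader, max int64) (*tokenResponse, error) {
	data, err := readLimited(body, max)
	if err != nil {
		return nil, err
	}
	tr := new(tokenResponse)
	if err := json.Unmarshal(data, tr); err != nil {
		return nil, fmt.Errorf("decode token response: %w", err)
	}
	return tr, nil
}

func main() {
	// Constructed sample body, not captured from a real server.
	fmt.Println(parseTokenResponse(strings.NewReader(`{"access_token":"example","token_type":"Bearer"}`), maxBody))
}
```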

@woutslakhorst woutslakhorst added the rc issues for release candidate label Jun 5, 2024
@woutslakhorst woutslakhorst added final and removed rc issues for release candidate labels Sep 12, 2024
@woutslakhorst
Member

Scanned the best practices. Still relevant for OpenID4VP and the authorization code flow. Not for 6.0 though.
