SECDIR Review: Section 10.2 - how to do the agreement between client and server "a priori"?

Issue #27 resolved
Nat Sakimura repo owner created an issue

Section 10.2 indicates that a client and server might agree, a priori, to use the non-protected parameters transmitted in a request. It does not indicate how this might have been done (hopefully, in a secure fashion).

Comments (2)

  1. Nat Sakimura reporter

    IMHO, that is out of scope of the document. It could have been an agreement in a risk evaluation f2f meeting. When it uses unprotected parameters, the authorization request is not secure within the application layer. However, there could be some other control mechanisms outside OAuth to make the transaction secure anyway.
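What "using the non-protected parameters" amounts to at the authorization server, as an added example that is not part of this issue thread or of the OAuth document under review: the a-priori agreement the reviewer asks about has to exist somewhere outside the request itself, and the natural place is the client's registration record. The Python below assumes exactly that (a hard-coded CLIENT_POLICY table with made-up secrets and an allow_unprotected_params flag per client), an HS256-signed request object carried in the request query parameter (request_uri is not handled), and constructed sample requests. The default policy refuses any plaintext parameter outside the request object; a client that has opted in gets its plaintext parameters merged, with the signed values always winning on conflict.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlencode

# Constructed per-client policy table (assumption, not from the thread). The
# allow_unprotected_params flag is the machine-readable form of the out-of-band
# ("a priori") agreement: provisioned at registration, never taken from the request.
CLIENT_POLICY = {
    "s6BhdRkqt3": {"secret": b"demo-secret-strict-client", "allow_unprotected_params": False},
    "legacy-client": {"secret": b"demo-secret-legacy-client", "allow_unprotected_params": True},
}

# Query parameters that carry the request object and so must be read before
# anything is verified; every other query parameter is unprotected.
TRANSPORT_PARAMS = {"client_id", "request", "request_uri"}


class RequestRejected(Exception):
    """Raised when the authorization request must not be processed."""


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_request_object(payload: dict, secret: bytes) -> str:
    """Client side: wrap the authorization parameters in an HS256-signed compact JWS."""
    header_b64 = b64url(json.dumps({"alg": "HS256"}, separators=(",", ":")).encode())
    payload_b64 = b64url(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{header_b64}.{payload_b64}"
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def verify_request_object(token: str, secret: bytes) -> dict:
    """Server side: verify the signature and return the protected parameters."""
    parts = token.split(".")
    if len(parts) != 3:
        raise RequestRejected("malformed request object")
    header_b64, payload_b64, sig_b64 = parts
    # Pin the algorithm instead of trusting the unverified header's alg field.
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise RequestRejected("unsupported alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise RequestRejected("request object signature invalid")
    return json.loads(b64url_decode(payload_b64))


def resolve_authorization_request(query_string: str) -> dict:
    """Return the parameter set the server will act on, or raise RequestRejected."""
    query = {k: v[0] for k, v in parse_qs(query_string, keep_blank_values=True).items()}
    policy = CLIENT_POLICY.get(query.get("client_id"))
    if policy is None:
        raise RequestRejected("unknown client_id")
    if "request" not in query:
        raise RequestRejected("request object required")
    protected = verify_request_object(query["request"], policy["secret"])
    if protected.get("client_id") != query["client_id"]:
        raise RequestRejected("client_id in request object does not match query")
    unprotected = {k: v for k, v in query.items() if k not in TRANSPORT_PARAMS}
    if unprotected and not policy["allow_unprotected_params"]:
        # Default stance: no agreement on file, so plaintext parameters are not honoured.
        raise RequestRejected(f"unprotected parameters not accepted: {sorted(unprotected)}")
    # Agreed merge rule for opted-in clients: protected values win on conflict, so
    # someone who can only edit the URL cannot override what the client signed.
    return {**unprotected, **protected}


def resolve_or_reason(query_string: str):
    """(True, params) on success, (False, reason) on rejection."""
    try:
        return True, resolve_authorization_request(query_string)
    except RequestRejected as exc:
        return False, str(exc)


def make_demo_query(client_id: str, extra_query=None) -> str:
    """Constructed request: a signed request object plus optional plaintext parameters."""
    payload = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": "https://client.example.org/cb",
        "scope": "openid",
    }
    token = sign_request_object(payload, CLIENT_POLICY[client_id]["secret"])
    query = {"client_id": client_id, "request": token}
    query.update(extra_query or {})
    return urlencode(query)


if __name__ == "__main__":
    # Someone who can edit the URL but not the signature adds a redirect_uri and a state.
    tampered = {"redirect_uri": "https://attacker.example/cb", "state": "xyz"}
    print(resolve_or_reason(make_demo_query("s6BhdRkqt3", tampered)))     # rejected
    print(resolve_or_reason(make_demo_query("legacy-client", tampered)))  # merged, signed redirect_uri wins
```

The point of the per-client flag is that the decision is taken once, during registration, by people who can weigh the compensating controls Nat mentions; the authorization endpoint itself never has to guess whether a plaintext parameter was intended.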
