Allowing Arbitrary Grant Types
The Credential Issuance spec leaves open which grant types can be used. If the Implicit Grant is used without a claimed redirect URL, the access token could fall into the hands of the attacker because there is no guarantee that the user will be redirected back to the wallet (native app) they started with. I think there should be some security considerations for using the Implicit Grant, or a recommendation on which grant types implementers should use. Any thoughts on this?
Comments (4)
reporter changed status to new
Since VCI is based on OAuth 2.0, the Security BCP applies: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-23#name-implicit-grant. The Security BCP clearly states:
“In order to avoid these issues, clients SHOULD NOT use the implicit grant (response type "token") or other response types issuing access tokens in the authorization response”
and VCI states, for both the Authorization and Token endpoints, to take into account the recommendations given in [I-D.ietf-oauth-security-topics].
I think the issue is addressed?
reporter changed status to resolved
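As an added example (not code from the issue thread or the OpenID4VCI spec), a hypothetical authorization-server request gate that enforces the Security BCP points raised above: it rejects response types that put an access token in the authorization response, exact-matches the redirect URI against the client's registration so a native wallet's redirect cannot be substituted, and requires PKCE. The client registry and URLs are constructed.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed registry (not a real deployment): client_id -> exact registered redirect URIs.
REGISTERED_CLIENTS = {
    "wallet-app": {"https://wallet.example/cb", "com.example.wallet:/oauth2redirect"},
}
# Only the code grant issues nothing in the authorization response; "token" and
# hybrid types such as "code token" place an access token in the redirect fragment,
# which is exactly what the Security BCP says clients SHOULD NOT use.
ALLOWED_RESPONSE_TYPES = {"code"}


def check_authorization_request(url: str) -> list[str]:
    """Return BCP violations for an authorization request URL; an empty list means accept."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    problems = []

    client = REGISTERED_CLIENTS.get(params.get("client_id", ""))
    if client is None:
        problems.append("unknown client_id")

    response_type = params.get("response_type", "")
    if response_type not in ALLOWED_RESPONSE_TYPES:
        problems.append(
            f"response_type {response_type!r} not allowed (implicit/hybrid issues token in redirect)"
        )

    # Exact string comparison, no prefix or wildcard matching: the code can only be
    # delivered to a URI the wallet registered, not to whatever the request claims.
    redirect_uri = params.get("redirect_uri")
    if client is not None and redirect_uri not in client:
        problems.append(f"redirect_uri {redirect_uri!r} not registered for this client")

    # Security BCP also requires PKCE for the code grant; accept only S256.
    if params.get("code_challenge_method") != "S256" or not params.get("code_challenge"):
        problems.append("missing PKCE (code_challenge with S256)")
    return problems


if __name__ == "__main__":
    implicit = ("https://issuer.example/authorize?response_type=token&client_id=wallet-app"
                "&redirect_uri=https://other.example/cb&state=xyz")
    code_flow = ("https://issuer.example/authorize?response_type=code&client_id=wallet-app"
                 "&redirect_uri=https://wallet.example/cb&code_challenge=abc"
                 "&code_challenge_method=S256&state=xyz")
    for name, url in (("implicit", implicit), ("code", code_flow)):
        print(name, check_authorization_request(url) or "accepted")
```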