Allowing Arbitrary Grant Types

Issue #1939 resolved
Fabian Hauck created an issue

The Credential Issuance spec leaves open which grant types can be used. If the Implicit Grant is used without a claimed redirect URL, the access token could fall into the hands of the attacker because there is no guarantee that the user will be redirected back to the wallet (native app) they started with. I think there should be some security considerations for using the Implicit Grant, or a recommendation on which grant types implementers should use. Any thoughts on this?

Comments (4)

  1. Kristina Yasuda

    Since VCI is based on OAuth 2.0, Security BCP applies. https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-23#name-implicit-grant. Security BCP clearly states "In order to avoid these issues, clients SHOULD NOT use the implicit grant (response type "token") or other response types issuing access tokens in the authorization response", and since VCI states for both Authorization and Token endpoints to take into account the recommendations given in [I-D.ietf-oauth-security-topics]. I think the issue is addressed?
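As an added example (not code from this thread, the VCI spec or the Security BCP), an authorization-endpoint check that applies the rules the comment cites: refuse any response type that returns an access token in the authorization response, require an exact match against the client's registered redirect URI, and require PKCE from public clients such as native wallets. The client registry, client_id and URLs are constructed for the example.

```python
"""Authorization-endpoint request check following the OAuth 2.0 Security BCP
(draft-ietf-oauth-security-topics): no token-issuing response types, exact
redirect_uri matching, and PKCE (S256) for public clients."""
from urllib.parse import parse_qs, urlsplit

# Constructed client registry for a hypothetical issuer; a real authorization
# server would load this from its client store.
REGISTERED_CLIENTS = {
    "wallet-app": {
        "public": True,                                   # native wallet, no client secret
        "redirect_uris": ["https://wallet.example/cb"],   # claimed HTTPS redirect URL
    },
}


def validate_authorization_request(url: str) -> tuple[bool, str]:
    """Return (accepted, reason) for a request to the authorization endpoint."""
    query = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    client = REGISTERED_CLIENTS.get(query.get("client_id", ""))
    if client is None:
        return False, "unknown client_id"
    response_type = query.get("response_type", "")
    # Security BCP: clients SHOULD NOT use the implicit grant ("token") or any
    # other response type that issues an access token in the authorization
    # response, so the server refuses every response type containing "token".
    if "token" in response_type.split():
        return False, f"response_type '{response_type}' issues a token in the front channel"
    if response_type != "code":
        return False, f"unsupported response_type '{response_type}'"
    # Exact string comparison: no prefix, wildcard or scheme-only matching.
    if query.get("redirect_uri") not in client["redirect_uris"]:
        return False, "redirect_uri is not registered for this client"
    # Public clients must use PKCE; only the S256 method is accepted here.
    if client["public"]:
        if not query.get("code_challenge"):
            return False, "public client must send a PKCE code_challenge"
        if query.get("code_challenge_method") != "S256":
            return False, "code_challenge_method must be S256"
    return True, "ok"
```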
