Basic - 6.1 Assertion Manufacture/Modification : In implicit flow, assertion may be sent over non-TLS channel
Issue #98
resolved
The spec requires the server endpoints to be TLS, but not the Clients. In implicit flow, the Assertion may be sent first to the browser, then to the non-TLS Client. Thus, the sentence is wrong.
For a non-TLS Web Server Client, one MUST use the code flow to mitigate this attack. For a Web Browser Client that was loaded from a non-TLS origin, one SHOULD use the implicit flow to avoid passing the access_token over a clear channel.
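The issue above concerns where the assertion travels: in the implicit flow it rides on the redirect to the client, so a non-TLS redirect target exposes it, while in the code flow the client fetches it from the TLS-protected token endpoint. The following is an added example, not code from the issue, the commenters, or the OpenID Connect specification: an authorization-server-side check that refuses to deliver a front-channel assertion to a non-https redirect_uri but still admits a non-TLS client that asks for the code flow. The function names, the query strings and the policy of accepting only the https scheme are this example's own assumptions.

```python
"""Added example (not from issue #98 or the spec text): an /authorize request
check that enforces "implicit/hybrid flow only to a TLS client; non-TLS clients
must use the code flow".  Names and policy are this example's assumptions."""
from urllib.parse import urlsplit, parse_qs

# response_type values that place a token or assertion on the redirect itself
# (front channel) rather than behind the TLS-protected token endpoint.
FRONT_CHANNEL_TOKEN_TYPES = {"token", "id_token"}


def response_type_returns_assertion(response_type: str) -> bool:
    """True for implicit and hybrid flows, where an assertion rides on the redirect."""
    parts = set(response_type.split())
    return bool(parts & FRONT_CHANNEL_TOKEN_TYPES)


def redirect_uri_is_tls(redirect_uri: str) -> bool:
    """Only an https redirect target keeps a front-channel assertion off a clear channel."""
    return urlsplit(redirect_uri).scheme == "https"


def check_authorization_request(query: str) -> tuple:
    """Validate the query string of an authorization request.

    Returns (allowed, reason).  A non-TLS redirect_uri is acceptable only for
    the pure code flow, because there the client exchanges the code at the
    token endpoint (TLS required by the spec) instead of receiving the
    assertion on the redirect.
    """
    params = parse_qs(query, keep_blank_values=True)
    response_type = params.get("response_type", [""])[0]
    redirect_uri = params.get("redirect_uri", [""])[0]
    if not response_type or not redirect_uri:
        return False, "missing response_type or redirect_uri"
    if response_type_returns_assertion(response_type):
        if not redirect_uri_is_tls(redirect_uri):
            return False, ("implicit/hybrid flow requested but redirect_uri is "
                           "not https; a non-TLS client must use response_type=code")
        return True, "front-channel assertion delivered to a TLS client"
    if response_type == "code":
        return True, "code flow; assertion is obtained via the TLS token endpoint"
    return False, "unsupported response_type %r" % response_type


if __name__ == "__main__":
    # Constructed sample requests for this example; not taken from the issue.
    samples = [
        "response_type=id_token%20token&client_id=abc&redirect_uri=http%3A%2F%2Fclient.example%2Fcb&nonce=n1",
        "response_type=id_token%20token&client_id=abc&redirect_uri=https%3A%2F%2Fclient.example%2Fcb&nonce=n1",
        "response_type=code&client_id=abc&redirect_uri=http%3A%2F%2Fclient.example%2Fcb",
    ]
    for sample in samples:
        print(check_authorization_request(sample))
```

The check is deliberately placed at the authorization server, since the client loaded from a non-TLS origin cannot protect the redirect itself; rejecting the request up front is what turns the thread's "clients MUST use TLS for this flow" into an enforced rule rather than guidance.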
Comments (4)
- changed status to open
Sec 3 was changed to state that clients MUST use TLS for this flow. Non-TLS clients must use the code flow.
- changed status to resolved
fixes #98 added xref to standard for code flow