1. OpenID Foundation Avatar OpenID Foundation
  2. WGs
  3. fapi
  4. Issues

OAuth Security BCP and FAPI

Issue #196 closed
Dave Tonge created an issue

As many WG members will be aware there is active work on: https://tools.ietf.org/html/draft-ietf-oauth-security-topics-10

As there is an overlap between the authors of the BCP and members of FAPI, and there are common goals between the 2 documents, I think we need to have a discussion on the connection between the documents.

For my perspective I would like to get FAPI to a position where we can categorically state that compliance with FAPI means that the security BCP is being adhered to.

Torsten has mentioned a few differences: - AS specific redirect_uris (these are only required for public clients) - PKCE (I actually don't think this is an issue, FAPI1 requires it and FAPI2 requires OIDC hybrid mode)

Other differences that I'm aware of: - sender-constrained tokens (the BCP has this as a should, however we don't require it in Part 1)

Comments (10)

  1. Brian Campbell

    My understanding is that AS specific redirect_uris are a means of protecting against the so called mix-up attacks (not sure what that has to do with only public clients?) and the other countermeasure from draft-ietf-oauth-security-topics of returning identifiers for the AS/OP and client in the authorization response are already incorporated in FAPI with the ID Token as detached signature or JARM.

  2. Dave Tonge reporter

    Thanks Brian. We probably need to separate out FAPI part 1 and FAPI part 2.

    In FAPI part 1 there isn't a requirement to return the identifier in the authorization response. However there is this clause:

    shall use separate and distinct redirect URI for each authorization server that it talks to;

    When writing the issue yesterday I thought it was only applicable to public clients, however I've re-checked and all of the requirements for public clients in FAPI part 1 are also applicable to confidential clients.

    I will try and do a more exhaustive comparison between draft-ietf-oauth-security-topics and FAPI parts 1 and 2. But I actually think that FAPI part 1 is very close to draft-ietf-oauth-security-topics.

    FAPI part 1 does not require OpenID Connect.

  4. Bjorn Hjelm

    I would support the effort of adherence to the OAuth 2 Security BCP but I also don't believe there're major gaps. Per Dave's comment, a more exhaustive comparison would help identify any gaps between FAPI and BCP.

  11. Log in to comment
Assignee
Type
bug
Priority
major
Status
closed
Component
FAPI 1: Baseline
Milestone
Votes
0
Watchers
1
Jira: the preferred issue tracker for Bitbucket. Join the team!