OAuth Security BCP and FAPI
As many WG members will be aware there is active work on: https://tools.ietf.org/html/draft-ietf-oauth-security-topics-10
As there is an overlap between the authors of the BCP and members of FAPI, and there are common goals between the 2 documents, I think we need to have a discussion on the connection between the documents.
For my perspective I would like to get FAPI to a position where we can categorically state that compliance with FAPI means that the security BCP is being adhered to.
Torsten has mentioned a few differences: - AS specific redirect_uris (these are only required for public clients) - PKCE (I actually don't think this is an issue, FAPI1 requires it and FAPI2 requires OIDC hybrid mode)
Other differences that I'm aware of: - sender-constrained tokens (the BCP has this as a should, however we don't require it in Part 1)
Comments (10)
-
-
reporter Thanks Brian. We probably need to separate out FAPI part 1 and FAPI part 2.
In FAPI part 1 there isn't a requirement to return the identifier in the authorization response. However there is this clause:
shall use separate and distinct redirect URI for each authorization server that it talks to;
When writing the issue yesterday I thought it was only applicable to public clients, however I've re-checked and all of the requirements for public clients in FAPI part 1 are also applicable to confidential clients.
I will try and do a more exhaustive comparison between draft-ietf-oauth-security-topics and FAPI parts 1 and 2. But I actually think that FAPI part 1 is very close to draft-ietf-oauth-security-topics.
FAPI part 1 does not require OpenID Connect.
-
Right, sorry, I tend to forget about part I.
-
I would support the effort of adherence to the OAuth 2 Security BCP but I also don't believe there're major gaps. Per Dave's comment, a more exhaustive comparison would help identify any gaps between FAPI and BCP.
-
- changed status to closed
Subsumed by the new security model document.
-
- changed component to Part 1: Baseline
-
- changed component to FAPI 1 - Part 1: Baseline
-
- changed component to FAPI 1 – Part 1: Baseline
-
- changed component to FAPI 1 – Baseline
-
- changed component to FAPI 1: Baseline
- Log in to comment
My understanding is that AS specific redirect_uris are a means of protecting against the so called mix-up attacks (not sure what that has to do with only public clients?) and the other countermeasure from draft-ietf-oauth-security-topics of returning identifiers for the AS/OP and client in the authorization response are already incorporated in FAPI with the ID Token as detached signature or JARM.