Passing access tokens in url query not disallowed in FAPI2SP?

Issue #708 resolved
Joseph Heenan created an issue

When reviewing the FAPI2 tests (which were created from the FAPI1 tests) the certification team have realised there’s no longer an equivalent clause to FAPI1 baseline’s “shall not accept access tokens in the query parameters stated in Section 2.3 of OAuth 2.0 Bearer Token Usage RFC6750;”

It is mentioned in security BCP: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#section-4.3.2

and in OAuth 2.1: https://drafts.oauth.net/oauth-v2-1/draft-ietf-oauth-v2-1.html#section-5.1

The certification team is not sure whether to retain the check that a resource server does not accept an access token in the url query, and if it is retained if it should just be a warning or if there is normative text somewhere that justifies a failure.
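
The RFC 6750 behaviour the test checks for, as an added example (this is not code from the issue, from the conformance suite or from any FAPI document): a resource-server-side token extractor that accepts a bearer token only from the Authorization header (and, optionally, the form-encoded body of RFC 6750 Section 2.2), rejects a token carried in the URI query parameter of Section 2.3, and rejects a request that presents a token by more than one method, which RFC 6750 Section 2 already forbids. Tokens in the query string leak into server logs, proxy logs, browser history and Referer headers, which is the reason both the security BCP and OAuth 2.1 linked above rule the method out. The names `extract_bearer_token`, `TokenLocationError` and `www_authenticate` are hypothetical.

```python
import re
from urllib.parse import parse_qs

# b64token syntax from RFC 6750 section 2.1:
#   1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
_B64TOKEN = re.compile(r"^[A-Za-z0-9\-._~+/]+=*$")


class TokenLocationError(Exception):
    """Hypothetical error type: carries the RFC 6750 section 3.1 error code,
    the HTTP status to return, and a human-readable description."""

    def __init__(self, error, status, description):
        super().__init__(description)
        self.error = error            # "" when no token was presented at all
        self.status = status
        self.description = description


def extract_bearer_token(method, headers, query_string, content_type=None,
                         body=None, allow_form_body=False):
    """Return the bearer token from a request, or raise TokenLocationError.

    Accepted locations: the Authorization header (RFC 6750 section 2.1) and,
    only when allow_form_body is True and the request is not a GET, the
    form-encoded body (section 2.2).  A token in the URI query parameter
    (section 2.3) is rejected with invalid_request, as is a request that
    presents the token by more than one method.
    """
    found = []  # (location, token) pairs, so multi-method use is detectable

    hdrs = {k.lower(): v for k, v in headers.items()}
    auth = hdrs.get("authorization")
    if auth is not None:
        parts = auth.split(None, 1)
        # The scheme name is case-insensitive (RFC 7235), the token is not.
        if len(parts) != 2 or parts[0].lower() != "bearer":
            raise TokenLocationError("invalid_request", 400,
                                     "Authorization header is not a Bearer credential")
        found.append(("header", parts[1].strip()))

    query = parse_qs(query_string or "", keep_blank_values=True)
    if "access_token" in query:
        found.append(("query", query["access_token"][0]))

    media_type = (content_type or "").split(";")[0].strip().lower()
    if body and media_type == "application/x-www-form-urlencoded":
        form = parse_qs(body, keep_blank_values=True)
        if "access_token" in form:
            found.append(("form", form["access_token"][0]))

    if not found:
        # Section 3.1: no token at all -> 401 challenge without an error code.
        raise TokenLocationError("", 401, "no access token presented")
    if len(found) > 1:
        raise TokenLocationError("invalid_request", 400,
                                 "access token presented by more than one method")

    location, token = found[0]
    if location == "query":
        raise TokenLocationError("invalid_request", 400,
                                 "access token in URI query parameter is not accepted")
    if location == "form" and (not allow_form_body or method.upper() == "GET"):
        raise TokenLocationError("invalid_request", 400,
                                 "access token in request body is not accepted here")
    if not _B64TOKEN.match(token):
        raise TokenLocationError("invalid_token", 401, "malformed bearer token")
    return token


def www_authenticate(exc, realm="example"):
    """Build the WWW-Authenticate challenge for a rejected request
    (RFC 6750 section 3); a missing token gets the bare realm challenge."""
    if not exc.error:
        return 'Bearer realm="%s"' % realm
    return 'Bearer realm="%s", error="%s", error_description="%s"' % (
        realm, exc.error, exc.description)


if __name__ == "__main__":
    # Constructed requests, not captured traffic.
    print(extract_bearer_token("GET", {"Authorization": "Bearer abc.def-ghi"}, ""))
    try:
        extract_bearer_token("GET", {}, "access_token=abc.def-ghi")
    except TokenLocationError as e:
        print(e.status, www_authenticate(e))
```

A conformance test that wants to exercise this sends the same token once in the header (expecting success) and once as `?access_token=` with no header, and treats anything other than a rejection of the second request as the finding; whether that finding is a warning or a failure is exactly the normative question the issue raises.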

Comments (1)