" don't use the Implicit or Resource Owner Password Credentials grant types"
I cannot overstate how strongly I would support this recommendation in particular!

Best regards
Rob

On Tue, 19 Nov 2019 at 10:07, Hans Zandbelt <[email protected]> wrote:

> How about:
>
> - don't use the Implicit or Resource Owner Password Credentials grant types
> - perform exact matching of redirect URIs and make them Client/AS specific
> - use PKCE
>
> Hans.
>
> On Tue, Nov 19, 2019 at 5:58 PM Torsten Lodderstedt <[email protected]> wrote:
>
>>
>> > On 19. Nov 2019, at 17:10, Hans Zandbelt <[email protected]> wrote:
>> >
>> > On Tue, Nov 19, 2019 at 10:38 AM Torsten Lodderstedt <[email protected]> wrote:
>> > Hi Hans,
>> >
>> > > On 18. Nov 2019, at 04:11, Hans Zandbelt <[email protected]> wrote:
>> > >
>> > > Hi,
>> > >
>> > > Please find my feedback from page 21 onwards below.
>> > >
>> > > Hans.
>> > >
>> > > Overall I would argue there's room for a very concise guidance section that says: do this, don't do that, without explanation, just as a reference for developers; the current text provides in depth analysis but that is perhaps not suitable for developers who just want to know what to do (or not to do) and don't really care about the background/reasoning
>> >
>> > While section 4 gives the raw security threat analysis, we tried to summarise the actionable guidance in section 3. What do you miss there?
>> >
>> > I'd rather see it even shorter and more concise, but I guess you're right, it is there
>>
>> Do you want to suggest some text?
>>
>> > >
>> > > P21
>> > > first bullet
>> > > "the client has bound this data to this particular instance." -> particular instance of what?
>> >
>> > This bullet refers to the note above.
>> >
>> > "Note: this check could also detect attempts to inject a code which
>> > had been obtained from another instance of the same client on another
>> > device, if certain conditions are fulfilled:"
>> >
>> > ok, I see
>> >
>> > >
>> > > 3rd paragraph:
>> > > "call to the tokens endpoint." -> "call to the token endpoint."
>> >
>> > Fixed
>> >
>> > >
>> > > last paragraph could forward point to the next section by adding something like
>> > > "using one of the mechanisms described in the next section."
>> >
>> > Incorporated
>> >
>> > >
>> > > P22
>> > > 3rd paragraph:
>> > > is the token binding guidance still accurate? it seems to be overestimating the adoption
>> >
>> > You mean this statement?
>> >
>> > "Token binding is
>> > promising as a secure and convenient mechanism (due to its browser
>> > integration). As a challenge, it requires broad browser support
>> > and use with native apps is still under discussion."
>> >
>> > yeah, but after re-reading I guess this actually spells out the adoption conditions, so it is fine
>> >
>> > Hans.
>> >
>> > Thanks,
>> > Torsten.
>> >
>> > > --
>> > > [email protected]
>> > > ZmartZone IAM - www.zmartzone.eu
>> > > _______________________________________________
>> > > OAuth mailing list
>> > > [email protected]
>> > > https://www.ietf.org/mailman/listinfo/oauth

--
Rob Otto
EMEA Field CTO/Solutions Architect
Ping Identity
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
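As an added illustration of the three bullets in Hans's reply (example code written for this page, not from the draft or from any participant in the thread), the checks an authorization server would run: refuse the Implicit and Resource Owner Password Credentials grants, compare the redirect URI by exact string match against the requesting client's own registered list, and require PKCE with S256. The client registry, URIs and error strings are constructed for the example.

```python
import base64
import hashlib
import secrets

# Constructed registry: each client owns its exact redirect URIs at this AS
# (registered per client, no shared prefixes, no wildcards).
CLIENTS = {
    "app-a": {"redirect_uris": {"https://a.example/cb"}},
    "app-b": {"redirect_uris": {"https://b.example/callback", "com.example.b:/cb"}},
}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def validate_authorization_request(client_id, response_type, redirect_uri,
                                   code_challenge, code_challenge_method):
    """Return None if the authorization request is acceptable, else an error code."""
    client = CLIENTS.get(client_id)
    if client is None:
        return "invalid_client"
    # Bullet 1: no Implicit grant. Any response_type that would return a token
    # from the authorization endpoint is refused; only "code" is accepted.
    if "token" in response_type.split() or response_type != "code":
        return "unsupported_response_type"
    # Bullet 2: exact string comparison against this client's list only.
    # No prefix, pattern or normalisation, so "https://a.example/cb/../x" fails.
    if redirect_uri not in client["redirect_uris"]:
        return "invalid_redirect_uri"
    # Bullet 3: PKCE is mandatory and only S256 is accepted ("plain" is refused).
    if not code_challenge or code_challenge_method != "S256":
        return "invalid_request"
    return None


def validate_token_request(grant_type, code_verifier, stored_code_challenge):
    """Return None if the token request is acceptable, else an error code."""
    # Bullet 1 again: the Resource Owner Password Credentials grant is refused.
    if grant_type == "password" or grant_type != "authorization_code":
        return "unsupported_grant_type"
    # RFC 7636: verifier is 43..128 characters; challenge = BASE64URL(SHA256(verifier)).
    if not 43 <= len(code_verifier) <= 128:
        return "invalid_grant"
    expected = _b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
    if not secrets.compare_digest(expected, stored_code_challenge):
        return "invalid_grant"
    return None


def make_pkce_pair():
    """Client side: fresh 256-bit verifier and its S256 challenge."""
    verifier = _b64url(secrets.token_bytes(32))  # 43 characters
    return verifier, _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
```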
