Hi

It’s not exactly what you asked for, but https://oauch.io/ was aiming to do 
this - although the online site currently seems to give a 500 error after 
logging in for me.

I’m sure the team behind it were planning to publish the results of the tool, 
but I can’t remember if they did yet.

There’s also the various certification tools the OpenID Foundation have 
(disclaimer: I work on these tools), though [other than the FAPI2 tests] these 
all also require that the server supports OpenID, and they give more of a 
pass/fail rather than a score.

Cheers

Joseph
> On 6 Apr 2023, at 16:41, M Hickford <mirth.hickf...@gmail.com> wrote:
> 
> Has anyone tried scoring how well public OAuth authorization servers
> follow the best practices described in
> https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics
> ?
> 
> I scored some software forges including GitHub, GitLab, BitBucket on a
> subset of best practices
> https://github.com/hickford/git-credential-oauth/issues/17 . This
> identified multiple issues. For example, of those three servers, only
> GitLab supports PKCE.
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

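As an added illustration of the kind of scoring the original post describes (this is example code written for this page, not the git-credential-oauth scorer, OAuch, or the OpenID Foundation tools), the script below grades an authorization server's RFC 8414 metadata document against a handful of security-topics BCP points: PKCE with S256, no implicit grant, no resource owner password grant, issuer identification in the authorization response (RFC 9207), and sender-constrained access tokens (mTLS per RFC 8705 or DPoP per RFC 9449). The three metadata documents are constructed for the example and describe no real server. Metadata only reports what a server advertises, so a real assessment still needs live checks (for instance whether a PKCE `code_verifier` is actually validated at the token endpoint and whether redirect URIs are matched exactly); those are out of scope here.

```python
import json

# RFC 8414: when grant_types_supported is omitted, these two are implied.
DEFAULT_GRANT_TYPES = ["authorization_code", "implicit"]

# Constructed sample metadata documents (RFC 8414 shape). Not real servers.
SAMPLE_METADATA = {
    "strong-as.example": json.dumps({
        "issuer": "https://strong-as.example",
        "authorization_endpoint": "https://strong-as.example/authorize",
        "token_endpoint": "https://strong-as.example/token",
        "response_types_supported": ["code"],
        "grant_types_supported": ["authorization_code", "refresh_token"],
        "code_challenge_methods_supported": ["S256"],
        "authorization_response_iss_parameter_supported": True,
        "dpop_signing_alg_values_supported": ["ES256"],
    }),
    "middling-as.example": json.dumps({
        "issuer": "https://middling-as.example",
        "authorization_endpoint": "https://middling-as.example/authorize",
        "token_endpoint": "https://middling-as.example/token",
        "response_types_supported": ["code"],
        "grant_types_supported": ["authorization_code", "password", "refresh_token"],
        "code_challenge_methods_supported": ["plain", "S256"],
    }),
    "legacy-as.example": json.dumps({
        "issuer": "https://legacy-as.example",
        "authorization_endpoint": "https://legacy-as.example/authorize",
        "token_endpoint": "https://legacy-as.example/token",
        "response_types_supported": ["code", "token"],
        "code_challenge_methods_supported": ["plain"],
    }),
}


def _offers_implicit(meta):
    """True if the server advertises the OAuth implicit grant in any form."""
    # A space-separated response_type component equal to "token" is the
    # implicit grant; "id_token" alone is OpenID Connect and not judged here.
    for rt in meta.get("response_types_supported", []):
        if "token" in rt.split():
            return True
    return "implicit" in meta.get("grant_types_supported", DEFAULT_GRANT_TYPES)


# (key, description, predicate over the parsed metadata) - one BCP point each.
CHECKS = [
    ("pkce_s256", "PKCE with S256 advertised",
     lambda m: "S256" in m.get("code_challenge_methods_supported", [])),
    ("no_implicit", "Implicit grant not offered",
     lambda m: not _offers_implicit(m)),
    ("no_password_grant", "Resource owner password grant not offered",
     lambda m: "password" not in m.get("grant_types_supported", DEFAULT_GRANT_TYPES)),
    ("issuer_in_response", "iss in authorization response (RFC 9207) advertised",
     lambda m: m.get("authorization_response_iss_parameter_supported") is True),
    ("sender_constrained", "mTLS-bound or DPoP-bound access tokens advertised",
     lambda m: m.get("tls_client_certificate_bound_access_tokens") is True
     or bool(m.get("dpop_signing_alg_values_supported"))),
]


def score_metadata(meta):
    """Run every check over one parsed metadata dict and return a summary."""
    results = {key: bool(check(meta)) for key, _desc, check in CHECKS}
    passed = sum(results.values())
    return {
        "issuer": meta.get("issuer"),
        "passed": passed,
        "total": len(CHECKS),
        "score": round(100 * passed / len(CHECKS)),
        "results": results,
    }


def score_samples(samples=SAMPLE_METADATA):
    """Parse and score each sample document; returns {name: summary}."""
    return {name: score_metadata(json.loads(doc)) for name, doc in samples.items()}


if __name__ == "__main__":
    for name, summary in score_samples().items():
        failed = [k for k, ok in summary["results"].items() if not ok]
        print(f"{name}: {summary['passed']}/{summary['total']} "
              f"({summary['score']}%) failed={failed}")
```

To point this at a real server, fetch `/.well-known/oauth-authorization-server` (or the OpenID `/.well-known/openid-configuration`) and pass the JSON text through `json.loads` into `score_metadata`; servers that publish no metadata at all, which is common among the forges the original post scored, simply cannot be graded this way and need the manual checks the post links to.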