Hi All,

I have a question about security of Device Authorization Grant (RFC 8628) used
by a public client.

For a public client, the device authorization endpoint is unauthenticated. So,
isn't this a possible attack surface for (D)DoS attacks?

When the Authorization Server receives a device authorization request, it
typically generates a device code, a user code, etc. and stores them in the
server's session storage. If an attacker impersonates a public client and sends
a lot of device authorization requests, it can exhaust the server's resources.
Or, at least, it can prevent legitimate users from using the service, I suppose.

I'm not so familiar with DDoS attacks, so I'm not sure we can mitigate the above
attack by general defense mechanisms against DDoS. I'd like to hear opinions
from experts.


Regards,
Toshio Ito
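The concern above is that the unauthenticated device authorization endpoint lets anyone make the server allocate state. The following is an added example (not part of the original message and not code from any RFC 8628 implementation) of a minimal device authorization endpoint that bounds that state: each pending device code expires after `expires_in`, the total number of outstanding codes is capped, and each request source is rate limited. The class name, the limit values, the verification URI and the error strings returned for the 429/503 cases are assumptions.

```python
# Added example: RFC 8628 device authorization endpoint with bounded pending
# state. DeviceAuthServer and its limits are assumed names/values.
import secrets
import time
from collections import deque

USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"  # no vowels, per RFC 8628 sec. 6.1


class DeviceAuthServer:
    def __init__(self, max_pending=1000, expires_in=300, per_source_limit=5, window=60):
        self.max_pending = max_pending          # cap on outstanding device codes
        self.expires_in = expires_in            # lifetime of a pending code (seconds)
        self.per_source_limit = per_source_limit  # requests per source per window
        self.window = window                    # rate-limit window (seconds)
        self.pending = {}                       # device_code -> (client_id, user_code, expiry)
        self.requests_by_source = {}            # source (e.g. client IP) -> deque of timestamps

    def _purge_expired(self, now):
        # Drop codes the user never completed so they cannot pile up forever.
        for code in [c for c, (_, _, exp) in self.pending.items() if exp <= now]:
            del self.pending[code]

    def _rate_limited(self, source, now):
        q = self.requests_by_source.setdefault(source, deque())
        while q and q[0] <= now - self.window:
            q.popleft()
        if len(q) >= self.per_source_limit:
            return True
        q.append(now)
        return False

    def device_authorization(self, client_id, source, now=None):
        """Handle a POST to the device authorization endpoint (RFC 8628 sec. 3.1/3.2).
        Returns (status, body); the error bodies for 429/503 are assumed, not from the RFC."""
        now = time.time() if now is None else now
        self._purge_expired(now)
        if self._rate_limited(source, now):
            return 429, {"error": "too_many_requests"}
        if len(self.pending) >= self.max_pending:
            return 503, {"error": "temporarily_unavailable"}
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(8))
        self.pending[device_code] = (client_id, user_code, now + self.expires_in)
        return 200, {"device_code": device_code,
                     "user_code": f"{user_code[:4]}-{user_code[4:]}",
                     "verification_uri": "https://as.example/device",  # assumed
                     "expires_in": self.expires_in, "interval": 5}
```

The rate limit only slows a single source; against a distributed flood the hard cap on pending codes is what keeps memory bounded, at the cost of refusing new grants until old ones expire.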


_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth