Re: [OAUTH-WG] Shepherd Review of draft-ietf-oauth-security-topics-23

2024-01-03 Thread Axel.Nennker
Why not RECOMMEND PKCE for CSRF protection, instead of that "MAY"? And in some cases MUST (verb) PKCE? //Axel From: Justin Richer Date: Wednesday, 3. January 2024 at 19:53 To: Nennker, Axel Cc: mail=40danielfett...@dmarc.ietf.org , oauth@ietf.org Subject: Re: [OAUTH-WG] Shepherd Review of dra

Re: [OAUTH-WG] Shepherd Review of draft-ietf-oauth-security-topics-23

2024-01-03 Thread Justin Richer
On Jan 3, 2024, at 12:30 PM, axel.nenn...@telekom.de wrote: The email discussion triggered me jumping into the discussion. Also, I am looking into this from a Camara PoV. https://github.com/camaraproject/IdentityAndConsentManagement Camara is about to define what is a MUST for authorization server

Re: [OAUTH-WG] Shepherd Review of draft-ietf-oauth-security-topics-23

2024-01-03 Thread Axel.Nennker
The email discussion triggered me jumping into the discussion. Also, I am looking into this from a Camara PoV. https://github.com/camaraproject/IdentityAndConsentManagement Camara is about to define what is a MUST for authorization servers etc and we are taking FAPI and the OAuth2 security best pr

Re: [OAUTH-WG] Shepherd Review of draft-ietf-oauth-security-topics-23

2024-01-03 Thread Daniel Fett
Hi Axel, It is to be expected that not all AS will immediately upgrade to adhere to the security BCP after its release. So a client who wants to use PKCE may encounter AS that don't support it. See also the discussion in https://mailarchive.ietf.org/arch/msg/oauth/ZiwEfenZZlboikXxBLes5ebPmBw

Re: [OAUTH-WG] Shepherd Review of draft-ietf-oauth-security-topics-23

2024-01-03 Thread Axel.Nennker
Hi Daniel, there is also this sentence in this section https://oauthstuff.github.io/draft-ietf-oauth-security-topics/draft-ietf-oauth-security-topics.html#name-authorization-code-grant in a paragraph on it own. "Authorization servers MUST support PKCE [RFC7636

[OAUTH-WG] OAuth WG Virtual Office Hours cancelled today

2024-01-03 Thread Rifaat Shekh-Yusef
All, Happy new year! I have cancelled the meeting for this week. Regards, Rifaat

[OAUTH-WG] Canceled Webex meeting: OAuth WG Virtual Office Hours

2024-01-03 Thread Rifaat Shekh-Yusef
[iCalendar cancellation notice (METHOD:CANCEL) for the OAuth WG Virtual Office Hours, TZID America/New_York; raw VCALENDAR body truncated]

Re: [OAUTH-WG] Shepherd Review of draft-ietf-oauth-security-topics-23

2024-01-03 Thread Daniel Fett
Hi Axel, I would be happy to see OAuth move away from state as a CSRF protection mechanism in the future, but there is not too much to be gained from relying solely on PKCE right now. The main advantage is that relying on PKCE incentivizes clients to properly manage the session state in a coo
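The thread above argues about whether PKCE (RFC 7636) can replace the `state` parameter as CSRF protection in the authorization code grant. The following is an added worked example, not code from the thread or from any of the participants: a hypothetical toy authorization server and client (names `ToyAuthorizationServer`, `ToyClient`, `run_flows` and the redirect URI are assumptions for illustration) that show why a code obtained in an attacker's session is rejected at the victim's callback, with the `state` check on or off. The S256 transform is the real one from RFC 7636; everything else is a constructed in-memory model, not a real OAuth library.

```python
"""Constructed example: PKCE (RFC 7636, S256) as CSRF/code-injection protection
for the authorization code grant, beside the classic `state` check.
Hypothetical toy AS and client; not a real OAuth implementation."""
import base64
import hashlib
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 Appendix A requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier() -> str:
    """code_verifier: 32 random octets -> 43 unreserved chars (RFC 7636 4.1)."""
    return b64url(secrets.token_bytes(32))


def make_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) (RFC 7636 4.2)."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class ToyAuthorizationServer:
    """Hypothetical AS: binds each code to client, redirect_uri and challenge."""

    def __init__(self):
        self._codes = {}

    def authorize(self, client_id, redirect_uri, code_challenge, method):
        if method != "S256":
            raise ValueError("only S256 is accepted here (plain is discouraged)")
        code = b64url(secrets.token_bytes(16))
        self._codes[code] = (client_id, redirect_uri, code_challenge)
        return code

    def token(self, client_id, redirect_uri, code, code_verifier):
        entry = self._codes.pop(code, None)  # codes are single-use
        if entry is None:
            return None
        bound_client, bound_uri, challenge = entry
        if (bound_client, bound_uri) != (client_id, redirect_uri):
            return None
        # The presented verifier must hash to the challenge sent at authorization.
        if not secrets.compare_digest(make_challenge(code_verifier), challenge):
            return None
        return {"access_token": b64url(secrets.token_bytes(16)), "token_type": "Bearer"}


class ToyClient:
    """Hypothetical client keeping state and verifier in the user's own session."""

    def __init__(self, server, check_state=True):
        self.server = server
        self.client_id = "app"                       # assumed client_id
        self.redirect_uri = "https://app.example/cb"  # assumed redirect URI
        self.check_state = check_state
        self.sessions = {}  # session_id -> {"verifier": ..., "state": ...}

    def start_login(self, session_id):
        verifier, state = make_verifier(), b64url(secrets.token_bytes(16))
        self.sessions[session_id] = {"verifier": verifier, "state": state}
        return {"client_id": self.client_id, "redirect_uri": self.redirect_uri,
                "code_challenge": make_challenge(verifier),
                "code_challenge_method": "S256", "state": state}

    def callback(self, session_id, code, state):
        pending = self.sessions.pop(session_id, None)
        if pending is None:
            return None  # no login in flight for this browser session
        if self.check_state and not secrets.compare_digest(pending["state"], state):
            return None  # RFC 6749 10.12 state check
        # The verifier comes from the victim's own session, never from the URL.
        return self.server.token(self.client_id, self.redirect_uri, code, pending["verifier"])


def run_flows(check_state):
    """Returns (honest_login_succeeded, injected_code_rejected)."""
    server = ToyAuthorizationServer()
    client = ToyClient(server, check_state=check_state)

    # Honest user: authorization request and callback in the same session.
    req = client.start_login("victim")
    code = server.authorize(req["client_id"], req["redirect_uri"],
                            req["code_challenge"], req["code_challenge_method"])
    honest = client.callback("victim", code, req["state"]) is not None

    # CSRF / code injection: the attacker completes authorization in their own
    # session, then makes the victim's browser deliver that code to the callback.
    client.start_login("victim")  # victim has a login pending
    attacker_req = client.start_login("attacker")
    attacker_code = server.authorize(attacker_req["client_id"], attacker_req["redirect_uri"],
                                     attacker_req["code_challenge"], "S256")
    injected = client.callback("victim", attacker_code, attacker_req["state"]) is not None
    return honest, not injected


if __name__ == "__main__":
    print("state + PKCE:", run_flows(True))   # (True, True)
    print("PKCE only:  ", run_flows(False))   # (True, True)
```

With `check_state=False` the state comparison is skipped, yet the injected code is still rejected, because the AS only releases a token to whoever presents the verifier matching the challenge it saw, and that verifier lives only in the attacker's session. This is the property the thread refers to: the protection holds only if the client ties the verifier to the browser session that started the login, which is exactly the session management the `state` parameter was meant to enforce.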