> On Mar 9, 2023, at 11:00 AM, Jaimandeep Singh wrote:
>
> Dear All,
>
> IMO it is not recommended to add this section because of the following:
> (a) It is a very specific use case for SPAs or similar design approach and
> does not warrant mentioning the same in the security BCP as it is
> On Mar 9, 2023, at 1:57 AM, Vittorio Bertocci wrote:
>
> On CORS for the authorization endpoint. I thought the MUST NOT was aimed at
> preventing programmatic access to the authorization endpoint from user
> agents. Flipping around: are there any other scenarios involving the
>
Dear All,
IMO it is not recommended to add this section because of the following:
(a) It is a very specific use case for SPAs or similar design approach and
does not warrant mentioning the same in the security BCP as it is further
likely to complicate and misrepresent the issue at hand.
(b) It's
> We can either expand on that nuance, or more simply switch the SHOULD to MAY so that we inform the reader of what it takes to support (a style of SPA) but we don't appear to be advocating for the less secure option.

I would argue that BFF is radically more secure and the SHOULD should remain or
It requires third-party cookies, which most browsers block by default, and
doesn't this assume that the cookie is set to SameSite=Lax or
SameSite=None? Wouldn't that directly expose that cookie to malicious
sites, letting them use it to steal Connect2id-generated access tokens?
Also what I don't
Hi all,
In regards to the use cases for CORS in the Authorization endpoint - what
about a SPA requesting a step-up reauthentication? Especially if it is
"silent", e.g. initiating out-of-band authentication without the need for
user interaction. Currently, we don't have too many options; it's
Hello Christopher,

Use of the wmrm specification does not require CORS at the authorization endpoint.

- Filip

> On 9. 3. 2023 at 10:12, Christopher Burroughs wrote:
>
> Greetings,
> I apologize in advance if this question (my first in this list!) is silly :)
> Regarding CORS support for the authorization endpoint, what
Greetings,
I apologize in advance if this question (my first in this list!) is silly :)
Regarding CORS support for the authorization endpoint, what about "web message"
silent refresh flows? While it never became an RFC, I reckon it is implemented
in quite a few places. Is this pattern
Ha, we chatted about this during yesterday's office hours meeting and I was
chartered to propose new language, but I am not sure how to incorporate
this new info. Let me try to summarize here and see your reactions, DW.
Apps implemented in SPAs style can either handle token acquisition and
renewal