[OAUTH-WG] Dynamic Client Registration with Native Apps

2018-11-29 Thread Christian Mainka
client. > Anyone reverse engineering their own installation of the native app would > only extract their own client's credentials, as opposed to the shared secret > of all installations. Having a confidential client means that requests to the > token endpoint (code, refresh) are client au

[OAUTH-WG] Dynamic Client Registration with Native Apps

2018-11-27 Thread Christian Mainka
nfidential Client? Which threats are covered if Dynamic Client Registration is used on Native Apps? Best Regards, Vladi/Christian [1]: https://tools.ietf.org/html/rfc8252#section-8.4 -- Dr.-Ing. Christian Mainka Horst Görtz Institute for IT-Security Chair for Network and Data Security Ruhr-

[OAUTH-WG] draft-parecki-oauth-browser-based-apps-01

2018-11-27 Thread Christian Mainka
PS URIs without wildcard domains or paths" Covert redirect can be used by abusing unprotected GET parameters (which are technically not the PATH). So maybe it would be better to say simply "without wildcards" or "without wildcard domains, paths, or queries"? - Section 7.

Re: [OAUTH-WG] OAuth 2.0 Security Best Current Practice | Issue in Mix-Up Countermeasure

2019-12-03 Thread Christian Mainka
irect_uri. Regards Christian [1]: https://tools.ietf.org/html/draft-ietf-oauth-security-topics-13#section-4.4.2 [2]: Step 4 in https://tools.ietf.org/html/draft-ietf-oauth-security-topics-13#section-4.4.1 On 02.12.19 11:26, Daniel Fett wrote: > Am 02.12.19 um 10:05 schrieb Chr

Re: [OAUTH-WG] OAuth 2.0 Security Best Current Practice | Issue in Mix-Up Countermeasure

2019-12-02 Thread Christian Mainka
utomatically applied. > These are more intrusive changes than the per-AS redirect URI and may > require new parameters. > > Daniel > > > ___ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth -- Dr.-Ing. Christian Mainka Horst Görtz Insti

Re: [OAUTH-WG] Call for Feedback on draft-ietf-oauth-iss-auth-resp-00

2021-05-10 Thread Christian Mainka
tergericht: Amtsgericht Bochum, HRB 14896 Managing directors: Prof. Dr. Jörg Schwenk, Prof. Dr. Juraj Somorovsky, Dr. Christian Mainka, Dr. Marcus Niemietz OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/list

[OAUTH-WG] Security Topics | Incorporate in-browser communication security considerations | PR53

2022-10-25 Thread Christian Mainka
Dual-Window Single Sign-On, https://distinct-sso.com/paper.pdf [2]: https://github.com/oauthstuff/draft-ietf-oauth-security-topics/pull/53 -- Dr.-Ing. Christian Mainka Horst Görtz Institute for IT-Security Chair for Network and Data Security Ruhr University Bochum, Germany Universitätsstr. 150, ID

Re: [OAUTH-WG] Security Topics | Incorporate in-browser communication security considerations | PR53

2022-10-27 Thread Christian Mainka
, 27 Oct 2022, 02:16 Daniel Fett wrote: Hi Christian, thanks for bringing this to our attention! I think the recommendations in the PR are very helpful and we will consider adding the text to the document. -Daniel On 25.10.22 at 15:37, Christian Mainka wrote: Hi, we would like to request