Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Repeated authorization requests #140

Open
aaronpk opened this issue Mar 13, 2023 · 2 comments
Open

Repeated authorization requests #140

aaronpk opened this issue Mar 13, 2023 · 2 comments
Labels
draft-00-feedback Feedback from reviews of draft -00 ietf-116

Comments

@aaronpk
Copy link
Member

aaronpk commented Mar 13, 2023

From RFC6749 Security Considerations

The authorization server SHOULD NOT process repeated authorization
requests automatically (without active resource owner interaction)
without authenticating the client or relying on other measures to
ensure that the repeated request comes from the original client and
not an impersonator.

(Vittorio) This is unclear. As it currently reads it seems to prohibit things like getting a new authz code silently via iframe (and prompt=none or equivalent UX suppressing mechanism, please ignore the ITP complications for the sake of argument).

@aaronpk aaronpk added draft-00-feedback Feedback from reviews of draft -00 ietf-116 labels Mar 13, 2023
@tlodderstedt
Copy link
Collaborator

I would say, the current practice is ok as long as there are alternative counter measures in place, e.g. if the AS is sure the code is only released to the legit owner of the client id because it controls the redirect URI.

@aaronpk
Copy link
Member Author

aaronpk commented Jul 14, 2023

In OAuth 2.0, registration of the redirect URI was not required, which is why this paragraph is in here.

Now that registration is required in OAuth 2.1, the concern of being redirected to arbitrary redirect URIs silently without user interaction is much less.

# for free to join this conversation on GitHub. Already have an account? # to comment
Labels
draft-00-feedback Feedback from reviews of draft -00 ietf-116
Projects
None yet
Development

No branches or pull requests

2 participants