Address OAuth security considerations #236

Open
@jspahrsummers

Description

Follow-up from #151.

https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-12#name-security-considerations

  • Authorization servers MUST prevent clickjacking attacks. Multiple countermeasures are described in [RFC6819], including the use of the X-Frame-Options HTTP response header field and frame-busting JavaScript. In addition to those, authorization servers SHOULD also use Content Security Policy (CSP) level 2 [CSP-2] or greater.
  • Based on its risk assessment, the AS needs to decide whether it can trust the redirect URI or not. It could take into account URI analytics done internally or through some external service to evaluate the credibility and trustworthiness content behind the URI, and the source of the redirect URI and other client data.
  • The AS SHOULD only automatically redirect the user agent if it trusts the redirect URI. If the URI is not trusted, the AS MAY inform the user and rely on the user to make the correct decision.
  • Add iss parameter, per https://www.rfc-editor.org/rfc/rfc9207.html
  • Require 127.0.0.1 instead of localhost?
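As an added example (not code from this issue or the project it tracks), the checks behind the last three items: the RFC 9207 `iss` check a client applies to the authorization response, the loopback redirect URI rule (127.0.0.1 / [::1] rather than localhost), and the exact-match redirect URI comparison an AS performs before deciding to trust a redirect. Metadata field names follow RFC 8414 / RFC 9207; the function and type names are assumed for illustration.

```typescript
// Added example: client- and AS-side checks for the last three items above.
// Not code from the issue's project; metadata field names follow RFC 8414 /
// RFC 9207, the function and type names are assumed for illustration.
export interface AuthServerMetadata {
  issuer: string;
  authorization_response_iss_parameter_supported?: boolean;
}
export interface CheckResult { ok: boolean; reason: string }

function parseUrl(s: string): URL | null {
  try { return new URL(s); } catch { return null; }
}

// RFC 9207: when the AS advertises iss support, a response with a missing or
// differing iss MUST be rejected. This stops mix-up attacks, where a response
// from one AS is delivered for a flow the client started with another.
export function checkAuthorizationResponse(
  meta: AuthServerMetadata, expectedState: string, redirectUrl: string,
): CheckResult {
  const u = parseUrl(redirectUrl);
  if (u === null) return { ok: false, reason: "unparseable redirect" };
  const p = u.searchParams;
  if (p.get("state") !== expectedState) return { ok: false, reason: "state mismatch" };
  const iss = p.get("iss");
  const issRequired = meta.authorization_response_iss_parameter_supported === true;
  if (iss === null && issRequired) return { ok: false, reason: "iss missing" };
  if (iss !== null && iss !== meta.issuer) return { ok: false, reason: "iss mismatch" };
  if (p.has("error")) return { ok: false, reason: `error: ${p.get("error")}` };
  if (!p.has("code")) return { ok: false, reason: "code missing" };
  return { ok: true, reason: "" };
}

// Loopback redirect URIs (RFC 8252 s7.3, kept in OAuth 2.1): the literal
// address 127.0.0.1 or [::1], not "localhost", which goes through name
// resolution and can be pointed elsewhere by a hosts file or resolver.
export function isLoopbackRedirectUri(uri: string): boolean {
  const u = parseUrl(uri);
  if (u === null || u.protocol !== "http:") return false;
  return u.hostname === "127.0.0.1" || u.hostname === "[::1]";
}

// Redirect URI comparison on the AS: exact string match, no prefix or
// pattern matching; the only tolerated variation is a loopback URI's port.
export function redirectUriMatches(registered: string, presented: string): boolean {
  if (registered === presented) return true;
  if (!isLoopbackRedirectUri(registered) || !isLoopbackRedirectUri(presented)) return false;
  const r = new URL(registered), q = new URL(presented);
  return r.hostname === q.hostname && r.pathname === q.pathname && r.search === q.search;
}
```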
