V51 OAuth: Add new OIDC Resource Server verifications #2049
Comments
Verifying that only access tokens are used for authorization (i.e. when used by a non-malicious client) is not the same as verifying that only access tokens are usable for authorization (lack of token type confusion vulnerability). Should this requirement address only the former point or both?
Related or duplicate discussion #2005?
@randomstuff reading this once more I understand the difference in wording and my intention was usable, so I suggest a change to
@elarlang I think this is the same discussion as #2005, maybe close this one and continue the discussion there, or the other way around?
Well, let's keep this discussion in #2005 (comment). Closed as duplicate.
The following verifications are suggested to be added for the Resource Server to the proposed new OIDC chapter (see #2037).
Resource Server
Verify that only access tokens are used for authorization, not other kinds of tokens like ID Tokens or Logout tokens. (L1,L2,L3)
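The distinction raised in the thread (tokens that are merely *used* for authorization versus tokens that are *usable*) comes down to what the resource server checks beyond the signature. The example below is added here for illustration and is not code from the ASVS project: a minimal resource-server check that, after verifying the signature, refuses anything that is not an access token. It constructs three tokens signed by the same key (an access token, an ID Token and a Back-Channel Logout token) to show that a signature check alone would accept all three, while the `typ` header (`at+jwt` per RFC 9068), the audience and the `events` claim separate them. The shared key, issuer URL, resource identifier and client ID are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example only (not from the issue or any deployment).
SHARED_KEY = b"example-hs256-key-not-for-production"
ISSUER = "https://op.example"          # assumed OpenID Provider issuer
RESOURCE_ID = "https://api.example"    # assumed identifier of this resource server
CLIENT_ID = "client-123"               # assumed client that obtained the tokens


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(header: dict, claims: dict) -> str:
    """Build a compact JWS with HS256; stands in for the OP's signing step."""
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(SHARED_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def authorize(token: str, now=None) -> tuple:
    """Resource-server decision: (accepted, reason). Rejects non-access tokens."""
    now = time.time() if now is None else now
    try:
        h_b64, c_b64, s_b64 = token.split(".")
    except ValueError:
        return False, "malformed"
    expected = hmac.new(SHARED_KEY, f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        return False, "bad signature"
    header = json.loads(_b64url_decode(h_b64))
    claims = json.loads(_b64url_decode(c_b64))
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    # Token type confusion: ID Tokens and Logout tokens from the same issuer pass the
    # signature check above. Require the access-token media type (RFC 9068).
    typ = str(header.get("typ") or "").lower()
    if typ != "at+jwt":
        return False, f"not an access token (typ={header.get('typ')!r})"
    if "events" in claims:  # Back-Channel Logout tokens always carry an events claim
        return False, "logout token"
    if claims.get("iss") != ISSUER:
        return False, "wrong issuer"
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if RESOURCE_ID not in aud:  # an ID Token's audience is the client, not this server
        return False, "audience is not this resource server"
    if claims.get("exp", 0) <= now:
        return False, "expired"
    return True, "ok"


def sample_tokens(now) -> dict:
    """Three constructed tokens from the same issuer and key."""
    base = {"iss": ISSUER, "iat": now, "exp": now + 300, "sub": "user-42"}
    access = sign_hs256({"alg": "HS256", "typ": "at+jwt"},
                        {**base, "aud": RESOURCE_ID, "client_id": CLIENT_ID, "scope": "read"})
    id_token = sign_hs256({"alg": "HS256", "typ": "JWT"},
                          {**base, "aud": CLIENT_ID, "nonce": "n-1"})
    logout = sign_hs256({"alg": "HS256", "typ": "logout+jwt"},
                        {**base, "aud": CLIENT_ID, "jti": "lt-1",
                         "events": {"http://schemas.openid.net/event/backchannel-logout": {}}})
    return {"access": access, "id": id_token, "logout": logout}


def evaluate(now=None) -> dict:
    """Run all three sample tokens through the resource-server check."""
    now = time.time() if now is None else now
    return {name: authorize(tok, now) for name, tok in sample_tokens(now).items()}


if __name__ == "__main__":
    for name, (ok, reason) in evaluate().items():
        print(f"{name:7s} accepted={ok} reason={reason}")
```

Only the `access` entry is accepted; the ID Token is rejected on `typ` (it would also fail the audience check) and the Logout token on `typ` (and, failing that, on the `events` claim). This is the "usable" side of the requirement: a well-behaved client never sends the other two, but the resource server must still refuse them.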