
ODATA-1643: Discourage use of implicit grant #238

Merged
merged 1 commit into from
Feb 28, 2024

Conversation

ralfhandl
Contributor

@@ -123,6 +123,7 @@
</ComplexType>

<ComplexType Name="OAuth2Implicit" BaseType="Authorization.OAuthAuthorization">
<Annotation Term="Core.Description" String="Security note: OAuth2 implicit grant is considered to be not secure and should not be used by clients, see [OAuth 2.0 Security Best Current Practice](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics.html#name-implicit-grant)." />
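Review bot: the warning is carried only in a free-text Core.Description string, so code generators and vocabulary tooling will not flag OAuth2Implicit mechanically; consider also annotating the ComplexType with Core.Revisions (Kind="Deprecated") so the deprecation is machine-readable, keeping the Description text for human readers. The link points at an IETF draft (draft-ietf-oauth-security-topics), whose URL will change once the document is published as an RFC, so it will need updating at that point.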
Contributor Author

@ralfhandl ralfhandl Feb 23, 2024

https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/05-Authorization_Testing/05-Testing_for_OAuth_Weaknesses states that

Two flows will be deprecated in the release of OAuth2.1, and their usage is not recommended:

  • Implicit Flow: PKCE’s secure implementation renders this flow obsolete. Prior to PKCE, the implicit flow was used by client-side applications such as single page applications since CORS relaxed the same-origin policy for sites to inter-communicate. For more information on why the implicit grant is not recommended, review this section.

This does not sound like a recommendation to use PKCE with implicit grant flow.
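As an added example (not code from the odata-vocabularies project or from this PR), the following script audits an OData CSDL document for the authorization scheme this change discourages: it resolves the alias declared for the Org.OData.Authorization.V1 vocabulary, walks every Authorization.Authorizations annotation, and reports each record with a flag on OAuth2Implicit. The embedded metadata, the scheme names and the example.test URLs are constructed; the vocabulary namespace, the Authorizations term and the OAuth2AuthCode record type are assumed from the Authorization vocabulary the hunk extends.

```python
# Added example: audit an OData CSDL document for Authorization.OAuth2Implicit
# records. Not code from the odata-vocabularies project; the sample metadata
# below is constructed for this example.
import xml.etree.ElementTree as ET

AUTH_VOCAB = "Org.OData.Authorization.V1"  # assumed vocabulary namespace
# Record types the vocabulary note argues against using.
DISCOURAGED_TYPES = {"OAuth2Implicit"}

# Constructed sample: one entity container annotated with two schemes,
# an implicit-grant scheme and an authorization-code scheme.
SAMPLE_CSDL = """<edmx:Edmx xmlns:edmx="http://docs.oasis-open.org/odata/ns/edmx" Version="4.0">
  <edmx:Reference Uri="https://oasis-tcs.github.io/odata-vocabularies/vocabularies/Org.OData.Authorization.V1.xml">
    <edmx:Include Namespace="Org.OData.Authorization.V1" Alias="Authorization"/>
  </edmx:Reference>
  <edmx:DataServices>
    <Schema xmlns="http://docs.oasis-open.org/odata/ns/edm" Namespace="Sample">
      <EntityContainer Name="Container"/>
      <Annotations Target="Sample.Container">
        <Annotation Term="Authorization.Authorizations">
          <Collection>
            <Record Type="Authorization.OAuth2Implicit">
              <PropertyValue Property="Name" String="legacy_implicit"/>
              <PropertyValue Property="AuthorizationUrl" String="https://login.example.test/authorize"/>
            </Record>
            <Record Type="Authorization.OAuth2AuthCode">
              <PropertyValue Property="Name" String="auth_code"/>
              <PropertyValue Property="AuthorizationUrl" String="https://login.example.test/authorize"/>
              <PropertyValue Property="TokenUrl" String="https://login.example.test/token"/>
            </Record>
          </Collection>
        </Annotation>
      </Annotations>
    </Schema>
  </edmx:DataServices>
</edmx:Edmx>
"""


def _local(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on qualified tag names."""
    return tag.rsplit("}", 1)[-1]


def _auth_prefixes(root: ET.Element) -> set[str]:
    """The vocabulary namespace plus every alias the document declares for it."""
    prefixes = {AUTH_VOCAB}
    for el in root.iter():
        if _local(el.tag) == "Include" and el.get("Namespace") == AUTH_VOCAB:
            alias = el.get("Alias")
            if alias:
                prefixes.add(alias)
    return prefixes


def audit_authorizations(csdl_xml: str) -> list[dict]:
    """One entry per Authorization record: its Name, bare record type, and a
    'discouraged' flag for the types listed in DISCOURAGED_TYPES."""
    root = ET.fromstring(csdl_xml)
    prefixes = _auth_prefixes(root)
    findings = []
    for annotation in root.iter():
        if _local(annotation.tag) != "Annotation":
            continue
        term_ns, _, term_name = annotation.get("Term", "").rpartition(".")
        if term_name != "Authorizations" or term_ns not in prefixes:
            continue
        for record in annotation.iter():
            if _local(record.tag) != "Record":
                continue
            type_ns, _, type_name = record.get("Type", "").rpartition(".")
            if type_ns not in prefixes:
                continue
            name = next((pv.get("String") for pv in record
                         if _local(pv.tag) == "PropertyValue"
                         and pv.get("Property") == "Name"), None)
            findings.append({"name": name, "type": type_name,
                             "discouraged": type_name in DISCOURAGED_TYPES})
    return findings


def implicit_grant_names(csdl_xml: str) -> list[str]:
    """Names of the authorization schemes that rely on the implicit grant."""
    return [f["name"] for f in audit_authorizations(csdl_xml) if f["discouraged"]]


if __name__ == "__main__":
    for f in audit_authorizations(SAMPLE_CSDL):
        print(f"{f['name']}: {f['type']} [{'DISCOURAGED' if f['discouraged'] else 'ok'}]")
```

Running the script on the sample prints the two schemes and marks legacy_implicit as discouraged; pointing it at a real $metadata document shows whether any service still advertises an implicit-grant scheme after this note lands in the vocabulary. Alias resolution matters because services rarely spell out the full Org.OData.Authorization.V1 namespace in record types.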

@HeikoTheissen HeikoTheissen changed the title Discourage use of implicit grant ODATA-1643: Discourage use of implicit grant Feb 28, 2024
@HeikoTheissen HeikoTheissen merged commit 1b596f3 into main Feb 28, 2024
1 check passed
@HeikoTheissen HeikoTheissen deleted the security/discourage-OAuth2-implicit-grant branch February 28, 2024 17:18