Hi all, thanks for your feedback. Here is my text proposal for section 3.8.1.
——

Attackers could try to utilize a user's trust in the authorization server (and its URL in particular) for performing phishing attacks. RFC 6749 already prevents open redirects by stating the AS MUST NOT automatically redirect the user agent in case of an invalid combination of client_id and redirect_uri. However, as described in [I-D.ietf-oauth-closing-redirectors], an attacker could also utilize a correctly registered redirect URI to perform phishing attacks. It could, for example, register a client via dynamic client registration and intentionally send an erroneous authorization request, e.g. by using an invalid scope value, to cause the AS to automatically redirect the user agent to its phishing site. The AS MUST take precautions to prevent this threat. Based on its risk assessment, the AS needs to decide whether it can trust the redirect URI or not and should only automatically redirect the user agent if it trusts the redirect URI. If not, it could inform the user that it is about to redirect her to another site and rely on the user to decide, or just inform the user about the error.

——

kind regards,
Torsten.
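The decision logic the proposal describes, as an added illustration (this is not code from the draft, the mailing-list thread, or any real authorization server): an invalid client_id/redirect_uri combination is never redirected, and an otherwise erroneous request (here, an unknown scope value) is only auto-redirected with an error response when the AS's own risk assessment has marked the client as trusted; for an untrusted registration the AS instead shows an interstitial that tells the user where it would send her. The client records, the `trusted` flag and the scope list are constructed sample data.

```python
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample client registrations (hypothetical, not from any real AS).
# `trusted` models the outcome of the AS's risk assessment, e.g. a client
# vetted by an administrator vs. one created via dynamic client registration.
@dataclass(frozen=True)
class Client:
    client_id: str
    redirect_uris: tuple
    trusted: bool

CLIENTS = {
    "vetted-app": Client("vetted-app", ("https://app.example/cb",), True),
    "dyn-7f3a": Client("dyn-7f3a", ("https://dyn-client.example/cb",), False),
}

# Scope values this sample AS knows about (constructed).
VALID_SCOPES = {"openid", "profile", "email"}

@dataclass(frozen=True)
class Decision:
    action: str          # "proceed", "redirect", "interstitial" or "error_page"
    location: str = ""   # target URL for "redirect"; proposed target for "interstitial"
    error: str = ""      # OAuth error code, if any

def error_redirect_url(redirect_uri, error, state):
    """Append error (and state, if present) to the registered redirect URI's query,
    as RFC 6749 section 4.1.2.1 prescribes for error responses."""
    parts = urlsplit(redirect_uri)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query.append(("error", error))
    if state is not None:
        query.append(("state", state))
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), parts.fragment))

def handle_authorization_request(params):
    """Decide how the AS answers an authorization request, given its query parameters."""
    client = CLIENTS.get(params.get("client_id"))
    redirect_uri = params.get("redirect_uri")
    # RFC 6749: an invalid client_id/redirect_uri combination must not be redirected at all.
    if client is None or redirect_uri not in client.redirect_uris:
        return Decision("error_page", error="invalid_request")
    requested = set(params.get("scope", "").split())
    if not requested <= VALID_SCOPES:
        location = error_redirect_url(redirect_uri, "invalid_scope", params.get("state"))
        if client.trusted:
            # Risk assessment says the redirect URI can be trusted: normal error redirect.
            return Decision("redirect", location, "invalid_scope")
        # Untrusted (e.g. dynamically registered) client: do not auto-redirect; let the
        # user see the destination and decide, as the proposed text suggests.
        return Decision("interstitial", location, "invalid_scope")
    return Decision("proceed")
```

The interstitial branch still computes the error URL so the page can show the user the exact destination; an AS that prefers the proposal's other option can simply return an error page there instead.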
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth