Hi,

As Joseph already mentioned, the OAuch tool aims to do that, and its results
have been published in a paper available here
<https://dl.acm.org/doi/abs/10.1145/3545948.3545955>.

In addition to OAuch, another example of a tool that can be used for the
same purpose is Micro-ID-Gym (MIG), which you can learn more about here
<https://st.fbk.eu/tools/Micro-Id-Gym>.

Thanks,
Amir

On Thu, Apr 6, 2023 at 10:54 AM Joseph Heenan <jos...@authlete.com> wrote:

> Hi
>
> It’s not exactly what you asked for, but https://oauch.io/ was aiming to
> do this - although the online site currently seems to give a 500 error
> after logging in for me.
>
> I’m sure the team behind it were planning to publish the results of the
> tool, but I can’t remember if they did yet.
>
> There’s also the various certification tools the OpenID Foundation have
> (disclaimer: I work on these tools), though [other than the FAPI2 tests]
> these all also require that the server supports OpenID, and they give more
> of a pass/fail rather than a score.
>
> Cheers
>
> Joseph
>
> > On 6 Apr 2023, at 16:41, M Hickford <mirth.hickf...@gmail.com> wrote:
> >
> > Has anyone tried scoring how well public OAuth authorization servers
> > follow the best practices described in
> > https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics ?
> >
> > I scored some software forges including GitHub, GitLab and BitBucket on a
> > subset of best practices:
> > https://github.com/hickford/git-credential-oauth/issues/17 . This
> > identified multiple issues. For example, of those three servers, only
> > GitLab supports PKCE.
> >
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth


-- 
*Amir Sharif*
*Researcher*
*Security and Trust Research Unit*
*Cybersecurity Center*
*Fondazione Bruno Kessler, Trento, Italy*
personal page: https://st.fbk.eu/people/amir-sharif
FBK web: www.fbk.eu
Security & Trust web: st.fbk.eu
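To make the kind of scoring Hickford describes concrete, here is an added example (not from the thread, and not code from the OAuch or MIG tools) that grades an authorization server's RFC 8414 metadata document against five recommendations drawn from the Security BCP: PKCE with S256, no implicit grant, no resource-owner password grant, an https issuer, and the RFC 9207 `iss` authorization-response parameter for mix-up defence. The two metadata documents are constructed samples, not fetched from any real server; the field names and their defaults are the ones RFC 8414 and RFC 9207 define.

```python
"""Score an OAuth authorization server's published metadata (RFC 8414)
against a subset of draft-ietf-oauth-security-topics recommendations.

Added example, not code from the thread or from OAuch/MIG. The sample
metadata documents below are constructed for illustration.
"""
from typing import Callable, Dict, List, Tuple

Check = Tuple[str, Callable[[dict], bool]]


def _response_types(m: dict) -> List[str]:
    # RFC 8414: response_types_supported is REQUIRED; treat absence as unknown.
    return list(m.get("response_types_supported", []))


def _grant_types(m: dict) -> List[str]:
    # RFC 8414 default when omitted is ["authorization_code", "implicit"].
    return list(m.get("grant_types_supported", ["authorization_code", "implicit"]))


def _pkce_methods(m: dict) -> List[str]:
    # RFC 8414: if omitted, the server does not support PKCE at all.
    return list(m.get("code_challenge_methods_supported", []))


CHECKS: List[Check] = [
    # BCP: public clients must use PKCE; S256 is the only transform to rely on.
    ("pkce_s256", lambda m: "S256" in _pkce_methods(m)),
    # BCP: the implicit grant should not be used. Fail if the implicit grant
    # type is advertised or any response type issues a token from the
    # authorization endpoint ("token", "code token", "id_token token", ...).
    ("no_implicit", lambda m: "implicit" not in _grant_types(m)
        and not any("token" in rt.split() for rt in _response_types(m))),
    # BCP: the resource owner password credentials grant should not be used.
    ("no_password_grant", lambda m: "password" not in _grant_types(m)),
    # The issuer identifier is the anchor for mix-up defence; it must be https.
    ("https_issuer", lambda m: str(m.get("issuer", "")).startswith("https://")),
    # RFC 9207: issuer identifier in authorization responses (mix-up defence).
    ("iss_in_authz_response",
     lambda m: m.get("authorization_response_iss_parameter_supported") is True),
]


def score_server(metadata: dict) -> Dict[str, object]:
    """Run every check and return per-check results plus a 0-100 score."""
    results = {name: bool(check(metadata)) for name, check in CHECKS}
    passed = sum(1 for ok in results.values() if ok)
    return {
        "results": results,
        "passed": passed,
        "total": len(CHECKS),
        "score": round(100 * passed / len(CHECKS)),
    }


# Constructed sample metadata documents (hypothetical hosts).
SAMPLE_METADATA: Dict[str, dict] = {
    "as.example": {
        "issuer": "https://as.example",
        "response_types_supported": ["code"],
        "grant_types_supported": ["authorization_code", "refresh_token"],
        "code_challenge_methods_supported": ["S256"],
        "authorization_response_iss_parameter_supported": True,
    },
    "legacy.example": {
        "issuer": "https://legacy.example",
        "response_types_supported": ["code", "token"],
        "grant_types_supported": ["authorization_code", "implicit", "password"],
        # no code_challenge_methods_supported: PKCE not offered at all
    },
}


def report(metadata_by_host: Dict[str, dict]) -> List[str]:
    """One summary line per server, sorted best-first."""
    rows = []
    for host, md in metadata_by_host.items():
        s = score_server(md)
        failed = [n for n, ok in s["results"].items() if not ok]
        rows.append((s["score"], f"{host}: {s['passed']}/{s['total']} "
                                 f"({s['score']}%) failed={failed}"))
    return [line for _, line in sorted(rows, reverse=True)]


if __name__ == "__main__":
    for line in report(SAMPLE_METADATA):
        print(line)
```

What metadata advertises is not the same as what the server enforces: a server can list `S256` and still accept authorization requests that omit `code_challenge`, or advertise `code` only and still honour a `response_type=token` request. A metadata score like this one is a cheap first pass; tools such as OAuch exercise the live endpoints to measure the enforced behaviour.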
