Re: [OAUTH-WG] Proposed OAuth Security BCP text on the use of CORS

2023-03-09 Thread David Waite
> On Mar 9, 2023, at 11:00 AM, Jaimandeep Singh wrote:
>
> Dear All,
>
> IMO it is not recommended to add this section because of the following:
> (a) It is a very specific use case for SPAs or similar design approach and does not warrant mentioning the same in the security BCP as it is

Re: [OAUTH-WG] Proposed OAuth Security BCP text on the use of CORS

2023-03-09 Thread David Waite
> On Mar 9, 2023, at 1:57 AM, Vittorio Bertocci wrote:
>
> On CORS for the authorization endpoint. I thought the MUST NOT was aimed at preventing programmatic access to the authorization endpoint from user agents. Flipping around: are there any other scenarios involving the authoriz

Re: [OAUTH-WG] Proposed OAuth Security BCP text on the use of CORS

2023-03-09 Thread Jaimandeep Singh
Dear All, IMO it is not recommended to add this section because of the following: (a) It is a very specific use case for SPAs or similar design approach and does not warrant mentioning the same in the security BCP as it is further likely to complicate and misrepresent the issue at hand. (b) It's

Re: [OAUTH-WG] Proposed OAuth Security BCP text on the use of CORS

2023-03-09 Thread Jim Manico
> We can either expand on that nuance, or more simply switch the SHOULD to MAY so that we inform the reader of what it takes to support (a style of SPA) but we don't appear to be advocating for the less secure option.

I would argue that BFF is radically more secure and the SHOULD should remain or ev

Re: [OAUTH-WG] Proposed OAuth Security BCP text on the use of CORS

2023-03-09 Thread Warren Parad
It requires third-party cookies, which most browsers block by default, and doesn't this assume that the cookie is set to SameSite=Loose or SameSite=None? Wouldn't that directly expose that cookie for malicious sites to utilize it to steal connect2Id-generated access tokens? Also, what I don't und

Re: [OAUTH-WG] Proposed OAuth Security BCP text on the use of CORS

2023-03-09 Thread Dmitry Telegin
Hi all, In regards to the use cases for CORS in the Authorization endpoint - what about a SPA requesting a step-up reauthentication? Especially if it is "silent", e.g. initiating out-of-band authentication without the need for user interaction. Currently, we don't have too many options; it's eithe

Re: [OAUTH-WG] Proposed OAuth Security BCP text on the use of CORS

2023-03-09 Thread Filip Skokan
Hello Christopher,

The wmrm specification use does not require CORS at the authorization endpoint.

- Filip

> 9. 3. 2023 at 10:12, Christopher Burroughs:
> Greetings, I apologize in advance if this question (my first in this list!) is silly :) Regarding CORS support for the authorization endpoint, what abou

Re: [OAUTH-WG] Proposed OAuth Security BCP text on the use of CORS

2023-03-09 Thread Christopher Burroughs
Greetings, I apologize in advance if this question (my first in this list!) is silly :) Regarding CORS support for the authorization endpoint, what about "web message" silent refresh flows? While it never became an RFC, I reckon it is implemented in quite a few places. Is this pattern generally

Re: [OAUTH-WG] Proposed OAuth Security BCP text on the use of CORS

2023-03-09 Thread Vittorio Bertocci
Ha, we chatted about this during yesterday's office hours meeting and I was chartered to propose new language, but I am not sure how to incorporate this new info. Let me try to summarize here and see your reactions, DW. Apps implemented in SPAs style can either handle token acquisition and renewal

Re: [OAUTH-WG] Proposed OAuth Security BCP text on the use of CORS

2023-03-08 Thread David Waite
I would suggest SHOULD guidance for CORS for OAuth token endpoints and authorization endpoints which are publicly accessible. There are a lot of misconceptions about the security properties of CORS, and in particular the security properties from disabling CORS for an otherwise safe resource. To

Re: [OAUTH-WG] Proposed OAuth Security BCP text on the use of CORS

2023-03-08 Thread Brian Campbell
I don't know the best language either but very much concur with the sentiment.

> On Wed, Mar 8, 2023 at 8:36 AM Aaron Parecki wrote:
>
> Since that is my comment referenced in the OpenID thread, I should clarify that my intent was to have this language in the Security BCP with the caveat that it

Re: [OAUTH-WG] Proposed OAuth Security BCP text on the use of CORS

2023-03-08 Thread Aaron Parecki
Since that is my comment referenced in the OpenID thread, I should clarify that my intent was to have this language in the Security BCP with the caveat that it's only applicable if your AS intends on supporting SPAs. In other words, we're not saying all ASs SHOULD add CORS headers, only ASs that in

[OAUTH-WG] Proposed OAuth Security BCP text on the use of CORS

2023-03-07 Thread Mike Jones
I propose adding the following section to the OAuth Security BCP specification:

Usage of CORS

The Token Endpoint, Authorization Server Metadata Endpoint, jwks_uri Endpoint, Dynamic Client Registration Endpoint, and any other en
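The endpoints Mike lists above (token, AS metadata, jwks_uri, dynamic client registration) are the ones a browser-based client has to reach with fetch(), and the earlier messages in the thread debate whether the authorization endpoint should get the same treatment or keep the MUST NOT. The following Python is added here as an illustration; it is not text or code from the thread or from any authorization server. It encodes the policy in which those four endpoints answer cross-origin requests with a wildcard origin while the authorization endpoint emits no CORS headers at all, and it shows when a SPA's request triggers a preflight, which the AS must answer for the allow headers to be of any use. The endpoint paths and the list of allowed request headers are assumptions.

```python
"""Per-endpoint CORS policy for an OAuth 2.0 authorization server.

Added example, not from the OAUTH-WG thread or from any AS implementation.
Paths and header lists are assumptions. Policy encoded: token, AS metadata,
jwks_uri and dynamic client registration answer cross-origin requests from
SPAs; the authorization endpoint, reached only by top-level navigation, gets
no CORS headers, so a script cannot call it programmatically.
"""
from __future__ import annotations

from dataclasses import dataclass, field

AUTHORIZATION_ENDPOINT = "/authorize"  # assumed path
ALLOWED_METHODS = {                      # assumed paths
    "/token": ("POST",),
    "/.well-known/oauth-authorization-server": ("GET",),
    "/jwks": ("GET",),
    "/register": ("POST",),
}
# Non-safelisted request headers a SPA may need at these endpoints; any of
# them (or a JSON body) makes the browser preflight with OPTIONS first.
ALLOWED_REQUEST_HEADERS = ("authorization", "content-type", "dpop")
PREFLIGHT_MAX_AGE = "600"

# Fetch's CORS-safelisted rules, reduced to what matters for OAuth traffic.
SAFELISTED_HEADERS = {"accept", "accept-language", "content-language", "content-type"}
SAFELISTED_CONTENT_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}


def needs_preflight(method: str, fetch_headers: dict[str, str]) -> bool:
    """True if a browser would send an OPTIONS preflight before this request.

    `fetch_headers` are the headers the SPA code itself sets on fetch(). A
    form-encoded POST to the token endpoint with nothing else is a "simple"
    request; adding Authorization (client auth) or DPoP makes it preflighted.
    """
    if method.upper() not in {"GET", "HEAD", "POST"}:
        return True
    for name, value in fetch_headers.items():
        lname = name.lower()
        if lname not in SAFELISTED_HEADERS:
            return True
        if lname == "content-type" and value.split(";", 1)[0].strip().lower() not in SAFELISTED_CONTENT_TYPES:
            return True
    return False


@dataclass
class CorsDecision:
    status: int                                            # 204 for an answered preflight
    headers: dict[str, str] = field(default_factory=dict)  # empty means "no CORS headers"
    handled: bool = False                                  # True when the preflight ends here


def cors_decision(path: str, method: str, req_headers: dict[str, str]) -> CorsDecision:
    """Compute the CORS response headers for one request as seen by the AS."""
    hdrs = {k.lower(): v for k, v in req_headers.items()}
    if "origin" not in hdrs or path == AUTHORIZATION_ENDPOINT or path not in ALLOWED_METHODS:
        # Same-origin or non-browser request, the authorization endpoint, or an
        # endpoint not opened to SPAs: stay silent and the browser blocks the read.
        return CorsDecision(status=200)

    # No cookies or other ambient credentials are used at these endpoints, so
    # the wildcard is appropriate, and Allow-Credentials must never accompany it.
    base = {"Access-Control-Allow-Origin": "*"}

    if method.upper() == "OPTIONS" and "access-control-request-method" in hdrs:
        wanted_method = hdrs["access-control-request-method"].upper()
        wanted_headers = [h.strip().lower() for h in hdrs.get("access-control-request-headers", "").split(",") if h.strip()]
        if wanted_method not in ALLOWED_METHODS[path] or any(h not in ALLOWED_REQUEST_HEADERS for h in wanted_headers):
            # Answer without any Allow-* headers: the browser then refuses to send the real request.
            return CorsDecision(status=204, handled=True)
        return CorsDecision(status=204, handled=True, headers={
            **base,
            "Access-Control-Allow-Methods": ", ".join(ALLOWED_METHODS[path]),
            "Access-Control-Allow-Headers": ", ".join(ALLOWED_REQUEST_HEADERS),
            "Access-Control-Max-Age": PREFLIGHT_MAX_AGE,
        })
    return CorsDecision(status=200, headers=base)


if __name__ == "__main__":
    spa = {"Origin": "https://spa.example"}  # constructed sample origin
    print(needs_preflight("POST", {"Content-Type": "application/x-www-form-urlencoded"}))
    print(cors_decision("/token", "POST", spa).headers)
    print(cors_decision("/authorize", "GET", spa).headers)
```

Two things worth noticing when wiring this into a real server: a public client's form-encoded token request carries no non-safelisted header, so the browser sends it straight away and only the actual response needs Access-Control-Allow-Origin; the moment the client adds Authorization or DPoP, the OPTIONS branch above has to exist or the request never leaves the browser. And because the wildcard is used, the response must not also carry Access-Control-Allow-Credentials, which browsers reject in that combination anyway.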