- Type: Story
- Status: Closed
- Priority: Minor
- Resolution: Fixed
- Affects Version/s: 1.0-portal_7.1.0
- Fix Version/s: 1.0-portal_7.1.0
- Component/s: None
- Labels: None
[RFC 8252] OAuth 2.0 for Native Apps recommends that native mobile applications avoid the Implicit Grant, because the access token is returned in the redirect and can be intercepted by another native application on the same device (for example one that has registered the same custom URI scheme).
For the Authorization Code Grant it requires public native clients to implement [RFC 7636] Proof Key for Code Exchange by OAuth Public Clients (PKCE), which prevents the authorization code interception attack: an attacker that captures the authorization code on its way back to the app still cannot exchange it for an access token.
This is also applicable to user-agent-based / SPA applications, because they too are public clients and cannot keep a client secret.
PKCE is an extension of the Authorization Code flow: the client generates a random, one-time code_verifier, sends only its SHA-256 derived code_challenge with the authorization request, and the authorization server exchanges the authorization code for an access token only when the token request carries the code_verifier that matches the stored challenge.
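The exchange described above, as an added example that is not part of this issue or of the Liferay OAuth2 provider's own code: the client-side code_verifier/code_challenge derivation (S256, per RFC 7636) and a small in-memory stand-in for the authorization and token endpoints, run through three cases: the legitimate app, another app on the same device that captured the authorization code from the custom-scheme redirect, and a replay of an already-used code. The `AuthorizationServer` class, the client_id and the redirect_uri are constructed sample values, not Liferay identifiers.

```python
import base64
import hashlib
import hmac
import re
import secrets

# RFC 7636 section 4.1: unreserved characters only, 43 to 128 of them.
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def _b64url(data: bytes) -> str:
    """base64url without '=' padding, as RFC 7636 Appendix A specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """Client side: 32 random octets -> 43-character code_verifier (RFC 7636 section 4.1)."""
    return _b64url(secrets.token_bytes(32))


def make_code_challenge(code_verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier))) (RFC 7636 section 4.2)."""
    return _b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Hypothetical in-memory stand-in for the authorization and token endpoints."""

    def __init__(self):
        # authorization code -> (client_id, redirect_uri, code_challenge)
        self._pending = {}

    def authorize(self, client_id, redirect_uri, code_challenge, code_challenge_method="S256"):
        """Authorization endpoint: bind the challenge to the code it issues.

        Only S256 is accepted. With 'plain' the challenge is the verifier itself, so
        anyone who can read the authorization request has the proof (RFC 7636 section 7.2).
        """
        if code_challenge_method != "S256":
            return {"error": "invalid_request"}
        code = secrets.token_urlsafe(32)
        self._pending[code] = (client_id, redirect_uri, code_challenge)
        return {"code": code}

    def token(self, client_id, redirect_uri, code, code_verifier):
        """Token endpoint: release the access token only to the holder of the verifier."""
        # The code is consumed whether or not the proof succeeds; otherwise an interceptor
        # could keep submitting guessed verifiers against the same code.
        entry = self._pending.pop(code, None)
        if entry is None:
            return {"error": "invalid_grant"}
        bound_client, bound_redirect, bound_challenge = entry
        if client_id != bound_client or redirect_uri != bound_redirect:
            return {"error": "invalid_grant"}
        if not _VERIFIER_RE.match(code_verifier or ""):
            return {"error": "invalid_grant"}
        # RFC 7636 section 4.6: transform the presented verifier and compare with the stored challenge.
        if not hmac.compare_digest(make_code_challenge(code_verifier), bound_challenge):
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def run_scenario():
    """Legitimate exchange, an intercepted code without the verifier, and a replay."""
    server = AuthorizationServer()
    client_id = "example-native-app"               # constructed sample values
    redirect_uri = "com.example.app:/oauth2redirect"

    # 1. Legitimate app: the verifier never leaves the device; only the challenge goes
    #    over the front channel, and the verifier travels on the back channel token request.
    verifier = make_code_verifier()
    code = server.authorize(client_id, redirect_uri, make_code_challenge(verifier))["code"]
    legitimate = server.token(client_id, redirect_uri, code, verifier)

    # 2. Another app on the same device registered the same custom scheme and captured the
    #    redirect. It holds the code and can learn client_id and redirect_uri, but never saw
    #    the verifier, so the best it can do is present a verifier of its own.
    victim_verifier = make_code_verifier()
    stolen_code = server.authorize(client_id, redirect_uri, make_code_challenge(victim_verifier))["code"]
    intercepted = server.token(client_id, redirect_uri, stolen_code, make_code_verifier())

    # 3. A code is single use: replaying it fails even with the right verifier.
    replay = server.token(client_id, redirect_uri, code, verifier)
    return {"legitimate": legitimate, "intercepted": intercepted, "replay": replay}


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(f"{name:12s} {result}")
```

The two server-side checks that matter for the threat in this issue are that the token endpoint refuses any request whose transformed verifier does not match the challenge bound to the code, and that it discards the code on the first attempt, successful or not. The RFC 7636 Appendix B test vector (`dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk` -> `E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM`) is a quick way to confirm the S256 transform against a real client.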
Issue Links:
- fixes: OAUTH2-100 REQ30.PREVENT Attacking ‘redirect_uri’ (leaking authorization codes through custom URI scheme) (Closed)
- is fixed by: OAUTH2-124 Merge REST module to master (Closed)
- is related to:
  - OAUTH2-83 SCR007 OAuth2 Application detail (Closed)
  - OAUTH2-96 REQ029.UC001 PREVENT Misuse of Authorization Code to Impersonate Resource Owner (Closed)
  - OAUTH2-97 REQ029.UC002 PREVENT Authorization Code Redirection URI Manipulation (open redirect) (Closed)
  - OAUTH2-98 REQ029.UC003 PREVENT Attacking ‘redirect_uri’ (leaking authorization codes through XSS) (Closed)
  - OAUTH2-179 OAuth2 tests covering 7.1.0 release - Part 1 out of 3 (Closed)
- relates: OAUTH2-187 DOC: PKCE Authorization Code Grant flow (Closed)
Sub-Tasks:
1. REQ013.UC001 Obtain Authorization Code using PKCE | Closed | Unassigned
2. REQ013.UC002 Exchange Authorization Code for Access Token using PKCE | Closed | Unassigned