Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

RFC-Conformity depends on Implementation #79

Open
Uzlopak opened this issue Nov 18, 2021 · 2 comments
Open

RFC-Conformity depends on Implementation #79

Uzlopak opened this issue Nov 18, 2021 · 2 comments
Labels
compliance 📜 OAuth 2.0 standard compliance documentation 📑 Improvements or additions to documentation hacktoberfest
Milestone
v4.4

Comments

@Uzlopak
Copy link
Collaborator

Uzlopak commented Nov 18, 2021

We should document, that some conformity rules can only be implemented by the express/fastify/koa-etc. layer.

Maybe we should collect the MUST rules for meeting the conformity requirements but are (currently?) out of scope of the oauth2-server.

  • the authorization endpoint MUST support the GET method. probably alot of people only implement the post but not the get method.
   The authorization server MUST support the use of the HTTP "GET"
   method [RFC2616] for the authorization endpoint and MAY support the
   use of the "POST" method as well.

https://datatracker.ietf.org/doc/html/rfc6749#section-3.1

  • TLS is also necessary, which is not enforced by the oauth2-server
   The authorization server MUST require the use of TLS as described in
   Section 1.6 when sending requests using password authentication.

https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1

  • Brute-Force Protection for the endpoints is also a MUST regarding the RFC.
   Since this client authentication method involves a password, the
   authorization server MUST protect any endpoint utilizing it against
   brute force attacks.
@jankapunkt
Copy link
Member

This is a very good idea, because it would help client implementations to write their own compliance suite much more efficiently.

@jankapunkt jankapunkt added compliance 📜 OAuth 2.0 standard compliance documentation 📑 Improvements or additions to documentation labels Nov 19, 2021
@jankapunkt
Copy link
Member

We should create a documentation like COMPLIANCE.md for that.

@jankapunkt jankapunkt mentioned this issue Dec 10, 2021
Closed
@jankapunkt jankapunkt linked a pull request Dec 10, 2021 that will close this issue
Scope is optional with authorization code grant #103
Closed
@jankapunkt jankapunkt added this to the v4.3 milestone Aug 25, 2022
@jankapunkt jankapunkt modified the milestones: v4.3, v4.4 Mar 21, 2023
@jorenvandeweyer jorenvandeweyer mentioned this issue Aug 27, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
compliance 📜 OAuth 2.0 standard compliance documentation 📑 Improvements or additions to documentation hacktoberfest
Projects
None yet
Milestone
v4.4
Development

Successfully merging a pull request may close this issue.

Scope is optional with authorization code grant FStefanni/node-oauth2-server
2 participants
@jankapunkt @Uzlopak