In the previous post we looked at some OAuth security considerations. In this post we review the IANA considerations from RFC.
First, the token types have to be registered with the OAuth external review mailing list.
Examples could be included with the registration request. Registry updates must only be done by designated experts.
Registration templates include type name, authentication scheme, change controller and specification document.
Initial registry contents include
First, the token types have to be registered with the OAuth external review mailing list.
Examples could be included with the registration request. Registry updates must only be done by designated experts.
Registration templates include type name, authentication scheme, change controller and specification document.
Initial registry contents include
- client_id,
- client_secret,
- response_type,
- redirect_uri,
- scope,
- state,
- code,
- error_description,
- error_uri,
- grant_type,
- access_token,
- token_type,
- expires_in,
- username,
- password
- refresh_token
Response types are also registered. Again these include response type name, change controller and specification document
OAuth testing should cover these registrations. For example, tests should cover the different response types and token types.
OAuth testing requires clients and users mapping to be tested. In addition, resource management policies should be tested. For example, resource management testing should include test that the public clients should don't have access to the user profiles. Similarly user profiles based access should have access to the non-user-profile specific information.
A specially designated admin client is useful for offloading the troubleshooting to non-development. teams. however, that may be for internal use and should ideally be built without modifying the existing protocol implementation.
OAuth testing should cover these registrations. For example, tests should cover the different response types and token types.
OAuth testing requires clients and users mapping to be tested. In addition, resource management policies should be tested. For example, resource management testing should include test that the public clients should don't have access to the user profiles. Similarly user profiles based access should have access to the non-user-profile specific information.
A specially designated admin client is useful for offloading the troubleshooting to non-development. teams. however, that may be for internal use and should ideally be built without modifying the existing protocol implementation.
No comments:
Post a Comment