HackerTrans
TopNewTrendsCommentsPastAskShowJobs

jogux

no profile record

comments

jogux
·2 lata temu·discuss
DPoP isn't mandated, MTLS sender constrained access tokens are selected by a lot of people instead of DPoP. (And yes I agree, MTLS has challenges in some cases.)

Stateful refresh tokens have other practical issues, we've seen several cases in OpenBanking ecosystems where stateful refresh tokens resulted in loss of access for large numbers of users which things went wrong.

The quirks you mention are sorted in the next revision. The cipher requirements come from the IETF TLS BCP [1] (which is clearer in the new version). If you think the IETF TLS WG got it wrong, please do tell them.

As other people said elsewhere, this isn't about completeness - OAuth2.1 is a framework, FAPI is something concrete you can for the large part just follow, and then use the FAPI conformance tests to confirm if you correctly implemented it or not. If you design an authorization code flow flowing all the recommendations in OAuth 2.1, you'll end up implementing FAPI. Most people not in this space implementing OAuth will struggle to know how to avoid the traps once they stop following the recommendations, as "implementing OAuth securely" isn't usually their primary mission.

1: https://www.rfc-editor.org/info/bcp195
jogux
·2 lata temu·discuss
There at least a few others left, https://gitlab.com is one I regularly use.

Sadly the amount of money you need to spend on security & support for such a service does make offering such a service (particularly for free) not viable for smaller entities, there are some big economies of scale to make these things viable that work particularly well if you can also get big companies to pay for commercial offerings.
jogux
·2 lata temu·discuss
It's a double edged sword. Actually creating a good standard that people want to use through an open process that aims to be unbiased takes a non-trivial amount of time and hence costs a not insubstantial amount of money. Different standards organisations have chosen different approaches to solving that problem, and although I completely agree and freely available standards are my preferred approach, it is also very clear that ISO standards are well respected and widely used despite the need to pay to view them in some cases.
jogux
·2 lata temu·discuss
My understanding it is quite often government/country contexts where (because ISO is recognised in various international treaties) it is easier to get approval to use an ISO standard than it is to use an OpenID Foundation standard. So getting OpenID Connect published with an ISO number just makes adoption easier for some projects.

OpenID Connect does of course remain free view/use, but now people in the above situation have an easier option available to them.
jogux
·2 lata temu·discuss
Historically the IETF has been reluctant to get involved with Identity (and hence authentication) for various reasons. There are a few standards bodies in this area and they all have their strengths and weaknesses (the presentation by Heather Flanagan someone linked to elsewhere in the thread gives a good introduction).

Even some RFCs are basically available as ISO standards and vice versa, e.g. for time/date formats you almost never need to buy ISO8601 and can just read RFC3339 (which is technically a 'profile' of ISO8601).
jogux
·2 lata temu·discuss
I wasn't really following OAuth back in those days, but I have heard much of the history from those that were there are the time, and there were some of the failures of some of the early specs in this area for being too secure - and hence to hard to implement and failing to be adopted.

Was OAuth2 wrong to land exactly where it did on security back in 2012 or before? It seems really hard to say - it clearly didn't have great security, but it was easy to implement and where would we have ended up if it had better security but much poorer adoption?

Does the OAuth working group recognise those failures and has it worked hard to fixed them over the years since? Yes, very much so.

Has OAuth2 being adopted in use cases that do require high levels of security? Yes, absolutely, OpenBanking and OpenHealth ecosystems around the world are built on top of OAuth2. In particular the FAPI profile of OAuth2 that gives a pretty much out-of-the-box recipe for how to easily comply with the OAuth security best current practices document, https://openid.net/specs/fapi-2_0-security-profile.html (Disclaimer: I'm one of the authors of FAPI2, or at least will be when the next revision is published.)

Is it still a struggle to try and get across to people in industries that need higher security (like banking and health) that they need to stop using client secrets, ban bearer access tokens, to mandate PKCE, and so on? Yes. Yes it is. I have stories.
jogux
·2 lata temu·discuss
"Through I'm not sure if requiring (instead of just allowing) PKCE is strictly OIDC compliant"

It's technically not compliant, but people definitely do so, and there are definite security advantages to requiring it.

Technically the 'nonce' in OpenID Connect provides the same protections, and hence the OAuth Security BCP says (in a lot more words) that you may omit PKCE when using OIDC. However in practice, based on a period in the trenches that I've mostly repressed now, the way the mechanisms were designed means clients are far more likely to use PKCE correctly than to use nonce correctly.)
jogux
·2 lata temu·discuss
Yes, indeed. Both OAuth 2.1 & the BCP tighten things up a lot, although neither is technically final yet (the security BCP should be published as an RFC "any day now").

For people looking for an easy-to-follow interoperability/security profile for OAuth2 (assuming they're most interested in authorization code flow, though it's not exclusive to that) FAPI2 is a good place to look, the most recent official is here:

https://openid.net/specs/fapi-2_0-security-profile.html

This is a good bit shorter than the 50 or so pages of security BCP :)

FAPI2 should also be moving to 'final' status within the next few months.

(Disclaimer: I'm one of the authors of FAPI2, or will be once the updated version is published.)