V51 OAuth: Add new OIDC Authorization Server verifications #2047
Labels: 1) Discussion ongoing (issue is opened and assigned but no clear proposal yet); 2) Awaiting response (awaiting a response from the original poster); V51 (group issues related to OAuth); _5.0 - prep (this needs to be addressed to prepare 5.0)
The following verifications are suggested to be added to the proposed new OIDC chapter (see #2037).
Authorization Server
Verify that well-known, industry-standard Authorization Servers are used; preferably these services are certified and listed at https://openid.net/certification/#OPENID-OP-P. For L3 applications they should also implement the FAPI security profile.
Verify that only the grant types 'code', 'ciba' or 'id-token' are used. Note that FAPI 2.0 recommends 'code' over the OIDC Hybrid flow 'id-token code' (which was previously recommended in FAPI 1.0).
Verify that all clients requiring access tokens are using the 'code' grant or, if needed for device flows, the 'ciba' grant.
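One way to check an Authorization Server against the grant-type rules proposed above is to audit the OIDC Discovery document it publishes at `/.well-known/openid-configuration`. The script below is an added example, not code from this issue, from ASVS or from any provider. It assumes a mapping from the issue's shorthand to discovery values ('code' means the `authorization_code` grant and the `code` response type, 'ciba' means the `urn:openid:params:grant-type:ciba` grant, 'id-token' means the `id_token` response type), treats `refresh_token` as allowed and checks for PKCE `S256`, neither of which the proposed text mentions, and the two metadata documents are constructed samples rather than real provider output.

```python
"""Audit an OpenID Provider discovery document against the proposed grant-type rules.

Added example, not part of the issue or of ASVS. It inspects the metadata an
Authorization Server publishes at /.well-known/openid-configuration and reports
flows the proposed verifications would reject.
"""
from __future__ import annotations

import json

# Mapping of the issue's shorthand to discovery-document values (assumption):
#   'code'     -> grant type "authorization_code", response type "code"
#   'ciba'     -> grant type "urn:openid:params:grant-type:ciba"
#   'id-token' -> response type "id_token"
# "refresh_token" is allowed here as an assumption: it renews tokens obtained
# through an allowed flow and is not a user-facing grant the issue discusses.
ALLOWED_GRANT_TYPES = {
    "authorization_code",
    "urn:openid:params:grant-type:ciba",
    "refresh_token",
}
ALLOWED_RESPONSE_TYPES = {"code", "id_token"}


def check_provider_metadata(meta: dict) -> list[str]:
    """Return human-readable findings; an empty list means the metadata passes."""
    findings: list[str] = []

    issuer = meta.get("issuer", "")
    if not issuer.startswith("https://"):
        findings.append(f"issuer is not an https URL: {issuer!r}")

    for grant in meta.get("grant_types_supported", []):
        if grant not in ALLOWED_GRANT_TYPES:
            findings.append(f"disallowed grant type advertised: {grant}")

    for response_type in meta.get("response_types_supported", []):
        # A response_type is a space-separated set, e.g. "code id_token" (Hybrid Flow).
        parts = set(response_type.split())
        if len(parts) > 1:
            # Hybrid flows return tokens on the front channel; FAPI 2.0 prefers plain "code".
            findings.append(
                f"hybrid response type advertised: {response_type!r} (prefer 'code')"
            )
        elif response_type == "token":
            findings.append("implicit access-token response type 'token' advertised")
        elif response_type not in ALLOWED_RESPONSE_TYPES:
            findings.append(f"disallowed response type advertised: {response_type!r}")

    # Assumption: PKCE with S256 is expected for the code flow under FAPI 2.0.
    if "S256" not in meta.get("code_challenge_methods_supported", []):
        findings.append("PKCE code_challenge_method S256 not advertised")

    return findings


# Constructed sample metadata (not taken from any real provider).
GOOD_METADATA = json.loads("""{
  "issuer": "https://op.example.test",
  "grant_types_supported": ["authorization_code", "refresh_token",
                            "urn:openid:params:grant-type:ciba"],
  "response_types_supported": ["code", "id_token"],
  "code_challenge_methods_supported": ["S256"]
}""")

LEGACY_METADATA = json.loads("""{
  "issuer": "http://legacy-op.example.test",
  "grant_types_supported": ["authorization_code", "implicit", "password"],
  "response_types_supported": ["code", "token", "code id_token"],
  "code_challenge_methods_supported": ["plain"]
}""")


if __name__ == "__main__":
    for name, meta in (("good", GOOD_METADATA), ("legacy", LEGACY_METADATA)):
        print(name, check_provider_metadata(meta) or ["OK"])
```

Run against a live provider by fetching its discovery document and passing the parsed JSON to `check_provider_metadata`; the certification listing at openid.net still has to be checked by hand, since nothing in the metadata proves a server is certified.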