[Openid-specs-heart] Comments on Draft HEART Profile for OAuth 2.0
Luis C. Maas III, M.D., Ph.D.
lcmaas at emrdirect.com
Mon Apr 10 19:20:27 UTC 2017
Hi All, a few comments on the current draft of the HEART Profile for
OAuth 2.0:
- Section 2.1.3.1: there is a reference to Section 2.1.4 for keys;
should this reference 2.1.5 instead?
- Section 2.1.3.2: The section states that native apps may use a common
client_id + PKCE. Lock-out mechanisms (temporary or permanent) at an AS
triggered by repeated failed client authentication attempts may be based
on client_id. It seems like the use of a common client_id opens up the
possibility of one compromised or misconfigured native app instance
locking out all instances of that app at a particular AS. I agree that
adding PKCE support is a good idea, but I think a per-instance client_id
should be required whether or not PKCE is used, and that the option to
use a common client_id be removed.
- Section 2.1.4: The section states that native apps MUST receive a
unique per-instance client_id. This conflicts with the choice to use a
common client_id + PKCE currently permitted in 2.1.3.2.
- Section 4.2: Typo "acceept"
Luis
Luis C. Maas III, M.D., Ph.D.
CTO
EMR Direct
www.emrdirect.com
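The lock-out concern raised above (one misbehaving native-app instance taking down every instance that shares its client_id) can be made concrete with a small simulation. The following is an added example, not code from the message, the HEART profile, or any OpenID implementation: it computes a PKCE S256 code_challenge as RFC 7636 specifies, verifies it the way an authorization server would, and then runs a toy per-client_id failure counter (the `LockoutTracker` class, its threshold, and the `app-shared` / `app-instance-N` identifiers are all assumptions made up for this illustration) once with a common client_id and once with per-instance client_ids.

```python
"""PKCE S256 derivation/verification plus a toy AS lock-out keyed on client_id.

Added example (not from the HEART draft or the mailing-list message). It shows
why a shared client_id combined with client_id-keyed lock-out lets one bad
instance lock out all others, while per-instance client_ids isolate the damage.
"""
import base64
import hashlib
import hmac
import secrets


def b64url_nopad(raw: bytes) -> str:
    """base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """Random code_verifier; 32 bytes -> 43 unreserved chars (RFC 7636 minimum)."""
    return b64url_nopad(secrets.token_bytes(nbytes))


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_pkce(stored_challenge: str, presented_verifier: str) -> bool:
    """AS-side check at the token endpoint; constant-time compare."""
    return hmac.compare_digest(code_challenge_s256(presented_verifier), stored_challenge)


class LockoutTracker:
    """Hypothetical AS policy: lock a client_id after N failed client authentications."""

    def __init__(self, max_failures: int = 3) -> None:
        self.max_failures = max_failures
        self.failures: dict = {}
        self.locked: set = set()

    def record_failure(self, client_id: str) -> None:
        count = self.failures.get(client_id, 0) + 1
        self.failures[client_id] = count
        if count >= self.max_failures:
            self.locked.add(client_id)

    def is_locked(self, client_id: str) -> bool:
        return client_id in self.locked


def simulate_lockout(shared_client_id: bool, instances: int = 4, max_failures: int = 3) -> set:
    """Instance 0 fails client authentication max_failures times.

    Returns the set of instance indices that end up locked out.
    Constructed identifiers: 'app-shared' for the common-client_id case,
    'app-instance-N' for the per-instance case.
    """
    tracker = LockoutTracker(max_failures)
    if shared_client_id:
        ids = ["app-shared"] * instances
    else:
        ids = [f"app-instance-{i}" for i in range(instances)]
    for _ in range(max_failures):
        tracker.record_failure(ids[0])  # only instance 0 misbehaves
    return {i for i, cid in enumerate(ids) if tracker.is_locked(cid)}


if __name__ == "__main__":
    verifier = make_code_verifier()
    challenge = code_challenge_s256(verifier)
    print("PKCE ok:", verify_pkce(challenge, verifier))
    print("locked (shared client_id):", sorted(simulate_lockout(True)))
    print("locked (per-instance client_id):", sorted(simulate_lockout(False)))
```

Note that PKCE only binds the authorization code to the instance that started the flow; it does nothing to separate instances in whatever the AS keys its abuse controls on. With the shared client_id the simulation locks out every instance; with per-instance client_ids only the offending one is affected.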