Technical Summary
Relevant content can frequently be found in the abstract
and/or introduction of the document. If not, this may be
an indication that there are deficiencies in the abstract
or introduction.
This document gives additional security considerations for OAuth,
beyond those in the OAuth specification, based on a comprehensive
threat model for the OAuth 2.0 Protocol.
The document:
o Documents any assumptions and scope considered when creating the
threat model.
o Describes the security features in-built into the OAuth protocol
and how they are intended to thwart attacks.
o Gives a comprehensive threat model for OAuth and describes the
respective counter measures to thwart those threats.
Working Group Summary
Was there anything in WG process that is worth noting? For
example, was there controversy about particular points or
were there decisions where the consensus was particularly
rough?
This document began life as a working document for the development of
a Security Considerations section of the base OAuth protocol document.
It quickly became far too large for that purpose, and at IETF 80 a
design team was set up to extract the key points for a proper Security
Considerations section, leaving the remainder for this Informational
document.
Throughout the development, the goal has been to include as much as
possible. There's been some discussion of whether this has resulted
in a document that's too long to be practical. And that concern has
resulted in some pushback at the end of its life cycle, resisting the
addition of new material that seemed non-specific to OAuth. There
have nevertheless been some compromises made, as some participants
considered it important in a few cases to highlight threats that apply
to services in general, but that might be falsely construed either as
not applying to OAuth, or as being mitigated in some way by OAuth.
Document Quality
Are there existing implementations of the protocol? Have a
significant number of vendors indicated their plan to
implement the specification? Are there any reviewers that
merit special mention as having done a thorough review,
e.g., one that resulted in important changes or a
conclusion that the document had no substantive issues? If
there was a MIB Doctor, Media Type or other expert review,
what was its course (briefly)? In the case of a Media Type
review, on what date was the request posted?
In the end, we have a document that's thorough and well written, and
that represents the consensus of the working group, with a liberal
view toward inclusion. The authors have already noted, in the
acknowledgments, key contributors and reviewers.
Personnel
Barry Leiba is the document shepherd.
Stephen Farrell is the responsible AD.
RFC Editor Note
- Both section 8.1 and 8.2 are called "Informative References"
but 8.1 should be "Normative References" so in both the
TOC and body of the document please change the title
of 8.1 to "Normative References"