...
For OAuth, ensure the relying party receiving the user's ID in the last protocol step is the same as the relying party that the access token was granted to.
Noncompliant Code Example
This noncompliant code example shows an application that
Code Block | ||
---|---|---|
| ||
TBD |
Compliant Solution
In this compliant solution the application
Code Block | ||
---|---|---|
| ||
TBD |
Risk Assessment
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
DRD26-J | Medium | Probable | Medium |
|
|
Automated Detection
Bibliography
[Chen OAuth 2014] | OAuth Demystified for Mobile Application Developers |
Internet Engineering Task Force (IETF). OAuth core 1.0 revision a. http://oauth.net/core/1.0a/. | |
Internet Engineering Task Force (IETF). The OAuth 2.0 authorization framework. http://tools.ietf.org/html/rfc6749. |
...