Common 2

Recon

/.well-known/oauth-authorization-server
/.well-known/openid-configuration
/.well-known/jwks.json

Tricks

CSRF-style attack on clients

plenty "return_url" tricks

Если видим какие-то отклонения от проверок и определенных последовательностей, то ищем как это можно использовать в документах RFC 6819 и DRAFT: OAuth Security BCP.

RFC

RFC 6819: Threat Model and Security Considerations https://tools.ietf.org/html/rfc6819

RFC 7662: Token Introspection https://tools.ietf.org/html/rfc7662

DRAFT: Token Binding https://tools.ietf.org/html/draft-ietf-oauth-token-binding

DRAFT: OAuth Security BCP https://tools.ietf.org/html/draft-ietf-oauth-security-topics

PreviousCommon 1 NextOpenID Connect (OIDC)

Last updated 2 years ago