Standards Document info

RFC6819

OAuth 2.0 Threat Model and Security Considerations

This document gives additional security considerations for OAuth, beyond those in the OAuth 2.0 specification, based on a comprehensive threat model for the OAuth 2.0 protocol. This document is an officially published standard.

Full text: https://tools.ietf.org/html/rfc6819

Countermeasures

This document introduces a number of security countermeasures for OAuth. The OAuch tests related to these countermeasures are:

ApiEndpoint.IsHttpsRequiredTest
ApiEndpoint.HasValidCertificateTest
ApiEndpoint.IsModernTlsSupportedTest
AuthEndpoint.HasValidCertificateTest
AuthEndpoint.IsModernTlsSupportedTest
AuthEndpoint.IsHttpsRequiredTest
TokenEndpoint.HasValidCertificateTest
TokenEndpoint.IsModernTlsSupportedTest
TokenEndpoint.IsHttpsRequiredTest
TokenEndpoint.ClientSecretEntropyMinReqTest
Tokens.AuthorizationCodeEntropyMinReqTest
Tokens.AccessTokenEntropyMinReqTest
Tokens.RefreshTokenEntropyMinReqTest
Tokens.TokenTimeoutTest
TokenEndpoint.MultipleCodeExchangesTest
TokenEndpoint.TokenValidAfterMultiExchangeTest
TokenEndpoint.RefreshTokenValidAfterMultiExchangeTest
TokenEndpoint.IsRefreshAuthenticationRequiredTest
TokenEndpoint.IsRefreshBoundToClientTest
TokenEndpoint.RefreshTokenRevokedAfterUseTest
AuthEndpoint.HasFrameOptionsTest
TokenEndpoint.IsClientAuthenticationRequiredTest
AuthEndpoint.RequireUserConsentTest
AuthEndpoint.RedirectUriFullyMatchedTest
AuthEndpoint.CodePollutionTest
AuthEndpoint.RedirectUriPathMatchedTest
AuthEndpoint.RedirectUriConfusionTest
AuthEndpoint.InvalidRedirectTest
TokenEndpoint.IsCodeBoundToClientTest
TokenEndpoint.RedirectUriCheckedTest
TokenEndpoint.IsBasicAuthenticationSupportedTest
DocumentSupport.RFC7009SupportedTest

Back to the documents overview