6819_4_3_5

Obtaining Client Secret by Online Guessing

An attacker may try to guess valid 'client_id'/secret pairs.

OAuth 2.0 Threat Model and Security Considerations (RFC6819, section 4.3.5)

Mitigations

This threat is considered fully mitigated if all the test cases from one of the following test sets succeed.

• Set #1
• TokenEndpoint.ClientSecretEntropyMinReqTest
• TokenEndpoint.ClientSecretEntropySugReqTest
• Set #2
• TokenEndpoint.IsAsymmetricClientAuthenticationUsedTest

Back to the threat overview