rfc – Page 2 – WindowsTechs.com

Why is PKCE "RECOMMENDED" for authorization codes with confidential clients?

Posted on October 7, 2021 by Matthew Rodatus

Section 2.1.1 of IETF’s OAuth 2.0 Security Best Current Practice begins as follows:

Clients MUST prevent injection (replay) of authorization codes into
the authorization response by attackers. Public clients MUST use
PKCE [RFC7636] to th… Continue reading Why is PKCE "RECOMMENDED" for authorization codes with confidential clients?→

Is a consent screen in an OAuth 2.0 implementation optional

Posted on July 24, 2021 by Ash

I’ve read through RFC 6749: https://datatracker.ietf.org/doc/html/rfc6749
The only mention of consent is in this bit:
The authorization server MUST implement CSRF protection for its
authorization endpoint and ensure that a malicious client… Continue reading Is a consent screen in an OAuth 2.0 implementation optional→

IETF RFC 4041 – Requirements for Morality Sections in Routing Area Drafts

Posted on April 8, 2021 by Marc Handelman

Network Working Group
A. Farrel
Request for Comments: 4041
Old Dog Consulting
Category: Informational
1 April 2005
Requirements for Morality Sect… Continue reading IETF RFC 4041 – Requirements for Morality Sections in Routing Area Drafts→

Protocol Police: The RFC

Posted on April 7, 2021 by Marc Handelman

Independent Submission G. Grover
Request for Comments: 8962Category: Informational N. ten Oever
ISSN: 2070-1721 … Continue reading Protocol Police: The RFC→

How to convert 64byte openssh-key-v1 to the resulting 32byte ed25519 private key

Posted on February 19, 2021 by Richard Burkhardt

I wrote an openssh-key-v1 Protocol reader and extracted all fields according to the format definition:
"openssh-key-v1"0x00 # NULL-terminated "Auth Magic" string
32-bit length, "none" # ciphername lengt… Continue reading How to convert 64byte openssh-key-v1 to the resulting 32byte ed25519 private key→

Why does RFC5816 not change the version number defined in RFC3161

Posted on February 8, 2021 by matthias_buehlmann

So, RFC5816 https://www.ietf.org/rfc/rfc5816.txt changes the specification of RFC3161 https://www.ietf.org/rfc/rfc3161.txt
RFC3161 specifies the ‘version’ field in TSTInfo to be set to 1
Why does RFC5816 not change the value of this field?… Continue reading Why does RFC5816 not change the version number defined in RFC3161→

What header & footer to use when storing RFC3161 token in PEM format

Posted on February 4, 2021 by matthias_buehlmann

The RFC3161 (https://www.ietf.org/rfc/rfc3161.txt) specification states
3. Transports

There is no mandatory transport mechanism for TSA messages in this
document. The mechanisms described below are optional; additional
optional … Continue reading What header & footer to use when storing RFC3161 token in PEM format→

Benefits of Token Exchange protocol in OAuth 2

Posted on December 25, 2020 by Maro

Beginner question here, I don’t seem to be able to wrap my head around the security benefits of the token exchange protocol as specified by RFC8693. To me it seems like a delegation pattern where a webservice (service A) impersonates the … Continue reading Benefits of Token Exchange protocol in OAuth 2→

Can TLS create PKI for you?

Posted on September 21, 2020 by Jimmy Yang

Suppose A and B want to create TLS secure channel.
But they do not have pre-shared secret, or mutually trust Certificate, How do they do?

Continue reading Can TLS create PKI for you?→

How come RFC7636 (PKCE) stops malicous app doing the same code challenge and get legitimate access to API

Posted on January 15, 2020 by inckka

As per the RFC7636 it stops malicious apps which pretend to be legitimate apps, gaining access to OAuth2.0 protected API’s.

The flow suggests a method of having a runtime level secret which generated from the client and letting the Auth s… Continue reading How come RFC7636 (PKCE) stops malicous app doing the same code challenge and get legitimate access to API→