…hreats are discussed in the OAuth 2.0 Threat Model and Security Considerations [RFC6819], continued exploitation demonstrates a need for more specific recommendations, easier to implement mitigations, and more defense in depth. * OAuth is being used in environments with higher se…
… of the OAuth core specification [RFC6749] and the OAuth threat model document [RFC6819]. Malicious clients could attempt to use the new endpoint to launch denial-of-service attacks on the authorization server. Appropriate countermeasures, which should be in place for the token e…
…of any other OAuth token-defining specifications in use, along with the entire [RFC6819] specification, and apply the countermeasures described therein. As well, since this specification builds on [OAuth-resource-reg], implementers should also take into account the security cons…
…h 2.0 Core [RFC6749] and OAuth 2.0 Threat Model and Security Considerations [RFC6819], the following additional considerations apply. 7.1 Differing User Profile URLs Clients will initially prompt the user for their profile URL in order to discover the necessary endpoints to perform aut…
…the authorization server, but a malicious third party (see Section 4.4.1.8 of [RFC6819] for details). Clients that have ensured that the authorization server supports the code_challenge parameter MAY rely on the CSRF protection provided by that mechanism. In OpenID Connect flows,…
… in OAuth 2.0 deployments. While the OAuth 2.0 threat model (Section 4.4.1 of [RFC6819]) describes mitigation techniques, they are, unfortunately, not applicable since they rely on a per-client instance secret or a per-client instance redirect URI. To mitigate this attack, this…
…h 2.0 Core [RFC6749] and OAuth 2.0 Threat Model and Security Considerations [RFC6819], the following additional considerations apply. 10.1 Preventing Phishing and Redirect Attacks Authorization servers SHOULD fetch the client_id provided in the authentication or authorization request i…