This guideline is under construction. |
For OAuth, ensure the relying party receiving the user's ID in the last protocol step is the same as the relying party that the access token was granted to.
This noncompliant code example shows an application that
TBD |
In this compliant solution the application
TBD |
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
DRD26-J | Medium | Probable | Medium |
|
|
[Chen 2014] | OAuth Demystified for Mobile Application Developers |
[IETF OAuth1.0a] | Internet Engineering Task Force (IETF). OAuth core 1.0 revision a. http://oauth.net/core/1.0a/. |
[IETF OAuth2.0] | Internet Engineering Task Force (IETF). The OAuth 2.0 authorization framework. http://tools.ietf.org/html/rfc6749. |