[docs] Align OAuth 2.0 Security Best Current Practice links (#24706)

Closes keycloak/keycloak#24705

Signed-off-by: Joshua Sorah <jsorah@gmail.com>
Joshua Sorah 2024-02-13 07:53:56 -05:00 committed by GitHub
parent 5242f5fcb6
commit b81233a4af
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 3 additions and 3 deletions
@ -28,14 +28,14 @@ browser history. You can somewhat mitigate this problem by using short expiratio
For more details, see the https://openid.net/specs/openid-connect-core-1_0.html#ImplicitFlowAuth[Implicit Flow] in the OpenID Connect specification.
Per current https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-23#name-implicit-grant[OAuth 2.0 Security Best Current Practice], this flow should not be used.
Per current https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#name-implicit-grant[OAuth 2.0 Security Best Current Practice], this flow should not be used.
This flow is removed from the future https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-09[OAuth 2.1 specification].
[[_resource_owner_password_credentials_flow]]
==== Resource Owner Password Credentials
Resource Owner Password Credentials, referred to as Direct Grant in {project_name}, allows exchanging user credentials for tokens.
Per current https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-23#name-resource-owner-password-cre[OAuth 2.0 Security Best Practices],
Per current https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#name-resource-owner-password-cre[OAuth 2.0 Security Best Practices],
this flow should not be used, preferring alternative methods such as <<Device Authorization Grant>> or <<Authorization code>>.
The limitations of using this flow include:
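Review bot: the two replaced links in this hunk still use different link text ("OAuth 2.0 Security Best Current Practice" for the implicit-grant reference and "OAuth 2.0 Security Best Practices" for the resource-owner-password reference) even though they now point at the same unversioned draft; since the commit's purpose is aligning these references, the second one should read `[OAuth 2.0 Security Best Current Practice]` as well, matching both the first occurrence and the title of the document it links to. Dropping the `-23` version suffix also means the `#name-implicit-grant` and `#name-resource-owner-password-cre` fragments now resolve against whatever the latest draft is, so they depend on those section anchors staying stable across revisions; worth a note in the PR so that a future link check covers the fragments and not just the base URL. The neighbouring `draft-ietf-oauth-v2-1-09` link on the OAuth 2.1 line is left pinned, which is fine for this commit's scope but is the same kind of stale-version reference being fixed here.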
@ -2,4 +2,4 @@
[[mitigating_security_threats]]
== Mitigating security threats
Security vulnerabilities exist in any authentication server. See the Internet Engineering Task Force's (IETF) https://datatracker.ietf.org/doc/html/rfc6819[OAuth 2.0 Threat Model] and the https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-15[OAuth 2.0 Security Best Current Practice] for more information.
Security vulnerabilities exist in any authentication server. See the Internet Engineering Task Force's (IETF) https://datatracker.ietf.org/doc/html/rfc6819[OAuth 2.0 Threat Model] and the https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics[OAuth 2.0 Security Best Current Practice] for more information.
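Review bot: the version bump from the long-stale `-15` draft to the unversioned URL is the right fix here, and since this link carries no fragment it has no anchor to go stale, unlike the two in the previous hunk. Two small wording points on the same line while it is being touched: "Internet Engineering Task Force's (IETF)" places the possessive before the parenthetical abbreviation, which reads awkwardly; "the IETF's" or "the Internet Engineering Task Force (IETF)" is cleaner. And "Security vulnerabilities exist in any authentication server" is a broad claim for a hardening guide's opening sentence; something like "Any authentication server must be hardened against known attack classes" states the same motivation without asserting that vulnerabilities are always present.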