MSC09-J. For OAuth, ensure (a) [relying party receiving user's ID in last step] is same as (b) [relying party the access token was granted to].
Under Construction
This guideline is under construction.
For OAuth, ensure the relying party receiving the user's ID in the last protocol step is the same as the relying party that the access token was granted to .
Noncompliant Code Example
This noncompliant code example shows an application that
Non-compliant code
TBD
Compliant Solution
In this compliant solution the application
Compliant code
TBD
Risk Assessment
| Rule | Severity | Likelihood | Detectable | Repairable | Priority | Level |
|---|---|---|---|---|---|---|
| DRD26-J | Medium | Probable | No | No | P4 | L3 |
Automated Detection
Bibliography
| [Chen 2014] | OAuth Demystified for Mobile Application Developers |
| [IETF OAuth1.0a] | Internet Engineering Task Force (IETF). OAuth core 1.0 revision a. http://oauth.net/core/1.0a/ . |
| [IETF OAuth2.0] | Internet Engineering Task Force (IETF). The OAuth 2.0 authorization framework. http://tools.ietf.org/html/rfc6749 . |
