discussion: OAuth - using OAuth just for authentication #1966
Labels
1) Discussion ongoing
Issue is opened and assigned but no clear proposal yet
Community needed
This issue will not be progressed without community input. Will be closed if stale.
V51
Group issues related to OAuth
_5.0 - prep
This needs to be addressed to prepare 5.0
spin-off from #1916 "Discussion/Proposal 4"
There is a clear trend of overengineering using OAuth. One example is using OAuth only for providing authentication. In this case, OIDC should be used directly, without the OAuth overhead.
Also addressed here: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps#section-7.1
The question is: should we view it only as unnecessary overengineering, or as a security problem that opens up a new set of attack vectors?
--
Feedback from @tghosth in #1916 (comment)