You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
// The authorization server MUST authenticate the client whenever
55
+
// possible.
56
+
it('should authenticate the client whenever possible. (untestable?)',function(){
57
+
58
+
});
59
+
60
+
// If the authorization server cannot authenticate the client
61
+
// due to the client's nature, the authorization server MUST require the
62
+
// registration of any redirection URI used for receiving authorization
63
+
// responses and SHOULD utilize other means to protect resource owners
64
+
// from such potentially malicious clients. For example, the
65
+
// authorization server can engage the resource owner to assist in
66
+
// identifying the client and its origin.
67
+
it('should require the registration of any redirection URI used for receiving authorization responses.',function(){
68
+
69
+
});
70
+
71
+
// The authorization server SHOULD enforce explicit resource owner
72
+
// authentication and provide the resource owner with information about
73
+
// the client and the requested authorization scope and lifetime. It is
74
+
// up to the resource owner to review the information in the context of
75
+
// the current client and to authorize or deny the request.
76
+
it('should provide the resource owner with information about the client and the requested authorization scope and lifetime.',function(){
77
+
78
+
});
79
+
80
+
// The authorization server SHOULD NOT process repeated authorization
81
+
// requests automatically (without active resource owner interaction)
82
+
// without authenticating the client or relying on other measures to
83
+
// ensure that the repeated request comes from the original client and
84
+
// not an impersonator.
85
+
it('should NOT process repeated authorization requests automatically without authenticating the client to ensure that the repeated request comes from the original client and not an impersonator.',function(){
// Access token credentials (as well as any confidential access token
96
+
// attributes) MUST be kept confidential in transit and storage, and
97
+
// only shared among the authorization server, the resource servers the
98
+
// access token is valid for, and the client to whom the access token is
99
+
// issued...
100
+
it('should keep access token credentials (and it\'s attributes) confidential in transit and at rest',function(){
101
+
102
+
});
103
+
104
+
105
+
// ...Access token credentials MUST only be transmitted using TLS
106
+
// as described in Section 1.6 with server authentication as defined by
107
+
// [RFC2818].
108
+
it('should transmit access token credentials using TLS (untestable?)',function(){
109
+
110
+
});
111
+
112
+
// When using the implicit grant type, the access token is transmitted
113
+
// in the URI fragment, which can expose it to unauthorized parties.
114
+
115
+
// The authorization server MUST ensure that access tokens cannot be
116
+
// generated, modified, or guessed to produce valid access tokens by
117
+
// unauthorized parties.
118
+
it('should ensure that access tokens cannot be generated, modified, or guessed to produce valid access tokens by unauthorized parties when using implicit grant type',function(){
119
+
120
+
});
121
+
122
+
// The client SHOULD request access tokens with the minimal scope
123
+
// necessary. The authorization server SHOULD take the client identity
124
+
// into account when choosing how to honor the requested scope and MAY
125
+
// issue an access token with less rights than requested.
126
+
it('should issue access token with less rights than requested by client identity and scope',function(){
// The transmission of authorization codes SHOULD be made over a secure
189
+
// channel, and the client SHOULD require the use of TLS with its
190
+
// redirection URI if the URI identifies a network resource. Since
191
+
// authorization codes are transmitted via user-agent redirections, they
192
+
// could potentially be disclosed through user-agent history and HTTP
193
+
// referrer headers.
194
+
it('should transmit authorization code over a secure channel.',function(){
195
+
196
+
});
197
+
198
+
// Authorization codes operate as plaintext bearer credentials, used to
199
+
// verify that the resource owner who granted authorization at the
200
+
// authorization server is the same resource owner returning to the
201
+
// client to complete the process. Therefore, if the client relies on
202
+
// the authorization code for its own resource owner authentication, the
203
+
// client redirection endpoint MUST require the use of TLS.
204
+
it('should require the use of TLS with its redirection URI.',function(){
205
+
206
+
});
207
+
208
+
// Authorization codes MUST be short lived and single-use...
209
+
it('should have short lived authorization code',function(){
210
+
211
+
});
212
+
213
+
it('should have singe-use authorization code',function(){
214
+
215
+
});
216
+
217
+
// If the authorization server observes multiple attempts to exchange an
218
+
// authorization code for an access token, the authorization server
219
+
// SHOULD attempt to revoke all access tokens already granted based on
220
+
// the compromised authorization code.
221
+
it('should revoke all access tokens granted when multiple authorization code for an access token exchanges have been attempted (I assume this means failed failed)',function(){
222
+
223
+
});
224
+
225
+
// If the client can be authenticated, the authorization servers MUST
226
+
// authenticate the client and ensure that the authorization code was
227
+
// issued to the same client.
228
+
it('should authenticate the client and issue an authorization code to that same client',function(){
229
+
230
+
});
231
+
232
+
});
233
+
234
+
describe('10.6 - Authorization Code Redirection URI Manipulation',function(){
0 commit comments