Implementation instructions

Alexandre Le Borgne edited this page May 13, 2018 · 5 revisions

Client Registration https://tools.ietf.org/html/rfc6749#section-2

Before initiating the protocol, the client registers with the authorization server. The means through which the client registers with the authorization server are beyond the scope of this specification but typically involve end-user interaction with an HTML registration form.

Client registration does not require a direct interaction between the client and the authorization server. When supported by the authorization server, registration can rely on other means for establishing trust and obtaining the required client properties (e.g., redirection URI, client type). For example, registration can be accomplished using a self-issued or third-party-issued assertion, or by the authorization server performing client discovery using a trusted channel.

When registering a client, the client developer SHALL:

- specify the client type as described in Section 2.1,
- provide its client redirection URIs as described in Section 3.1.2, and
- include any other information required by the authorization server (e.g., application name, website, description, logo image, the acceptance of legal terms).

Client Password https://tools.ietf.org/html/rfc6749#section-2.3.1

The authorization server MUST require the use of TLS as described in Section 1.6 when sending requests using password authentication.

Use High Entropy for Secrets https://tools.ietf.org/html/rfc6819#section-5.1.4.2.2

Since this client authentication method involves a password, the authorization server MUST protect any endpoint utilizing it against brute force attacks.

When creating secrets not intended for usage by human users (e.g., client secrets or token handles), the authorization server should include a reasonable level of entropy in order to mitigate the risk of guessing attacks. The token value should be >=128 bits long and constructed from a cryptographically strong random or pseudo-random number sequence (see [RFC4086] for best current practice) generated by the authorization server.
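As an added example (not part of this wiki page or the RFC text it quotes), the following Python sketch shows one way an authorization server could apply both requirements in this section: minting client secrets from the OS CSPRNG with well over 128 bits of entropy, storing only a salted hash, comparing the presented secret in constant time, and locking a client_id after repeated failures so the password-authenticated endpoint resists brute-force guessing. `ClientStore`, `MAX_FAILURES`, `LOCKOUT_SECONDS` and the injectable clock are illustrative assumptions, not names from any real OAuth library.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

# Constructed policy values for the example (RFC 6819 asks only for >=128 bits).
SECRET_BYTES = 32        # 256 bits of CSPRNG output per client secret
PBKDF2_ROUNDS = 100_000  # slows offline guessing if the credential store leaks
MAX_FAILURES = 5         # failed attempts before a client_id is locked out
LOCKOUT_SECONDS = 300    # length of the lockout window


def secret_entropy_bits(num_bytes: int) -> int:
    """Entropy carried by a secret built from num_bytes of CSPRNG output."""
    return num_bytes * 8


def generate_client_secret(num_bytes: int = SECRET_BYTES) -> str:
    """Return a URL-safe client secret drawn from the OS CSPRNG (RFC 4086)."""
    if secret_entropy_bits(num_bytes) < 128:
        raise ValueError("client secrets must carry at least 128 bits of entropy")
    return secrets.token_urlsafe(num_bytes)


def hash_secret(secret: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2 so the server never stores the clear-text secret."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


# Dummy credential used for unknown client_ids so that a lookup miss costs the
# same PBKDF2 work as a hit and does not reveal which client_ids exist.
_DUMMY_SALT, _DUMMY_DIGEST = hash_secret(generate_client_secret())


class ClientStore:
    """Minimal credential store with per-client brute-force lockout."""

    def __init__(self, clock: Callable[[], float] = time.monotonic) -> None:
        self._clock = clock
        self._clients: Dict[str, Tuple[bytes, bytes]] = {}   # id -> (salt, digest)
        self._failures: Dict[str, Tuple[int, float]] = {}    # id -> (count, window start)

    def register(self, client_id: str) -> str:
        """Mint a secret for client_id; it is returned once and stored only hashed."""
        secret = generate_client_secret()
        self._clients[client_id] = hash_secret(secret)
        return secret

    def is_locked(self, client_id: str, now: Optional[float] = None) -> bool:
        now = self._clock() if now is None else now
        entry = self._failures.get(client_id)
        if entry is None:
            return False
        count, window_start = entry
        if count < MAX_FAILURES:
            return False
        if now - window_start >= LOCKOUT_SECONDS:
            del self._failures[client_id]   # lockout expired, clear the counter
            return False
        return True

    def _record_failure(self, client_id: str, now: float) -> None:
        count, window_start = self._failures.get(client_id, (0, now))
        if now - window_start >= LOCKOUT_SECONDS:
            count, window_start = 0, now    # stale window, start counting afresh
        self._failures[client_id] = (count + 1, window_start)

    def authenticate(self, client_id: str, presented: str) -> bool:
        """Verify a client password; locked clients are refused without checking."""
        now = self._clock()
        if self.is_locked(client_id, now):
            return False
        salt, expected = self._clients.get(client_id, (_DUMMY_SALT, _DUMMY_DIGEST))
        _, actual = hash_secret(presented, salt)
        # compare_digest keeps the comparison constant-time; the membership test
        # rejects the dummy credential even if a guess happened to match it.
        ok = hmac.compare_digest(actual, expected) and client_id in self._clients
        if ok:
            self._failures.pop(client_id, None)
        else:
            self._record_failure(client_id, now)
        return ok
```

The lockout is keyed on client_id only; a production server would also throttle by source address and emit an audit event on each lockout so that a guessing campaign against the token endpoint is visible to monitoring.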