Implementation instructions
Client Password (RFC 6749, Section 2.3.1: https://tools.ietf.org/html/rfc6749#section-2.3.1)
The authorization server MUST require the use of TLS as described in Section 1.6 when sending requests using password authentication.
Use High Entropy for Secrets (RFC 6819, Section 5.1.4.2.2: https://tools.ietf.org/html/rfc6819#section-5.1.4.2.2)
Since this client authentication method involves a password, the authorization server MUST protect any endpoint utilizing it against brute force attacks.
When creating secrets not intended for usage by human users (e.g., client secrets or token handles), the authorization server should include a reasonable level of entropy in order to mitigate the risk of guessing attacks. The token value should be >=128 bits long and constructed from a cryptographically strong random or pseudo-random number sequence (see [RFC4086] for best current practice) generated by the authorization server.
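The following is an added example (not code from this project or from the RFCs) showing how an authorization server can satisfy the two requirements quoted above: client secrets are generated from a cryptographically strong source with at least 128 bits of entropy (here 256 bits via the standard library's `secrets` module), stored only as a salted hash, compared in constant time, and the endpoint using them is rate-limited against brute-force attempts. The class name `ClientAuthenticator`, the lock-out thresholds and the PBKDF2 parameters are assumptions chosen for illustration, not values from the page.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque
from typing import Optional

# RFC 6819 Section 5.1.4.2.2: secrets should carry >= 128 bits of entropy.
MIN_SECRET_BITS = 128
SECRET_BYTES = 32  # 256 bits, comfortably above the minimum (assumed choice)


def generate_client_secret(nbytes: int = SECRET_BYTES) -> str:
    """Return a new client secret drawn from the OS CSPRNG (secrets module)."""
    if nbytes * 8 < MIN_SECRET_BITS:
        raise ValueError(f"client secrets must carry at least {MIN_SECRET_BITS} bits")
    # token_urlsafe(32) yields 43 URL-safe characters encoding 256 random bits
    return secrets.token_urlsafe(nbytes)


def hash_client_secret(secret: str, salt: Optional[bytes] = None) -> tuple:
    """Store only a salted, stretched hash of the secret, never the plaintext.
    Iteration count is an assumed illustrative value."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)
    return salt, digest


class ClientAuthenticator:
    """Verifies client_id / client_secret pairs with constant-time comparison and
    a per-client sliding-window failure limit (RFC 6749 2.3.1 brute-force protection).
    Hypothetical helper class written for this example."""

    def __init__(self, max_failures: int = 5, window_seconds: int = 60):
        self._store = {}                      # client_id -> (salt, digest)
        self._failures = defaultdict(deque)   # client_id -> timestamps of failures
        self.max_failures = max_failures
        self.window = window_seconds

    def register(self, client_id: str) -> str:
        """Issue a fresh secret; the plaintext is returned once and not retained."""
        secret = generate_client_secret()
        self._store[client_id] = hash_client_secret(secret)
        return secret

    def _too_many_failures(self, client_id: str, now: float) -> bool:
        q = self._failures[client_id]
        while q and now - q[0] > self.window:   # drop failures outside the window
            q.popleft()
        return len(q) >= self.max_failures

    def authenticate(self, client_id: str, presented: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        if self._too_many_failures(client_id, now):
            return False  # locked out: refuse without evaluating the secret
        record = self._store.get(client_id)
        if record is None:
            # Unknown client: do equivalent work so timing does not reveal existence
            hash_client_secret(presented, b"\x00" * 16)
            self._failures[client_id].append(now)
            return False
        salt, expected = record
        _, actual = hash_client_secret(presented, salt)
        if hmac.compare_digest(expected, actual):
            self._failures[client_id].clear()
            return True
        self._failures[client_id].append(now)
        return False


if __name__ == "__main__":
    auth = ClientAuthenticator(max_failures=3, window_seconds=60)
    s = auth.register("demo-client")   # constructed client id
    print("issued secret:", s)
    print("correct secret accepted:", auth.authenticate("demo-client", s))
    print("wrong secret rejected:", auth.authenticate("demo-client", "nope"))
```

Note that the `now` parameter exists only to make the sliding window testable; in production the monotonic clock is used. The salted PBKDF2 step is an assumed design choice: the RFC text requires strong randomness and brute-force protection but does not prescribe a storage format.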