From 278397dd6536fb7d1c1466807e52e725d6d58b26 Mon Sep 17 00:00:00 2001 From: Gabriel Corona Date: Thu, 21 Nov 2024 11:13:18 +0100 Subject: [PATCH] V51, Add requirements about user consent (#2397) * V51, Add requirements about user consent * updates for consent requirements * rm consent management at the moment --------- Co-authored-by: Gabriel Corona Co-authored-by: Elar Lang <47597707+elarlang@users.noreply.github.com> --- 5.0/en/0x51-V51-OAuth2.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/5.0/en/0x51-V51-OAuth2.md b/5.0/en/0x51-V51-OAuth2.md index 2eef7938a3..cdc135192d 100644 --- a/5.0/en/0x51-V51-OAuth2.md +++ b/5.0/en/0x51-V51-OAuth2.md 
@@ -37,6 +37,8 @@ Given the complexity of the area, it is vitally important for a secure OAuth or | **51.2.13** | [ADDED] Verify that refresh tokens have an absolute expiration, including if sliding refresh token expiration is applied. | ✓ | ✓ | ✓ | | **51.2.14** | [MODIFIED, MOVED FROM 3.5.1] Verify that refresh tokens and reference access tokens can be revoked by an authorized user. It can be achieved by using the authorization server user interface, or by a client that is using authorization server APIs for revocation. | | ✓ | ✓ | | **51.2.15** | [ADDED] Verify that, for a server-side client (which is not executed on the end-user device), the authorization server ensures that the 'authorization_details' parameter value is from the client backend and that the user has not tampered with it. For example by requiring the usage of pushed authorization request (PAR) or JWT-secured authorization request (JAR). | | | ✓ | +| **51.2.16** | [ADDED] Verify that the authorization server ensures that the user consents to each authorization request. If the identity of the client cannot be assured, the authorization server must always explicitly prompt the user for consent. | | ✓ | ✓ | +| **51.2.17** | [ADDED] Verify that when the authorization server prompts for user consent, it presents sufficient and clear information about what is being consented to. When applicable this should include the nature of the requested authorizations (typically based on scope, resource server, rich authorization requests (RAR) authorization details), the identity of the authorized application and the lifetime of these authorizations. | | ✓ | ✓ | ## V51.3 OAuth Client
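Review bot: The two sentences of the new 51.2.16 pull in different directions and the requirement should say which behaviour is expected when the client *can* be authenticated. "ensures that the user consents to each authorization request" reads as a prompt on every request, while the second sentence ("must always explicitly prompt" only if client identity cannot be assured) implies that a previously granted consent may be reused for an authenticated (confidential) client. Spell that out, and cover the scope-escalation case, e.g. "Verify that the authorization server obtains user consent for each authorization request, either by explicitly prompting the user or by reusing consent the same user previously granted to the same authenticated client for the same or narrower authorizations. If the identity of the client cannot be assured (for example, a public client without client authentication), the authorization server always explicitly prompts the user for consent." The reason this matters is visible in the neighbouring rows: a remembered consent keyed only on a client_id that any impersonating public client can present would let that impersonator obtain the tokens whose lifetime and revocation 51.2.13 and 51.2.14 are trying to bound. Two smaller points on the same hunk: drop "must" from 51.2.16, since the surrounding rows express the obligation through "Verify that ..." plus the level columns rather than RFC 2119 wording; and in 51.2.17 use "the identity of the client" rather than "the identity of the authorized application", matching the "client" terminology of 51.2.14 and 51.2.15 (also add the comma after "When applicable").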