
Clarify 10.4.16 (v5.0.be-51.4.10) #2974


Open
tghosth opened this issue Apr 17, 2025 · 5 comments
Labels
3) awaiting proposal There is some discussion in issue and reach to some results but it's not concluded with clear propos V10 (prev V51) Group issues related to OAuth _5.0 - rc1

Comments

@tghosth
Collaborator

tghosth commented Apr 17, 2025

In 10.4.16 we currently have the following:

| # | Description | Level | #v5.0.be |
|---|---|---|---|
| **10.4.16** | Verify that the client is confidential and the authorization server requires the use of strong client authentication methods (based on public-key cryptography and resistant to replay attacks), such as mutual TLS (mTLS) or private key JWT ('private_key_jwt'). | 3 | v5.0.be-51.4.10 |

It appears that 'private_key_jwt' refers to a specific mode, whereas mTLS is a more general mechanism. I find that mix a little confusing; could we either refer to a couple of specific modes or a couple of general mechanisms @randomstuff?

@tghosth tghosth added 3) awaiting proposal There is some discussion in issue and reach to some results but it's not concluded with clear propos _5.0 - rc1 V10 (prev V51) Group issues related to OAuth labels Apr 17, 2025
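To make concrete what the requirement means by "based on public-key cryptography and resistant to replay attacks", here is an added example (not ASVS text or code from the project) of the 'private_key_jwt' mode: the client signs a short-lived assertion with its private key, and the authorization server verifies the signature against the registered public key and checks `iss`/`sub`, `aud`, `exp` and a single-use `jti`. The client id `acme-client`, the token endpoint URL and the `jti` value are constructed placeholders; the key is generated at run time.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Claims carried by a private_key_jwt client assertion (RFC 7523 section 3).
type Claims struct {
	Iss string `json:"iss"` // must equal the client_id
	Sub string `json:"sub"` // must equal the client_id
	Aud string `json:"aud"` // the authorization server's token endpoint
	Exp int64  `json:"exp"` // short lifetime, seconds since epoch
	Jti string `json:"jti"` // unique id, accepted once (replay protection)
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// MintAssertion is the client side: sign the claims with the client's
// P-256 private key as an ES256 JWS in compact serialization.
func MintAssertion(key *ecdsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT"})
	body, _ := json.Marshal(c)
	signingInput := b64(hdr) + "." + b64(body)
	h := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, key, h[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 signature is r||s, 32 bytes each
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64(sig), nil
}

// Verifier is the authorization server side: registered client public keys
// plus the set of jti values already consumed within their validity window.
type Verifier struct {
	TokenEndpoint string
	Keys          map[string]*ecdsa.PublicKey
	seenJTI       map[string]time.Time
	Now           func() time.Time
}

func NewVerifier(endpoint string) *Verifier {
	return &Verifier{TokenEndpoint: endpoint, Keys: map[string]*ecdsa.PublicKey{},
		seenJTI: map[string]time.Time{}, Now: time.Now}
}

// Verify authenticates clientID from the presented assertion.
func (v *Verifier) Verify(clientID, assertion string) (*Claims, error) {
	parts := strings.Split(assertion, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed assertion")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	hb, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "ES256" {
		return nil, errors.New("unsupported alg") // only the registered public-key alg, never none/HMAC
	}
	pub, ok := v.Keys[clientID]
	if !ok {
		return nil, errors.New("unknown client")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, errors.New("bad signature encoding")
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, h[:], r, s) {
		return nil, errors.New("signature invalid")
	}
	var c Claims
	pb, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(pb, &c) != nil {
		return nil, errors.New("bad payload")
	}
	now := v.Now()
	switch {
	case c.Iss != clientID || c.Sub != clientID:
		return nil, errors.New("iss/sub do not match the authenticating client")
	case c.Aud != v.TokenEndpoint:
		return nil, errors.New("aud is not this token endpoint")
	case c.Exp == 0 || now.Unix() >= c.Exp:
		return nil, errors.New("assertion expired")
	case c.Jti == "":
		return nil, errors.New("jti required")
	}
	for j, exp := range v.seenJTI { // forget jti values whose assertion has expired anyway
		if now.After(exp) {
			delete(v.seenJTI, j)
		}
	}
	if _, dup := v.seenJTI[c.Jti]; dup {
		return nil, errors.New("replayed assertion: jti already used")
	}
	v.seenJTI[c.Jti] = time.Unix(c.Exp, 0)
	return &c, nil
}

// Demo runs a constructed scenario: the client authenticates once, then the
// same assertion is presented again. Returns the outcome of each attempt.
func Demo() (first error, replay error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err, err
	}
	v := NewVerifier("https://as.example/token") // placeholder endpoint
	v.Keys["acme-client"] = &key.PublicKey        // registered at client onboarding
	c := Claims{Iss: "acme-client", Sub: "acme-client", Aud: v.TokenEndpoint,
		Exp: time.Now().Add(60 * time.Second).Unix(), Jti: "constructed-jti-0001"}
	a, err := MintAssertion(key, c)
	if err != nil {
		return err, err
	}
	_, first = v.Verify("acme-client", a)
	_, replay = v.Verify("acme-client", a)
	return first, replay
}

func main() {
	first, replay := Demo()
	fmt.Println("first use:", first)
	fmt.Println("replay:", replay)
}
```

The replay resistance comes from the combination of a short `exp` and the single-use `jti`; the public-key property comes from the server holding only the client's public key, so nothing it stores can be used to impersonate the client.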
@elarlang
Collaborator

#2897 ?

@tghosth
Collaborator Author

tghosth commented Apr 17, 2025

doh 🤦‍♂️

It kind of feels like this point got lost so I would be tempted to close #2897 as it got mostly resolved by #2931 and there is just this point remaining. What do you think @elarlang ?

@oleksiidov
Contributor

oleksiidov commented Apr 17, 2025

Colleagues, I have some doubts regarding "confidential" in the context of this requirement.
And to align the mentioning of authentication mechanisms, I would like to stick to not going into details here.
Should we put this requirement in the following way:

Verify that the client is authenticated and the authorization server requires the use of strong client authentication methods (based on public-key cryptography and resistant to replay attacks), such as mutual TLS (mTLS) or private key JWT.

Regarding capitalization we have discussion in #1875 .
Potentially it could be put as "Mutual TLS (mTLS) or Private Key JWT", as it is used in OAuth: https://oauth.net/private-key-jwt. But as agreed, we should wait for the approach on capitalization and then make the change, if needed.

@elarlang
Collaborator

"confidential client" is a specific term for OAuth; it is a client type (public client and confidential client), please see the chapter text.

@oleksiidov
Contributor

oleksiidov commented Apr 18, 2025

@elarlang thank you for the explanation! This point is clear to me now.
And I noticed that this capitalization topic of m(M)utual TLS (mTLS) is relevant for other requirements in this chapter -- a different approach is used in the requirement descriptions. Will add this to (#1875 (comment)) also.

randomstuff pushed a commit to randomstuff/ASVS that referenced this issue Apr 18, 2025