Open
Description
Provide OAuth 2.1 compatibility option
Problem
OAuth 2.1 wraps up a bunch of different security best practices. It'd be nice to have a checkbox, perhaps on the tenant, which would set up FusionAuth to be OAuth 2.1 compatible.
From the draft, section 10 does a good job of outlining the major differences:
- require PKCE
- disable the implicit and password grants
- disallow refresh tokens which are neither sender-constrained nor one-time use
- no option for allowing non-exact matches of redirect_uris (which would rule out "Allow dynamic redirect URI for OAuth" #437)
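The four section-10 points above map directly onto checks an authorization server runs on incoming requests and on its own token configuration. The following is an added illustration, not FusionAuth code and not the draft's text: a small Python policy module that rejects an `/authorize` request without S256 PKCE, rejects `response_type=token`, requires an exact `redirect_uri` match, rejects the `password` grant at the token endpoint, verifies the `code_verifier` there, and flags a refresh-token setting that is neither rotated nor sender-constrained. The configuration keys (`refresh_tokens_enabled`, `one_time_use`, `sender_constrained`) are hypothetical names chosen for the example.

```python
"""Added example: OAuth 2.1 request and configuration checks.

Hypothetical code, not FusionAuth's. It encodes the section-10 differences
from the OAuth 2.1 draft as checks a server would run on /authorize requests,
/token requests, and its own refresh-token settings.
"""
import base64
import hashlib
import secrets
from typing import Dict, List

# Grant types OAuth 2.1 removes outright.
REMOVED_GRANTS = {"implicit", "password"}


def _s256(code_verifier: str) -> str:
    """BASE64URL(SHA256(code_verifier)) without padding, per RFC 7636."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> Dict[str, str]:
    """Client side: a random code_verifier (unreserved chars, 43..128 long) and its S256 challenge."""
    verifier = secrets.token_urlsafe(64)  # 86 URL-safe characters
    return {"code_verifier": verifier, "code_challenge": _s256(verifier)}


def pkce_matches(code_verifier: str, code_challenge: str) -> bool:
    """Server side, token endpoint: recompute S256 and compare in constant time."""
    return secrets.compare_digest(_s256(code_verifier), code_challenge)


def check_authorization_request(params: Dict[str, str],
                                registered_redirect_uris: List[str]) -> List[str]:
    """Return OAuth 2.1 violations in an /authorize request (empty list means acceptable)."""
    violations: List[str] = []
    # 1. PKCE is mandatory, and only the S256 method is acceptable.
    if "code_challenge" not in params:
        violations.append("missing code_challenge (PKCE is required)")
    elif params.get("code_challenge_method", "plain") != "S256":
        violations.append("code_challenge_method must be S256")
    # 2. Implicit grant: response_type containing 'token' asks /authorize for a token.
    if "token" in params.get("response_type", "").split():
        violations.append("implicit grant (response_type=token) is removed")
    # 4. redirect_uri must equal a registered URI exactly; no prefix or wildcard matching.
    if params.get("redirect_uri") not in registered_redirect_uris:
        violations.append("redirect_uri is not an exact match of a registered URI")
    return violations


def check_token_request(params: Dict[str, str], stored_code_challenge: str) -> List[str]:
    """Return OAuth 2.1 violations in a /token request, given the challenge stored with the code."""
    violations: List[str] = []
    grant = params.get("grant_type", "")
    # 2. The password grant is removed (implicit never reaches /token, but reject it by name too).
    if grant in REMOVED_GRANTS:
        violations.append(f"grant_type={grant} is removed in OAuth 2.1")
    # 1. The code exchange must carry a code_verifier that matches the stored challenge.
    if grant == "authorization_code":
        verifier = params.get("code_verifier")
        if verifier is None or not pkce_matches(verifier, stored_code_challenge):
            violations.append("code_verifier missing or does not match code_challenge")
    return violations


def check_refresh_token_config(config: Dict[str, bool]) -> List[str]:
    """3. Refresh tokens must be sender-constrained or one-time use (keys are hypothetical)."""
    if config.get("refresh_tokens_enabled") and not (
        config.get("one_time_use") or config.get("sender_constrained")
    ):
        return ["refresh tokens must be sender-constrained or one-time use"]
    return []


if __name__ == "__main__":
    # Constructed sample inputs: one compliant flow and one that breaks three rules at once.
    pair = make_pkce_pair()
    registered = ["https://app.example/callback"]
    good = {"response_type": "code", "redirect_uri": registered[0],
            "code_challenge": pair["code_challenge"], "code_challenge_method": "S256"}
    bad = {"response_type": "token", "redirect_uri": registered[0] + "/extra"}
    print("good authorize:", check_authorization_request(good, registered))
    print("bad authorize:", check_authorization_request(bad, registered))
    print("token:", check_token_request({"grant_type": "authorization_code",
                                          "code_verifier": pair["code_verifier"]},
                                         pair["code_challenge"]))
```

Each function returns a list of violations rather than raising, so a tenant-level "OAuth 2.1 mode" toggle could simply enable the whole set while a legacy mode logs them; the exact-match rule is the one that conflicts with the dynamic redirect URI request referenced above.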
Solution
I'd like a checkbox on the tenant (or maybe the system? or maybe the application?) with a title: "Enable OAuth 2.1 compatibility".
Alternatives/workarounds
Do this manually.
Additional context
Full draft here: https://tools.ietf.org/html/draft-ietf-oauth-v2-1
Related
How to vote
Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.