Overview#

Explicit Endpoint

Research such as the ISO BASIN Document points out that it is a good practice to explicitly state the intended interaction endpoints and the message position in the sequence in a tamper evident manner so that the intent of the initiator is unambiguous.

OAuth 2.0 Endpoints#

The endpoints in OAuth 2.0 that come into question are :

• Protected Resources Endpoints
• Authorization Endpoint ("authorization_endpoint")
• Redirection URI ("redirect_uri")
• Token Endpoint ("token_endpoint")

Further, if dynamic discovery ([OAuth 2.0 Authorization Server Metadata]]) is used, then the metadata related endpoints also come into question.

In RFC 6749, while Redirection URI is included, others are not included in the Authorization Request. As the result, the same applies to Authorization Request Object.

The lack of the link among those endpoints are sited as the cause of Cross-Phase Attacks introduced in FETT. An extension specification should be created as a measure to address the risk.

More Information#

There might be more information for this subject on one of the following:

• Best Practices OpenID Connect
• OAuth 2.0 JWT Secured Authorization Request
• OAuth 2.0 Security Considerations