From 370efb403f261558faae34211ccfc4742582df9f Mon Sep 17 00:00:00 2001 From: "Dean H. Saxe" Date: Tue, 12 Nov 2024 14:06:11 +0000 Subject: [PATCH] AS and 3rd Party Apps Change to require the authorization service to prevent access by 3rd party apps. --- draft-ietf-oauth-first-party-apps.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-oauth-first-party-apps.md b/draft-ietf-oauth-first-party-apps.md index a3a5653..53d3a27 100644 --- a/draft-ietf-oauth-first-party-apps.md +++ b/draft-ietf-oauth-first-party-apps.md @@ -128,7 +128,7 @@ This draft also extends the token response (typically for use in response to a r This specification MUST only be used by first-party applications, which is when the authorization server and application are controlled by the same entity and the user understands them both as the same entity. -This specification MUST NOT be used by third party applications, and the authorization server SHOULD take measures to prevent use by third party applications. (e.g. only enable this grant for certain client IDs, and take measures to authenticate first-party apps when possible.) +This specification MUST NOT be used by third party applications, and the authorization server MUST take measures to prevent use by third party applications. (e.g. only enable this grant for certain client IDs, and take measures to authenticate first-party apps when possible.) Using this specification in scenarios other than those described will lead to unintended security and privacy problems for users and service providers.