Releases · oauth-wg/oauth-cross-device-security

Introduced normative SHOULD, RECOMMENDED and MAY when applied to actions the Authorization Server, Resource Server or Client may implement.
Added User Education as a standalone mitigation.
Added Maryam Mehrnezhad, Marco Pernpruner and Giada Sciarretta to the contributors list.
Added Request Binding with Out-of-Band Data as an additional mitigation (feedback received at OSW 2023)
Adopted the OpenID Foundation terminology from [CIBA] and changed Initiating Device to Consumption Device
Added Fake Helpdesk and Consent Request Overload examples (new variations of attacks observed in the wild)
Replaced "Authenticated Flow" mitigation name with "Authenticate-then-Intitiate"
Added Cross-Device Session Transfer pattern (feedback received at OSW 2023)

What's Changed

Capitalise SHOULD, MAY and RECOMMENDED where appropriate by @PieterKas in #75
Fix punctuation, typos and hyphenation by @marcopernpruner in #81
Inconsistency on "Authorization Device" by @marcopernpruner in #83
Added User Education as an explicit mitigations by @PieterKas in #88
Additional UX mitigation by @PieterKas in #90
Additional mitigation by @PieterKas in #91
Added contributors by @PieterKas in #102
Added Out-of-Band User Entered Data Mitigation by @PieterKas in #101
Refined the trusted devices section. by @PieterKas in #103
Changed Terminology from Initiating Device to Consumption Device by @PieterKas in #106
Fix header level for Request Binding with Out-of-Band Data by @marcopernpruner in #108
Added Fake Helpdesk attack example by @PieterKas in #110
Added Example B.9 by @PieterKas in #109
Adding support for session transfer by @PieterKas in #112
Alternative name for Authenticated Flow by @PieterKas in #111
Restructure User Experience mitigation by @marcopernpruner in #107
Editorial changes in intro and concepts section by @danielfett in #114
Additional editorial changes by @danielfett in #115
Fix editorial issues by @marcopernpruner in #113