Hi all, I'm reading through the latest draft of the Security BCP, and noticed something I was hoping to get some clarification on. From the latest draft -14 section 2.1.2:
In order to avoid these issues, clients SHOULD NOT use the implicit grant (response type "token") or other response types issuing access tokens in the authorization response, unless access token injection in the authorization response is prevented and the aforementioned token leakage vectors are mitigated.
My understanding is that there is no way to prevent access token injection in the authorization response with just OAuth. It's only once you introduce OpenID Connect that it becomes possible to prevent ID token injection. If my understanding is correct, then it seems like it would be more appropriate for the security BCP to say something like "access tokens MUST NOT be issued via the implicit grant." That would technically still leave open the possibility of using the hybrid response types in OIDC as long as the access token is delivered via the authorization code exchange, but it clarifies that there is no way to protect the delivery of access tokens via the implicit grant.
So my question for the list is: am I forgetting about some way to prevent this attack in OAuth? If not, can we rephrase this section of the Security BCP to better clarify the intent here?
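The contrast the message draws (a plain OAuth "token" response carries nothing that binds the access token to the client's request, whereas an OIDC response can bind it through the signed ID token's nonce and at_hash claims) can be made concrete in code. The following is an added illustration written for this page, not code from the message, the Security BCP draft, or any OAuth library. It assumes an OP that signs ID tokens with HS256 keyed by the client secret (which OIDC Core permits), constructs the at_hash claim as OIDC Core 3.3.2.11 defines it (left half of the SHA-256 digest, base64url), and leaves out the iss/aud/exp checks a real client must also perform. All names (CLIENT_SECRET, op_hybrid_response, verify_hybrid_response, verify_implicit_response) and token values are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed secret shared between the OP and the client for HS256 ID token signatures.
CLIENT_SECRET = b"constructed-client-secret-for-illustration-only"


def b64url(data: bytes) -> str:
    """Base64url without padding, as used in JWTs and in at_hash."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def at_hash(access_token: str) -> str:
    """OIDC Core 3.3.2.11: hash the ASCII access token with the alg's hash (SHA-256
    for HS256/RS256), keep the left-most half, base64url-encode it."""
    digest = hashlib.sha256(access_token.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])


def sign_id_token(claims: dict) -> str:
    """Minimal HS256 JWT signer (constructed; a real OP would typically use RS256/ES256)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(CLIENT_SECRET, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def op_hybrid_response(access_token: str, nonce: str, state: str) -> dict:
    """Constructed OP side of an OIDC response that issues an access token alongside an
    ID token. The ID token echoes the client's nonce and commits to the access token."""
    claims = {
        "iss": "https://op.example",
        "aud": "client-123",
        "sub": "user-1",
        "nonce": nonce,
        "at_hash": at_hash(access_token),
    }
    return {"access_token": access_token, "token_type": "Bearer",
            "id_token": sign_id_token(claims), "state": state}


def verify_hybrid_response(resp: dict, expected_nonce: str) -> bool:
    """Client side: reject the response if the ID token is not ours (nonce) or if the
    access token is not the one the OP signed over (at_hash)."""
    header_b64, payload_b64, sig_b64 = resp["id_token"].split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        return False  # never accept an unexpected or "none" algorithm
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected_sig = hmac.new(CLIENT_SECRET, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(expected_sig), sig_b64):
        return False
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("nonce") != expected_nonce:
        return False  # ID token was not issued for this client's request
    # Binding check: the access token we received must match the one the OP hashed.
    return hmac.compare_digest(claims.get("at_hash", ""), at_hash(resp["access_token"]))


def verify_implicit_response(resp: dict, expected_state: str) -> bool:
    """Plain OAuth 'token' response: the only verifiable value is state, and state binds
    the response to the browser session, not the access token to the OP's decision.
    There is no claim that lets the client tell a substituted token from the real one."""
    return hmac.compare_digest(resp.get("state", ""), expected_state)


def demo() -> dict:
    """Same substitution of the access token against both response shapes."""
    nonce, state = "nonce-constructed-1", "state-constructed-1"
    hybrid = op_hybrid_response("AT-issued-to-this-client", nonce, state)
    hybrid_swapped = dict(hybrid, access_token="AT-substituted")
    implicit = {"access_token": "AT-issued-to-this-client", "token_type": "Bearer", "state": state}
    implicit_swapped = dict(implicit, access_token="AT-substituted")
    return {
        "hybrid_genuine_accepted": verify_hybrid_response(hybrid, nonce),
        "hybrid_swapped_accepted": verify_hybrid_response(hybrid_swapped, nonce),   # False
        "implicit_genuine_accepted": verify_implicit_response(implicit, state),
        "implicit_swapped_accepted": verify_implicit_response(implicit_swapped, state),  # True: undetectable
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The at_hash check only works because the ID token is signed by the OP and tied to the request by nonce; in the pure OAuth implicit response there is no signed artifact in the fragment at all, so the client has nothing to compare the access token against, which is the gap the message points at. Delivering the access token through the code exchange instead removes the token from the front channel entirely.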