Hey James,
Do you have a specific example in mind where this either has been an issue
or will be an issue? Most client implementations I've seen of OAuth (and
technologies like OAuth) have a strong binding between the access token(s),
site they were issued by, and user they belong to. So I haven't heard of
this being a problem in the wild...

--David


On Thu, May 6, 2010 at 4:57 PM, Manger, James H <james.h.man...@team.telstra.com> wrote:

>  The OAuth2 protocol does not indicate where a token can be used.
>
> It needs to do so because if a client app sends a token to the wrong site
> it destroys the security.
>
> I suggest another field in the JSON token response:
>
>   "sites": ["https://api.example.com", "http://photo.example.com:8080"]
>
> It would be a list of sites where the token can be used, specified by
> scheme://host[:port].
>
> The default value for the “sites” field could be the token endpoint site
> (or the authorization endpoint site if a token endpoint isn’t used).
>
> For instance, if Facebook’s new API uses https://graph.facebook.com for
> all resources, tokens, and authorizations it could omit the “sites” field.
>
> P.S. I suggested this last month
> http://www.ietf.org/mail-archive/web/oauth/current/msg01920.html, though
> I mixed in additional ideas for formats and media type that are probably
> best covered in their own threads.
>
> --
>
> James Manger
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
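The quoted proposal is a client-side binding: the token response names the sites where the token is valid, and a client refuses to present the token anywhere else. The following Python is an example added by the editor, not code from the OAuth list, from any draft, or from either poster. It assumes the proposed "sites" field exactly as quoted (a list of scheme://host[:port] strings, defaulting to the token endpoint's site when absent) and adds one normalisation the proposal does not state, treating an explicit default port (":443" on https, ":80" on http) as equal to an omitted one. All function, class and constant names, and the sample token response, are the editor's own.

```python
"""Client-side check that a token is only sent to the sites it was issued for.

Editor's example, not code from the OAuth list or any draft.  It assumes the
proposed "sites" field: a list of scheme://host[:port] strings in the JSON
token response, defaulting to the token endpoint's site when omitted.
"""
import json
from urllib.parse import urlsplit

# Editor's assumption, not part of the proposal: an explicit default port is
# the same site as an omitted one (https://a.example:443 == https://a.example).
DEFAULT_PORTS = {"https": 443, "http": 80}


class TokenSiteMismatch(Exception):
    """Raised when a token would be sent to a site it was not issued for."""


def site_of(url):
    """Reduce a URL to its scheme://host[:port] site, normalised for comparison.

    Scheme and host are compared case-insensitively (urlsplit lower-cases
    both); path, query and userinfo are ignored because the proposal binds
    tokens to sites, not to individual resources.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname  # already lower-cased by urlsplit
    if not scheme or not host:
        raise ValueError("a site needs a scheme and a host: %r" % url)
    port = parts.port  # raises ValueError on a non-numeric port
    if port is None or port == DEFAULT_PORTS.get(scheme):
        return "%s://%s" % (scheme, host)
    return "%s://%s:%d" % (scheme, host, port)


def parse_token_response(body, token_endpoint):
    """Parse a JSON token response into a token record bound to its sites.

    body is the raw JSON text; token_endpoint is the URL the client posted
    to, which supplies the default when the response omits "sites".
    """
    resp = json.loads(body)
    sites = resp.get("sites")
    if sites is None:
        sites = [token_endpoint]  # default proposed in the message above
    if not isinstance(sites, list) or not sites:
        raise ValueError('"sites" must be a non-empty list of sites')
    return {
        "access_token": resp["access_token"],
        "sites": frozenset(site_of(s) for s in sites),
    }


def token_allowed_at(token, resource_url):
    """True if the token may be presented to resource_url."""
    return site_of(resource_url) in token["sites"]


def checked_token_for(token, resource_url):
    """Return the access token to attach to a request, or raise before it leaks."""
    if not token_allowed_at(token, resource_url):
        raise TokenSiteMismatch(
            "refusing to send token to %s (valid at: %s)"
            % (site_of(resource_url), ", ".join(sorted(token["sites"]))))
    return token["access_token"]


# Constructed sample (editor's own) using the "sites" field as proposed.
SAMPLE_RESPONSE = json.dumps({
    "access_token": "SlAV32hkKG",
    "sites": ["https://api.example.com", "http://photo.example.com:8080"],
})
SAMPLE_TOKEN_ENDPOINT = "https://auth.example.com/token"


if __name__ == "__main__":
    tok = parse_token_response(SAMPLE_RESPONSE, SAMPLE_TOKEN_ENDPOINT)
    for url in (
        "https://api.example.com/v1/me",
        "https://api.example.com:443/v1/me",   # same site, explicit port
        "http://api.example.com/v1/me",        # wrong scheme
        "http://photo.example.com:8080/upload",
        "http://photo.example.com/upload",     # wrong port
        "https://evil.example.net/collect",    # not listed at all
    ):
        print("%-42s %s" % (url, "send" if token_allowed_at(tok, url) else "REFUSE"))
```

The decision is made once per request at the point where the client would attach the token, so a redirect, a misconfigured base URL, or an attacker-supplied link cannot pull the token to an unlisted site; the same `site_of` normalisation is applied to the listed sites and to the outgoing URL so that the comparison is exact rather than a prefix match.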
