Marius
> ...not sure if this is a problem in real life.
> The resource that the client is trying to access should not redirect
> to an untrusted resource which is not supposed to receive access tokens.
This is a massive restriction on what a web service can do. It breaks the web if a service cannot redirect to less trusted sites. A service couldn't redirect to a content distribution network (CDN) -- even if using unguessable URIs (i.e. capabilities) -- without exposing tokens to the CDN. After accepting a secure, authenticated POST a service couldn't return a 303 pointing at a standard (public) response on HTTP -- or the token would be exposed in the clear. Google couldn't offer its "I'm feeling lucky" interface to apps.

-- James Manger

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
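As an added illustration of the client-side counterpart to this argument (example code, not from the thread or from any OAuth library), the policy below forwards a bearer token across a redirect only when the target is the same HTTPS origin as the original resource, so the CDN redirect and the 303-to-HTTP case James describes both drop the token instead of leaking it; all URLs are constructed.

```python
"""Added example (not from the thread or any OAuth library): a client-side
redirect policy that forwards the bearer token only when a redirect stays on
the original HTTPS origin. All URLs below are constructed for illustration."""
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}


def origin(url):
    """Return the (scheme, host, port) tuple identifying a URL's origin."""
    u = urlsplit(url)
    port = u.port if u.port is not None else DEFAULT_PORTS.get(u.scheme)
    return (u.scheme.lower(), (u.hostname or "").lower(), port)


def token_allowed_on_redirect(original_url, redirect_url):
    """True only if the bearer token may be re-sent to redirect_url.

    Relative Location values resolve against the original URL. The token is
    dropped when the target is not HTTPS (a 303 to a public HTTP page would
    expose it in the clear) or when the target is any other origin (a CDN,
    even behind an unguessable URI, must not receive it).
    """
    target = origin(urljoin(original_url, redirect_url))
    if target[0] != "https":
        return False
    return target == origin(original_url)


def headers_for_redirect(headers, original_url, redirect_url):
    """Copy the request headers for the redirected request, stripping
    Authorization unless the policy above allows the token to travel."""
    out = dict(headers)
    if not token_allowed_on_redirect(original_url, redirect_url):
        out.pop("Authorization", None)
    return out


if __name__ == "__main__":
    hdrs = {"Authorization": "Bearer <constructed-token>", "Accept": "*/*"}
    # 303 after an authenticated POST, pointing at a public HTTP page
    print(headers_for_redirect(hdrs, "https://api.example.test/submit",
                               "http://www.example.test/thanks"))
    # redirect to a CDN capability URI on another host
    print(headers_for_redirect(hdrs, "https://api.example.test/report",
                               "https://cdn.example.test/r/unguessable"))
```

A real client applies this check at every hop of a redirect chain, comparing each Location against the URL the token was originally issued for.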