Marius,

> As a side note, I was thinking more about the suggested "sites"
> parameter. In practice the sites where an access token can be used are
> limited to what protected resources can decrypt or verify the token.
> An access token cannot really be used at the wrong site. A "sites"
> parameter could be a nice hint for the client, but not a security
> requirement.
A bearer token that goes to the wrong site can be used -- to access the protected resource on the right site -- so this is a total security failure, not a nice hint.

If the wrong site uses HTTP then the token is also exposed on the network -- so it has just been broadcast in the clear if you are using public wifi. Again a security failure.

--
James Manger

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
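The point above, that a client must never attach a bearer token to a request for a site it was not issued for, nor over plain HTTP, is something the client can enforce before building the request. The following is an added illustration and not code from the thread or from any OAuth specification; the "sites" list in the token response is the proposed parameter under discussion, and the token value, host names and the absent-"sites" behaviour (treat as "no site allowed") are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed token response. "sites" is the parameter proposed on the list,
# not a field defined by any OAuth specification (assumption for this example).
TOKEN_RESPONSE = {
    "access_token": "constructed-opaque-token-value",
    "token_type": "bearer",
    "sites": ["https://api.example.com", "https://photos.example.com:8443"],
}

DEFAULT_PORTS = {"https": 443, "http": 80}


def normalize_origin(url):
    """Return (scheme, host, port) for a URL, filling in the default port.

    Comparing normalized origins avoids accepting "https://api.example.com:8443"
    for an entry that only named "https://api.example.com".
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def allowed_origins(token_response):
    """Origins the token was issued for; empty if the server sent no "sites"."""
    return {normalize_origin(site) for site in token_response.get("sites", [])}


def may_send_bearer(token_response, request_url):
    """Decide whether the client may attach the bearer token to this request.

    Returns (allowed, reason). Both failure modes named in the thread are
    refused: a non-HTTPS destination (token would be broadcast in the clear)
    and a destination that is not one of the token's sites (token would be
    handed to a party that could replay it against the right site).
    """
    scheme, host, port = normalize_origin(request_url)
    if scheme != "https":
        return False, "refusing to send bearer token over %s" % (scheme or "unknown scheme")
    if (scheme, host, port) not in allowed_origins(token_response):
        return False, "%s:%s is not among the token's sites" % (host, port)
    return True, "ok"


def build_headers(token_response, request_url):
    """Return the headers to send: Authorization only when the check passes."""
    allowed, reason = may_send_bearer(token_response, request_url)
    if not allowed:
        return {}, reason
    return {"Authorization": "Bearer " + token_response["access_token"]}, reason


if __name__ == "__main__":
    for url in ("https://api.example.com/v1/me",
                "http://api.example.com/v1/me",
                "https://other.example.net/v1/me",
                "https://api.example.com:8443/v1/me"):
        headers, reason = build_headers(TOKEN_RESPONSE, url)
        print(url, "->", "sent" if headers else "blocked", "(%s)" % reason)
```

The check is deliberately on the side of the client, since it is the client, not the protected resource, that decides where a bearer token travels; a resource server that cannot verify the token still receives it, which is exactly the failure the reply describes.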