On Mon, May 10, 2010 at 4:46 PM, Manger, James H <james.h.man...@team.telstra.com> wrote:

> Marius,
>
>> As a side note, I was thinking more about the suggested "sites"
>> parameter. In practice the sites where an access token can be used are
>> limited to what protected resources can decrypt or verify the token.
>> An access token cannot really be used at the wrong site. A "sites"
>> parameter could be a nice hint for the client, but not a security
>> requirement.
>
> A bearer token that goes to the wrong site can be used -- to access the
> protected resource on the right site -- so this is a total security failure,
> not a nice hint.

Yes, you are right. I was thinking about an information leak from the token. But then again, how does the client end up making a request to the wrong site?

> If the wrong site uses HTTP then the token is also exposed on the network --
> so it has just been broadcast in the clear if you are using public wifi.
> Again a security failure.

Sure, but the "sites" parameter does not help in these cases.

Marius

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
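The client-side check the two messages are arguing about, as an added example that is not from the thread or from any OAuth specification: it treats the proposed "sites" list as something the client enforces before attaching a bearer token, refusing both plain-HTTP and unlisted origins. The field name "sites", its shape and the URLs are assumptions.

```python
from urllib.parse import urlsplit

# Constructed token response carrying the proposed "sites" hint.
# The field name and its list-of-origins shape are assumptions.
TOKEN_RESPONSE = {
    "access_token": "example-bearer-token",
    "sites": ["https://api.example.com", "https://files.example.com:8443"],
}


def normalize_origin(url: str) -> str:
    """Reduce a URL to scheme://host[:port], dropping the scheme's default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port  # None when absent; raises ValueError on a malformed port
    default = {"https": 443, "http": 80}.get(scheme)
    if port is None or port == default:
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def may_send_token(request_url: str, token_response: dict) -> bool:
    """True only if attaching the bearer token to request_url is safe:
    the origin must use TLS and must appear in the token's "sites" list."""
    origin = normalize_origin(request_url)
    if not origin.startswith("https://"):
        return False  # a bearer token on plain HTTP is broadcast in the clear
    allowed = {normalize_origin(s) for s in token_response.get("sites", [])}
    return origin in allowed  # wrong site: token withheld, so it cannot be replayed


def build_headers(request_url: str, token_response: dict) -> dict:
    """Request headers: the Authorization header is added only for allowed origins."""
    if may_send_token(request_url, token_response):
        return {"Authorization": f"Bearer {token_response['access_token']}"}
    return {}


if __name__ == "__main__":
    for url in ("https://api.example.com/v1/users",
                "http://api.example.com/v1/users",
                "https://attacker.example.net/v1/users"):
        print(url, "->", build_headers(url, TOKEN_RESPONSE))
```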