I think the OAuth 2.0 (http://tools.ietf.org/html/draft-ietf-oauth-v2-10) User-Agent profile is not very secure. Please let me know where/if I'm wrong.

Let us take a look at step C in Figure 5: "Redirect URI with access token in fragment." It's written everywhere that one should not really put secrets in a URL. The access token and that URL are all I need to get access to the protected resource, right? Let us assume that somebody copy/pasted that URL from a web server's access log file or from a proxy log file and then replayed it 1000 times. If the action behind the protected resource was to buy a book at Amazon, does it mean that the victim will be charged for 1000 books? Also, is there any protection against CSRF or replay attacks in this case?

Thanks,
Oleg.

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
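An added example, not from Oleg's message or from the draft, illustrating the two points a client implementer would check against step C: what a server access log can actually see of a fragment-carrying redirect URI, and the `state` and `expires_in` checks a client runs before using the token. It assumes the fragment carries the `access_token`, `expires_in` and `state` parameters named in the draft's user-agent profile, and a hypothetical `session_state` value the client stored before redirecting; the redirect URI is constructed.

```python
from urllib.parse import urlsplit, parse_qs
import hmac

# Constructed sample of the redirect in Figure 5, step C: the authorization server
# sends the browser back to the client with the token in the URI fragment.
SAMPLE_REDIRECT = ("https://client.example.com/cb?ctx=42"
                   "#access_token=SlAV32hkKG&expires_in=3600&state=s3cr3t-session-nonce")


def server_visible_request_line(redirect_uri: str) -> str:
    """Reconstruct the request line the client's web server (and therefore its
    access log) receives. Browsers strip the #fragment before sending, so the
    token reaches only the script running in the page, not the server log."""
    parts = urlsplit(redirect_uri)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    return f"GET {target} HTTP/1.1"


def parse_fragment_response(redirect_uri: str) -> dict:
    """Extract the single-valued parameters carried in the fragment."""
    fragment = urlsplit(redirect_uri).fragment
    return {k: v[0] for k, v in parse_qs(fragment, keep_blank_values=True).items()}


def validate_response(redirect_uri: str, session_state: str,
                      received_at: int, now: int) -> str:
    """Checks a client should run before using the token. session_state is the
    value this client generated and stored (hypothetical storage) before it sent
    the user to the authorization server. Returns 'ok' or a rejection reason."""
    params = parse_fragment_response(redirect_uri)
    if "access_token" not in params:
        return "rejected: no access_token in fragment"
    # state binds the response to the session that started the flow: a response
    # pasted or injected into another user's browser will not carry that user's state.
    if not hmac.compare_digest(params.get("state", "").encode(), session_state.encode()):
        return "rejected: state mismatch"
    # expires_in is optional in the draft; when present it bounds how long a leaked
    # token stays usable (the resource server must enforce the lifetime as well).
    expires_in = int(params.get("expires_in", "") or "0")
    if expires_in and now > received_at + expires_in:
        return "rejected: token expired"
    return "ok"
```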