On Sun, Aug 1, 2010 at 10:59 AM, Oleg Gryb <oleg_g...@yahoo.com> wrote:
> I think OAuth 2.0 (http://tools.ietf.org/html/draft-ietf-oauth-v2-10)
> User Agent profile is not very secure. Please let me know where/if I'm
> wrong.
>
> Let us take a look at step C in Figure 5:
>
> "Redirect URI with access token in fragment."
>
> It's written everywhere that one should not really put secrets in a
> URL. The access token and that URL are all I need to get access to the
> protected resource, right?
>
> Let us assume that somebody copy/pasted that URL from a web server's
> access log file or from a proxy log file and then replayed it 1000
> times.
The fragment is not sent by the browser to the server, so it cannot end up in log files.

Marius

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
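An added illustration of the point Marius makes, not code from the thread or from any OAuth implementation: it models which part of a redirect URI a browser puts on the wire (and so into a server or proxy access log) and contrasts a token carried in the fragment with the same token carried in the query string. The URIs, token value, client IP and log format are constructed for the example.

```python
"""Fragment vs. query: what a browser transmits from a redirect URI."""
from urllib.parse import parse_qs, urlsplit

# Constructed sample URIs; the token value is made up.
FRAGMENT_URI = ("https://client.example/cb"
                "#access_token=tok-abc123&token_type=bearer&expires_in=3600")
QUERY_URI = "https://client.example/cb?access_token=tok-abc123&token_type=bearer"


def request_target(uri: str) -> str:
    """Return the request-target the browser writes into the HTTP request line.

    Per RFC 3986 section 3.5 the fragment is handled client-side and is not
    part of the request, so only path and query can reach the server.
    """
    parts = urlsplit(uri)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    return target


def access_log_line(uri: str, client_ip: str = "203.0.113.7") -> str:
    """Model a Common Log Format entry for the request the browser would send.

    The timestamp and client IP are constructed placeholders.
    """
    return (f'{client_ip} - - [01/Aug/2010:10:59:00 +0000] '
            f'"GET {request_target(uri)} HTTP/1.1" 200 512')


def token_in_log(uri: str) -> bool:
    """True if the access token would appear in the server's access log."""
    return "access_token" in access_log_line(uri)


def fragment_params(uri: str) -> dict:
    """What client-side script sees (the equivalent of window.location.hash)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(uri).fragment).items()}


if __name__ == "__main__":
    for uri in (FRAGMENT_URI, QUERY_URI):
        print(access_log_line(uri))
    print(fragment_params(FRAGMENT_URI))
```

Only the query-string variant lands the token in the log line; the fragment variant logs a bare `GET /cb`, while the token is still available to the client's own script.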