"Redirect URI" below means HTTP response code 302, right? Won't the browser 
follow it?



----- Original Message ----
From: Marius Scurtescu <mscurte...@google.com>
To: Oleg Gryb <o...@gryb.info>
Cc: oauth@ietf.org
Sent: Sun, August 1, 2010 11:52:22 AM
Subject: Re: [OAUTH-WG] Is User Agent Profile Secure in OAuth 2.0?

On Sun, Aug 1, 2010 at 10:59 AM, Oleg Gryb <oleg_g...@yahoo.com> wrote:
> I think OAuth 2.0 (http://tools.ietf.org/html/draft-ietf-oauth-v2-10)
> User Agent profile is not very secure. Please let me know where/if I'm
> wrong.
>
> Let us take a look at step C in Figure 5 :
>
> "Redirect URI with access token in fragment."
>
> It's written everywhere that one should not really put secrets to a
> URL. Access token and that URL are all I need to get an access to the
> protected resource, right?
>
> Let us assume that somebody copy/pasted that URL from a web server's
> access log file or from a Proxy log file and then replayed it 1000
> times.

The fragment is not sent by the browser to the server, so it cannot
end up in log files.

Marius
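To make Marius's point concrete, here is an added JavaScript example (not code from the thread or from the OAuth draft) that splits a user-agent-profile redirect URI into the part the browser actually transmits and the fragment that stays on the client. The redirect URI, the client host `client.example.com` and the token value are constructed sample data modelled on step C of Figure 5; the function names are this example's own.

```javascript
// Added example, not part of the mailing-list thread: shows why an access
// token carried in the fragment of the redirect URI does not reach the
// server and therefore cannot be copied out of an access or proxy log.

// Constructed sample redirect URI (hostname and token value are made up).
const SAMPLE_REDIRECT =
  "https://client.example.com/cb?state=xyz" +
  "#access_token=SlAV32hkKG&token_type=bearer&expires_in=3600";

// What the browser sends when it follows the redirect: the Host header and
// the request-target (path + query). The fragment is never part of either,
// so it is absent from whatever the server or an intermediary proxy logs.
function requestTargetSentToServer(uri) {
  const url = new URL(uri);
  return { host: url.host, requestTarget: url.pathname + url.search };
}

// What only client-side script running on the redirected page can read:
// the fragment, parsed as application/x-www-form-urlencoded parameters.
function tokenFromFragment(uri) {
  const url = new URL(uri);
  const params = new URLSearchParams(url.hash.replace(/^#/, ""));
  const expires = params.get("expires_in");
  return {
    accessToken: params.get("access_token"),
    tokenType: params.get("token_type"),
    expiresIn: expires === null ? null : Number(expires),
  };
}

// Simulated request line as it would appear in a server access log, built
// only from the pieces the server actually receives.
function accessLogLine(uri) {
  const { requestTarget } = requestTargetSentToServer(uri);
  return `GET ${requestTarget} HTTP/1.1`;
}

// The replay scenario from the question: would the token be present in the
// logged request line at all?
function tokenLeaksIntoLog(uri) {
  const token = tokenFromFragment(uri).accessToken;
  return token !== null && accessLogLine(uri).includes(token);
}

// Stand-alone run: print both views of the same redirect URI.
console.log(requestTargetSentToServer(SAMPLE_REDIRECT));
console.log(tokenFromFragment(SAMPLE_REDIRECT));
console.log("token in log line:", tokenLeaksIntoLog(SAMPLE_REDIRECT));
```

The `state` query parameter is the only client-supplied value that does reach the server and its logs; the token itself is visible solely to the script that inspects `location.hash` after the redirect lands.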



_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
