I'll need to check if it's true for dynamic redirects that use the Location header, but right now I can provide an example where JavaScript is used for the redirect, in which case the access token is sent in a URL.

Let us assume that you've implemented an endpoint on your authz server as a JSP that populates the access token dynamically:

    <html>
    <body onload="window.location.href = 'http://www.google.com#access_token=<%=var_with_token%>'">
    </body>
    </html>

After the JSP container has expanded the variable, the response that the browser sees looks as follows:

    <html>
    <body onload="window.location.href = 'http://www.google.com#access_token=123'">
    </body>
    </html>

To test the page above, I put it on my local Apache web server and then accessed it using the Iceweasel browser. I've used HTTP Live Headers to see all redirects. The trace is below. Please let me know what I'm missing. The last GET has the access token in it.

http://localhost/red.html

GET /red.html HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.7) Gecko/2009032018 Mozilla/3.0.12 (Debian-3.0.12-1)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
If-Modified-Since: Sun, 01 Aug 2010 23:15:07 GMT
If-None-Match: "dfa53-67-48ccb4133b4c0"-gzip

HTTP/1.x 200 OK
Date: Sun, 01 Aug 2010 23:16:17 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny2 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_perl/2.0.4 Perl/v5.10.0
Last-Modified: Sun, 01 Aug 2010 23:15:07 GMT
Etag: "dfa53-67-48ccb4133b4c0"-gzip
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 110
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html
----------------------------------------------------------
http://www.google.com/#access_token=123

GET / HTTP/1.1
Host: www.google.com
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.7) Gecko/2009032018 Mozilla/3.0.12 (Debian-3.0.12-1)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://localhost/red.html
Cookie: PREF=ID=0f1fa5297d3f9d6a:U=f5ef3a217b0cd5bf:TM=1277864220:LM=1278796823:GM=1:S=j8uhrMH9ofdi5YZo; NID=37=J2gm7WZsItUM0qhpdyYDiOyE7XuO0tWvSWtOcBpgWZ-Y3Rrb6XJC46TcHkHOqiMUF1ClrcG9JZQ9l0BN8eJUinfWIgsUEw7NuCwphBhwjO1odRifOKngacoHcy83E1wd; ; SID=DQAAAHcAAADE79x4u_-iBaW7H0MKg1k42z-x8maC4Cm3nUsu68UmsWtkeKZ1cRpG9_YxNhRNeSqGpeRGwyxyMUFtyLBEtfpwt76t_RgE0BTQRig2NqD82bmbcf_CTC0Eu-7HjxNw_n6cW1gkWrUPS46aCzkeIDHAJHDMoVOrrmkVe3lcOGZ1ZQ; HSID=ASoUGayYF7At1XErl

----- Original Message ----
From: Marius Scurtescu <mscurte...@google.com>
To: Bouiaw <bou...@gmail.com>
Cc: Oleg Gryb <o...@gryb.info>; oauth@ietf.org
Sent: Sun, August 1, 2010 1:03:36 PM
Subject: Re: [OAUTH-WG] Is User Agent Profile Secure in OAuth 2.0?

On Sun, Aug 1, 2010 at 12:22 PM, Bouiaw <bou...@gmail.com> wrote:
> Has the redirect with the fragment in the URL, without sending it to the
> server, been tested with all main browsers?

AFAIK this is how all major browsers behave. Does anyone know otherwise? Browsers that don't respect this?

Marius

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
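An added check (not part of the thread, written from a defender's perspective) for the question the trace raises: derive the request-target a browser puts on the request line for a redirect URL, and scan a captured request for the token so the exposure can be verified rather than eyeballed. The sample request is constructed from the second GET in the trace above; only the token value `123` is assumed.

```python
from urllib.parse import urlsplit


def browser_request_target(url: str) -> str:
    """Request-target a browser sends for `url` (path plus query).

    RFC 3986 defines the fragment as client-side only, so it is not part
    of the request line; a query string, by contrast, is sent verbatim.
    """
    parts = urlsplit(url)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    return target


def token_exposure(raw_request: str, token: str) -> dict:
    """Report which parts of a captured HTTP request carry `token`."""
    lines = raw_request.strip().splitlines()
    request_line = lines[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {
        "request_line": token in request_line,
        "referer": token in headers.get("referer", ""),
        "any_header": any(token in v for v in headers.values()),
    }


# Constructed sample: the redirect target from the JSP page, its
# query-string variant, and the second GET captured in the trace
# (trimmed to the headers that matter for this check).
FRAGMENT_URL = "http://www.google.com#access_token=123"
QUERY_URL = "http://www.google.com/?access_token=123"
CAPTURED_GET = """GET / HTTP/1.1
Host: www.google.com
Accept: text/html,application/xhtml+xml
Referer: http://localhost/red.html
"""


def demo() -> dict:
    """Compare fragment vs. query placement and scan the captured GET."""
    return {
        "fragment_target": browser_request_target(FRAGMENT_URL),
        "query_target": browser_request_target(QUERY_URL),
        "captured": token_exposure(CAPTURED_GET, "123"),
    }
```

Run `demo()` against your own Live HTTP Headers capture by pasting the request into `CAPTURED_GET`; a `True` in any field means the token reached the wire.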