I was reading the specifications, mainly the new ones related to the security issues.

One thing pointed out in the security summary is that the token should not be in the URL. So here come some of my doubts on the user agent flow, where it is set on the URL fragment. Even more, if working only on the client side, I suppose I should save the token somewhere, and a cookie, a secure one, should be the option. There should also be the possibility to save it in a JavaScript variable, but this means I'll only use AJAX-style web page definition (no reloads).

If possible, I would love to have some clarifications on the user agent flow security definition. As far as I've searched on the web, several projects do not use it because they think "it's not secure", so I would love to understand more about it.

On Thu, Dec 2, 2010 at 8:35 AM, Mike Jones <michael.jo...@microsoft.com> wrote:

> Draft -01 of the OAuth 2.0 Bearer Token specification is now available. This version is intended to accompany OAuth 2.0 draft -11 <http://www.ietf.org/internet-drafts/draft-ietf-oauth-v2-11.txt>. This draft is based upon the September 3rd preliminary OAuth 2.0 draft by Eran Hammer-Lahav, with input from David Recordon and several others. It includes an extensive Security Considerations section, for which Hannes Tschofenig gets significant credit.
>
> The draft is available at these locations:
>
> http://www.ietf.org/internet-drafts/draft-ietf-oauth-v2-bearer-01.txt
> http://www.ietf.org/internet-drafts/draft-ietf-oauth-v2-bearer-01.xml
> http://self-issued.info/docs/draft-ietf-oauth-v2-bearer-01.html
> http://self-issued.info/docs/draft-ietf-oauth-v2-bearer-01.txt
> http://self-issued.info/docs/draft-ietf-oauth-v2-bearer-01.xml
> http://svn.openid.net/repos/specifications/oauth/2.0/ (Subversion repository, with html, txt, and html versions available)
>
> If any of you believe that you should be added to the Acknowledgments in Appendix A, please drop me a note and I'll be glad to add you.
>
> -- Mike
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

-- Andrea Reginato
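As an added illustration of the client-side handling the message above is asking about (this is example code, not from the thread or the draft): read the fragment-delivered bearer token once, scrub it from the address bar so it does not linger in history, and hold it only in memory rather than in a cookie. The `createTokenHolder(win)` helper and the use of the `access_token`, `token_type`, `expires_in` and `state` fragment fields are my assumptions about the user-agent flow response.

```javascript
// Added example: handling a bearer token that the OAuth 2.0 user-agent flow
// returns in the URL fragment. Assumes the fragment carries access_token,
// token_type and expires_in (plus an optional state) as form-encoded pairs.

// Parse "#a=1&b=2" (leading '#' optional) into an object of decoded fields.
function parseFragment(fragment) {
  const raw = fragment.startsWith('#') ? fragment.slice(1) : fragment;
  const out = {};
  for (const pair of raw.split('&')) {
    if (!pair) continue;
    const idx = pair.indexOf('=');
    const key = decodeURIComponent(idx === -1 ? pair : pair.slice(0, idx));
    out[key] = idx === -1 ? '' : decodeURIComponent(pair.slice(idx + 1));
  }
  return out;
}

// Accept only a bearer token; compute an absolute expiry from expires_in.
// Returns null when the fragment has no usable token (e.g. an error reply).
function extractBearerToken(fragment, now = Date.now()) {
  const p = parseFragment(fragment);
  if (!p.access_token) return null;
  if ((p.token_type || '').toLowerCase() !== 'bearer') return null;
  const ttl = Number(p.expires_in);
  const expiresAt = Number.isFinite(ttl) && ttl > 0 ? now + ttl * 1000 : null;
  return { token: p.access_token, expiresAt, state: p.state || null };
}

// Keep the token in a closure (memory only, no cookie or localStorage) and
// replace the current history entry so the fragment leaves the address bar.
// `win` is the window object (passed in so the logic can be exercised offline).
function createTokenHolder(win) {
  let current = null;
  return {
    captureFromLocation() {
      current = extractBearerToken(win.location.hash);
      if (current && win.history && win.history.replaceState) {
        const clean = win.location.pathname + win.location.search;
        win.history.replaceState(null, '', clean);
      }
      return current !== null;
    },
    // Value for the Authorization header, or null once the token has expired.
    authorizationHeader(now = Date.now()) {
      if (!current) return null;
      if (current.expiresAt !== null && now >= current.expiresAt) return null;
      return 'Bearer ' + current.token;
    },
  };
}
```

Requests that need the token then read `authorizationHeader()` at call time, so an expired token is never sent and nothing about it survives a page reload.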