Fragments are not allowed in the HTTP request URI and are not transmitted. They are allowed in the Location header which is not an issue.
EHL

From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Andrea Reginato
Sent: Thursday, December 02, 2010 1:43 AM
To: Mike Jones
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] OAuth 2.0 Bearer Token specification draft -01

I was reading the specifications, mainly the new ones related to the security issues. One thing pointed out in the security summary is that the token should not be in the URL. So, here come some of my doubts on the user agent flow, where it is set on the URL fragment. Even more, if working only on the client side, I suppose I should save the token somewhere, and a secure cookie should be the option. There should also be the possibility to save it in a JavaScript variable, but this means I'll only use AJAX-style web page definition (no reloads). If possible, I would love to have some clarifications on the user agent flow security definition. As far as I've searched on the web, several projects do not use it because they think "it's not secure", so I would love to understand more about it.

On Thu, Dec 2, 2010 at 8:35 AM, Mike Jones <michael.jo...@microsoft.com> wrote:

Draft -01 of the OAuth 2.0 Bearer Token specification is now available. This version is intended to accompany OAuth 2.0 draft -11 <http://www.ietf.org/internet-drafts/draft-ietf-oauth-v2-11.txt>. This draft is based upon the September 3rd preliminary OAuth 2.0 draft by Eran Hammer-Lahav, with input from David Recordon and several others. It includes an extensive Security Considerations section, for which Hannes Tschofenig gets significant credit.
The draft is available at these locations:

http://www.ietf.org/internet-drafts/draft-ietf-oauth-v2-bearer-01.txt
http://www.ietf.org/internet-drafts/draft-ietf-oauth-v2-bearer-01.xml
http://self-issued.info/docs/draft-ietf-oauth-v2-bearer-01.html
http://self-issued.info/docs/draft-ietf-oauth-v2-bearer-01.txt
http://self-issued.info/docs/draft-ietf-oauth-v2-bearer-01.xml
http://svn.openid.net/repos/specifications/oauth/2.0/ (Subversion repository, with html, txt, and html versions available)

If any of you believe that you should be added to the Acknowledgments in Appendix A, please drop me a note and I'll be glad to add you.

-- Mike

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

-- Andrea Reginato
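The point made in the reply above (a fragment is never sent in the HTTP request, but may appear in a Location header) illustrated as an added example, not code from the thread or from any OAuth implementation. It assumes Node.js 18 or newer for the WHATWG URL API; the redirect URI, state and token values are constructed for illustration.

```javascript
// Added example: why a bearer token delivered in the URL fragment by the
// user-agent (implicit) flow never reaches the redirect-URI server, while a
// token in the query string would. Assumes Node.js 18+ (WHATWG URL API).
// All URLs, state and token values below are constructed placeholders.

// The request-target a browser writes on the request line: path plus query.
// The fragment is kept client-side and is not transmitted (RFC 3986 / HTTP).
function requestTarget(redirectUrl) {
  const url = new URL(redirectUrl);
  return url.pathname + url.search;
}

// What a script running at the redirect URI can recover from the fragment:
// the implicit-grant response parameters, encoded like a query string.
function parseFragmentToken(redirectUrl) {
  const url = new URL(redirectUrl);
  if (!url.hash) return null;
  const params = new URLSearchParams(url.hash.slice(1));
  const token = params.get('access_token');
  if (token === null) return null;
  return {
    access_token: token,
    token_type: params.get('token_type'),
    expires_in: params.has('expires_in') ? Number(params.get('expires_in')) : null,
    state: params.get('state'),
  };
}

// The Location header value an authorization server would send back for the
// user-agent flow: the registered redirect URI with the token in the fragment.
// Fragments are permitted in Location, which is where the token travels.
function buildImplicitRedirect(redirectUri, token, state) {
  const url = new URL(redirectUri);
  const frag = new URLSearchParams({ access_token: token, token_type: 'bearer', expires_in: '3600' });
  if (state) frag.set('state', state);
  url.hash = frag.toString();
  return url.href;
}

if (typeof require !== 'undefined' && require.main === module) {
  const loc = buildImplicitRedirect('https://client.example/cb?page=1', 'CONSTRUCTED_TOKEN', 'xyz');
  console.log('Location:', loc);
  console.log('request-target seen by server:', requestTarget(loc));
  console.log('token recovered by page script:', parseFragmentToken(loc));
  // A token placed in the query instead would be part of the request-target:
  console.log(requestTarget('https://client.example/cb?access_token=CONSTRUCTED_TOKEN'));
}
```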