A http redirect_uri that doesn’t address localhost is a security risk. Requiring https is a solution, but with a cost to client apps.
Using any http on the web is a security risk. Some sites use https for their login page and http for the content. That is a security risk (e.g. firesheep). Perhaps the question for OAuth2 is whether an http redirect_uri is like:

1. A site with http for everything (login page and session); or
2. A site with an https login page, but http for the rest of the session.

OAuth definitely shouldn't allow #1, but perhaps forbidding #2 is too harsh today (or perhaps not given firesheep). An http redirect_uri may be able to be treated like #2 as long as an attacker cannot use the access flowing from the authorization code beyond the attacker's current session with the client app.

-- James Manger

From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Eran Hammer-Lahav
Sent: Wednesday, 30 March 2011 6:46 AM
To: George Fletcher; fcore...@pomcor.com
Cc: oa...@core3.amsl.com; Karen P. Lewison; WG
Subject: Re: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt

As a matter of practicality, requiring all clients to deploy server-side TLS is absurd. If we mandate redirections URIs to use https, we are basically making everyone ignore it. It's like a speed limit sign of 5mph.
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
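The distinction drawn in this exchange (https redirect_uri, http redirect_uri pointing at localhost, http redirect_uri pointing at a remote host) is something an authorization server can check at client registration or at authorization time. The following is an added example, not code from the thread or from any OAuth implementation; it classifies a redirect_uri into those three cases plus an "invalid" bucket and lets the server decide whether to accept the remote-http case. The loopback IP forms (127.0.0.0/8, ::1) are an assumption about how a local redirect target is commonly written; the thread itself only says "localhost". It does not express the further condition James raises (that an attacker must not be able to use the resulting access beyond their own session), which is a policy on the token side rather than a property of the URI.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit

# Hostnames treated as the client's own machine. "localhost" is what the
# thread names; loopback IP literals are handled separately below (assumption).
LOOPBACK_HOSTS = {"localhost"}


def _is_loopback(host: str) -> bool:
    """True for 'localhost' or a loopback IP literal such as 127.0.0.1 or ::1."""
    if host in LOOPBACK_HOSTS:
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:  # not an IP literal (e.g. a DNS name)
        return False


def classify_redirect_uri(uri: str) -> str:
    """Classify a redirect_uri into one of four buckets.

    'https'         TLS-protected redirect target
    'http-loopback' plain http, but the target is the local machine
    'http-remote'   plain http to a non-local host: the authorization code
                    would travel in cleartext (the case the thread flags)
    'invalid'       not an absolute http(s) URL, or it carries a fragment
    """
    parts = urlsplit(uri)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return "invalid"
    if parts.fragment:  # a fragment is never sent to the server; reject it
        return "invalid"
    if parts.scheme == "https":
        return "https"
    # urlsplit() lowercases the host and strips IPv6 brackets for us.
    return "http-loopback" if _is_loopback(parts.hostname) else "http-remote"


def accept_redirect_uri(uri: str, allow_remote_http: bool = False) -> bool:
    """Server policy: https and loopback-http always pass; remote http passes
    only if the deployment has explicitly chosen to tolerate it."""
    kind = classify_redirect_uri(uri)
    if kind == "invalid":
        return False
    if kind == "http-remote":
        return allow_remote_http
    return True


if __name__ == "__main__":
    # Constructed sample inputs covering each bucket.
    for sample in (
        "https://app.example/cb",
        "http://localhost:8000/cb",
        "http://[::1]:8080/cb",
        "http://app.example/cb",
        "http://app.example/cb#frag",
    ):
        print(f"{sample:32} -> {classify_redirect_uri(sample)}")
```

`allow_remote_http` is the knob the two positions in the thread disagree on: leaving it False is the "require https" stance, setting it True is the "don't mandate TLS on clients" stance, and either way the server still knows which case it is looking at.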