> -----Original Message-----
> From: Brian Eaton [mailto:bea...@google.com]
> Sent: Wednesday, June 15, 2011 1:53 PM
>
> > But I have no idea why we need client authentication for using a refresh
> > token?
>
> This is covered here:
> http://www.ietf.org/mail-archive/web/oauth/current/msg06362.html.

So basically, it is authentication on top of bearer credentials to achieve another level of security. Are we just assuming that stealing the refresh token will be harder than stealing the client credentials? Seems a bit optimistic.

Both client secret and refresh token are sent in plain text over TLS during the same client-server interaction. If there is a problem with TLS, both secrets are exposed. The client is more likely to store its client secret in source code or local storage because it rarely changes, as opposed to storing the refresh token in some other cache or database. I can't figure out which one will be harder to steal.

What attack vector does requiring client authentication when using the refresh token protect against?

EHL

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
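To make the mechanism under discussion concrete, the following is an added example (not part of the thread or of any IETF text) of a token endpoint handling the refresh_token grant with client authentication, modelled on what RFC 6749 section 6 later specified: the client must authenticate, and the refresh token must have been issued to that same client. The client registry, secrets and in-memory token store are constructed for the example.

```python
import hmac
import secrets

# Constructed client registry for the example: client_id -> client_secret.
CLIENTS = {
    "client-a": "secret-a",
    "client-b": "secret-b",
}

# Issued refresh tokens, each recorded against the client it was issued to.
REFRESH_TOKENS: dict[str, str] = {}


def issue_refresh_token(client_id: str) -> str:
    """Mint an opaque refresh token and bind it to the issuing client."""
    token = secrets.token_urlsafe(32)
    REFRESH_TOKENS[token] = client_id
    return token


def authenticate_client(client_id: str, client_secret: str) -> bool:
    """Verify client credentials using a constant-time comparison."""
    expected = CLIENTS.get(client_id)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), client_secret.encode())


def refresh_grant(params: dict) -> dict:
    """Handle grant_type=refresh_token at the token endpoint.

    Two independent checks are applied: the client must authenticate, and the
    presented refresh token must have been issued to that authenticated client.
    A refresh token on its own, or one presented by a different registered
    client with valid credentials, is therefore rejected.
    """
    if params.get("grant_type") != "refresh_token":
        return {"error": "unsupported_grant_type"}
    client_id = params.get("client_id", "")
    if not authenticate_client(client_id, params.get("client_secret", "")):
        return {"error": "invalid_client"}
    bound_client = REFRESH_TOKENS.get(params.get("refresh_token", ""))
    if bound_client is None or bound_client != client_id:
        return {"error": "invalid_grant"}
    # Both checks passed: issue a fresh short-lived bearer access token.
    return {"access_token": secrets.token_urlsafe(16),
            "token_type": "bearer", "expires_in": 3600}
```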