How does it make recovery easier? Why is revoking a refresh token any harder than changing the client secret?

As for the assertion grant type, where is it specified that the refresh token is bound to the private keys used to produce the assertion used to obtain the refresh token in the first place?

EHL

From: Brian Eaton [mailto:bea...@google.com]
Sent: Wednesday, June 15, 2011 5:33 PM
To: Eran Hammer-Lahav
Cc: Brian Campbell; OAuth WG
Subject: Re: [OAUTH-WG] Client authentication requirement

> On Wed, Jun 15, 2011 at 5:27 PM, Eran Hammer-Lahav <e...@hueniverse.com> wrote:
>
>> So basically, it is authentication on top of bearer credentials to achieve another level of security. Are we just assuming that stealing the refresh token will be harder than stealing the client credentials? Seems a bit optimistic. Both client secret and refresh token are sent in plain text over TLS during the same client-server interaction. If there is a problem with TLS, both secrets are exposed. The client is more likely to store its client secret in source code or local storage because it rarely changes, as opposed to storing the refresh token in some other cache or database. I can't figure out which one will be harder to steal.
>>
>> What attack vector does requiring client authentication when using the refresh token protect against?
>
> Requiring client authentication doesn't defend against attacks directly; it makes recovery after a successful attack easier.
>
> If you use the assertion profiles for OAuth2, then it also binds the refresh token to private keys that are much easier to store securely than client secrets.
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
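The recovery argument in the exchange above, as an added illustration that is not part of the thread or of any real authorization server: a minimal, hypothetical token endpoint (names and storage are constructed here) that requires client authentication before honoring a refresh token and binds each refresh token to the client it was issued to, so that rotating one client secret is enough to stop a leaked refresh token from being used, without revoking outstanding tokens one at a time.

```python
import hashlib
import hmac
import secrets


class TokenEndpoint:
    """Hypothetical authorization server core for the refresh_token grant."""

    def __init__(self):
        self.clients = {}         # client_id -> sha256 digest of its secret
        self.refresh_tokens = {}  # refresh token -> client_id it was issued to

    @staticmethod
    def _digest(secret):
        return hashlib.sha256(secret.encode()).digest()

    def register_client(self, client_id, client_secret):
        self.clients[client_id] = self._digest(client_secret)

    def rotate_secret(self, client_id, new_secret):
        # Recovery step: one server-side change, no per-token cleanup needed.
        self.clients[client_id] = self._digest(new_secret)

    def issue_refresh_token(self, client_id):
        token = secrets.token_urlsafe(32)
        self.refresh_tokens[token] = client_id
        return token

    def refresh(self, client_id, client_secret, refresh_token):
        """Return a new access token, or None if the request is rejected."""
        expected = self.clients.get(client_id)
        if expected is None or not hmac.compare_digest(expected, self._digest(client_secret)):
            return None  # invalid_client: authentication failed
        if self.refresh_tokens.get(refresh_token) != client_id:
            return None  # invalid_grant: unknown token or issued to another client
        return secrets.token_urlsafe(16)


def demo():
    """Stolen refresh token + stale secret is useless after secret rotation."""
    srv = TokenEndpoint()
    srv.register_client("app", "s3cret")
    srv.register_client("other", "other-secret")
    rt = srv.issue_refresh_token("app")
    before = srv.refresh("app", "s3cret", rt) is not None
    wrong_client = srv.refresh("other", "other-secret", rt) is None
    srv.rotate_secret("app", "new-s3cret")
    stale = srv.refresh("app", "s3cret", rt) is None
    legit = srv.refresh("app", "new-s3cret", rt) is not None
    return before, wrong_client, stale, legit
```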