Hi all,

I've recently noticed that in OAuth 2.0 draft 22, in Section 10.3, there
is this statement:
Access token (as well as any access token type-specific attributes) MUST be
kept confidential in transit and storage, and only shared among the
authorization server, the resource servers the access token is valid for,
and the client to whom the access token is issued.

BUT in OAuth 2.0 draft 22 with Authorization Code and MAC Access
Authentication, I can request a resource with the Access Token sent in the clear.
This invalidates the "Access token (as well as any access token
type-specific attributes) MUST be kept confidential in transit and storage".

Is it my error?

-- 
*Marco De Nadai*
http://www.marcodena.it/
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

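An added illustration, not part of the original message, of how a MAC-authenticated request is built and checked: the token identifier does travel in the Authorization header, but the MAC key that proves possession is shared out of band and never transmitted. The normalized-string element order is assumed from draft-ietf-oauth-v2-http-mac, and all credentials and request values are constructed sample data.

```python
import base64
import hashlib
import hmac

# Constructed sample credentials. The id is sent with every request; the key is
# delivered by the authorization server out of band and must stay confidential.
TOKEN_ID = "h480djs93hd8"
MAC_KEY = b"8yfrufh348h"  # constructed; known only to client and resource server


def normalized_request_string(ts, nonce, method, uri, host, port, ext=""):
    # Element order assumed from draft-ietf-oauth-v2-http-mac; each ends with %x0A.
    parts = [str(ts), nonce, method.upper(), uri, host.lower(), str(port), ext]
    return "\n".join(parts) + "\n"


def compute_mac(key, normalized):
    # hmac-sha-256 over the normalized string, base64-encoded as the draft specifies
    digest = hmac.new(key, normalized.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def build_authorization_header(token_id, key, ts, nonce, method, uri, host, port, ext=""):
    # Client side: only id, ts, nonce and the resulting mac appear on the wire.
    mac = compute_mac(key, normalized_request_string(ts, nonce, method, uri, host, port, ext))
    return f'MAC id="{token_id}", ts="{ts}", nonce="{nonce}", mac="{mac}"'


def parse_authorization_header(header):
    scheme, _, params = header.partition(" ")
    if scheme != "MAC":
        return None
    out = {}
    for part in params.split(", "):
        k, _, v = part.partition("=")
        out[k] = v.strip('"')
    return out


def verify_request(header, key_lookup, method, uri, host, port, ext=""):
    # Resource server side: look up the key by id and recompute over the request actually received.
    params = parse_authorization_header(header)
    if params is None or not {"id", "ts", "nonce", "mac"} <= params.keys():
        return False
    key = key_lookup(params["id"])
    if key is None:
        return False
    expected = compute_mac(key, normalized_request_string(
        params["ts"], params["nonce"], method, uri, host, port, ext))
    return hmac.compare_digest(expected, params["mac"])


def demo():
    lookup = lambda i: MAC_KEY if i == TOKEN_ID else None
    header = build_authorization_header(TOKEN_ID, MAC_KEY, 1336363200, "dj83hs9s",
                                        "GET", "/resource/1?b=1", "example.com", 80)
    ok = verify_request(header, lookup, "GET", "/resource/1?b=1", "example.com", 80)
    replayed_elsewhere = verify_request(header, lookup, "GET", "/resource/2", "example.com", 80)
    return header, ok, replayed_elsewhere
```

Observing the header confirms the token id is visible in transit while the key is not, and a header lifted from one request does not verify for a different URI.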