To be consistent, section 10.3 should probably specify that the requirement of confidentiality in transit applies specifically to BEARER tokens.
I would like to see this relaxed further though, as I argued last week, to accommodate situations where a token is scoped to a limited set of data that isn't particularly sensitive. My example was image search. It seems too restrictive to require TLS for an operation that does nothing more than what anyone could do by pointing a browser at our web site. HTTP cookies can be specified as either requiring or not requiring secure transport; it seems reasonable to allow the same option for bearer tokens, which fulfill an analogous role.

Dan

From: Marco De Nadai [mailto:denad...@gmail.com]
Sent: Sunday, October 30, 2011 9:44 AM
To: oauth@ietf.org
Subject: [OAUTH-WG] Security Considerations - Access Tokens

Hi all,

I've recently noticed that in OAuth 2.0 draft 22, in section 10.3 there is this statement:

Access token (as well as any access token type-specific attributes) MUST be kept confidential in transit and storage, and only shared among the authorization server, the resource servers the access token is valid for, and the client to whom the access token is issued.

BUT in OAuth 2.0 draft 22 with Authorization Code and MAC Access Authentication, I can request a resource with the Access Token sent in the clear. This invalidates the "Access token (as well as any access token type-specific attributes) MUST be kept confidential in transit and storage". Is it my error?

--
Marco De Nadai
http://www.marcodena.it/
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
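An added illustration, not part of the thread, of the distinction the two messages turn on: a MAC-style token is an identifier plus a key, and only the identifier and an HMAC over the request go on the wire, so the resource server can verify it without the key ever being exposed in transit, whereas a bearer token is the credential itself and needs the same kind of transport check as a cookie carrying the Secure flag. The normalized-string layout below is a simplified stand-in for the MAC draft's, and every credential is a constructed sample value.

```python
import base64, hashlib, hmac, re
from urllib.parse import urlsplit

# Constructed demo credentials (not real tokens). A bearer token is the secret
# itself; a MAC token is an identifier plus a key that never goes on the wire.
BEARER_TOKENS = {"mF_9.B5f-4.1JqM"}
MAC_KEYS = {"h480djs93hd8": "adiFy17XkFi8s"}

def normalized_request(ts, nonce, method, url, ext=""):
    """Simplified stand-in for the MAC draft's normalized request string (assumption)."""
    u = urlsplit(url)
    port = u.port or (443 if u.scheme == "https" else 80)
    path = u.path + (f"?{u.query}" if u.query else "")
    return f"{ts}\n{nonce}\n{method.upper()}\n{path}\n{u.hostname}\n{port}\n{ext}\n"

def mac_signature(key, ts, nonce, method, url):
    msg = normalized_request(ts, nonce, method, url).encode()
    return base64.b64encode(hmac.new(key.encode(), msg, hashlib.sha256).digest()).decode()

def mac_header(mac_id, key, method, url, ts, nonce):
    """Client side: sign the request with the key, transmit only id + signature."""
    sig = mac_signature(key, ts, nonce, method, url)
    return f'MAC id="{mac_id}", ts="{ts}", nonce="{nonce}", mac="{sig}"'

def verify_request(auth_header, method, url, tls, now, seen_nonces, skew=300):
    """Resource-server check; True only if the request should be served."""
    scheme, _, params = auth_header.partition(" ")
    if scheme == "Bearer":
        # The token is the credential: like a cookie with the Secure flag,
        # accept it only when it arrived over a protected channel.
        return bool(tls) and params.strip() in BEARER_TOKENS
    if scheme != "MAC":
        return False
    p = dict(re.findall(r'(\w+)="([^"]*)"', params))
    if not {"id", "ts", "nonce", "mac"} <= p.keys() or not p["ts"].isdigit():
        return False
    key = MAC_KEYS.get(p["id"])
    # Unknown id, stale timestamp, or a nonce already seen (replay) all fail.
    if key is None or abs(now - int(p["ts"])) > skew or (p["id"], p["nonce"]) in seen_nonces:
        return False
    expected = mac_signature(key, p["ts"], p["nonce"], method, url)
    if not hmac.compare_digest(expected, p["mac"]):
        return False
    seen_nonces.add((p["id"], p["nonce"]))
    return True
```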