It's a OAuth2-Bearer security consideration not OAuth generally 2011/10/31 William Mills <wmi...@yahoo-inc.com>
> Yeah, there's a punt here... I believe it's recognizing that people will > in fact use bearer tokens on a plaintext channel, the slight mitigation > being shorter lifespan of the token. > > ------------------------------ > *From:* Dan Taflin <dan.taf...@gettyimages.com> > *To:* Marco De Nadai <denad...@gmail.com>; "oauth@ietf.org" < > oauth@ietf.org> > *Sent:* Monday, October 31, 2011 8:54 AM > *Subject:* Re: [OAUTH-WG] Security Considerations - Access Tokens > > To be consistent, section 10.3 should probably specify that the > requirement of confidentiality in transit applies specifically to BEARER > tokens. > > I would like to see this relaxed further though, as I argued last week, to > accommodate situations where a token is scoped to a limited set of data > that isn’t particularly sensitive. My example was image search. It seems > too restrictive to require TLS for an operation that does nothing more than > what anyone could do by pointing a browser at our web site. Http cookies > can be specified as either requiring or not requiring secure transport; it > seems reasonable to allow the same option for bearer tokens, which fulfill > an analogous role. > > Dan > > *From:* Marco De Nadai [mailto:denad...@gmail.com] > *Sent:* Sunday, October 30, 2011 9:44 AM > *To:* oauth@ietf.org > *Subject:* [OAUTH-WG] Security Considerations - Access Tokens > > Hi all, > > i've recently noticed that in OAuth 2.0 draft 22, in the section 10.3 > there is this statment: > > Access token (as well as any access token type-specific attributes) MUST > be kept confidential in transit and storage, and only shared among the > authorization server, the resource servers the access token is valid for, > and the client to whom the access token is issued. > > BUT in OAuth 2.0 draft 22 with Authorization Code and MAC Access > Authentication, I can request a resource with Access Token sent in clear. > This invalidates the "Access token (as well as any access token > type-specific attributes) MUST be kept confidential in transit and storage". > > Is it my error? > > -- > *Marco De Nadai* > > http://www.marcodena.it/?utm_source=email&utm_medium=email&utm_campaign=Email%2Bpersonali > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > > -- *Marco De Nadai* http://www.marcodena.it/<http://www.marcodena.it/?utm_source=email&utm_medium=email&utm_campaign=Email%2Bpersonali>
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
