Added the word 'credentials' (e.g. "Access token credentials (as well as...") 
to make this clearer. IOW, when using MAC tokens, the token secret is the part 
that must be protected, not the token id.

EHL

From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Marco 
De Nadai
Sent: Sunday, October 30, 2011 9:44 AM
To: oauth@ietf.org
Subject: [OAUTH-WG] Security Considerations - Access Tokens

Hi all,

I've recently noticed that in OAuth 2.0 draft 22, in section 10.3 there is 
this statement:

Access token (as well as any access token type-specific attributes) MUST be 
kept confidential in transit and storage, and only shared among the 
authorization server, the resource servers the access token is valid for, and 
the client to whom the access token is issued.

BUT in OAuth 2.0 draft 22 with Authorization Code and MAC Access 
Authentication, I can request a resource with Access Token sent in clear. This 
invalidates the "Access token (as well as any access token type-specific 
attributes) MUST be kept confidential in transit and storage".

Is it my error?

--
Marco De Nadai
http://www.marcodena.it/<http://www.marcodena.it/?utm_source=email&utm_medium=email&utm_campaign=Email%2Bpersonali>

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
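To make the distinction in the reply concrete, here is an added Python example (not from the thread or from any OAuth draft) of a MAC-token request and its verification: the token id, timestamp, nonce and MAC travel in the clear, while the token secret is held only by the client and the resource server and never leaves either. The sample id and secret are constructed, and the normalized-request layout follows the structure of the MAC draft as an assumption rather than a byte-exact implementation of one draft revision.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed sample MAC credentials: the id travels in the clear, the key never does.
TOKEN_ID = "h480djs93hd8"
TOKEN_KEY = b"constructed-sample-secret-key-do-not-reuse"

SERVER_KEYS = {TOKEN_ID: TOKEN_KEY}   # resource server: secrets looked up by token id
SEEN_NONCES = set()                   # accepted (id, ts, nonce) tuples, for replay detection

def normalized_request_string(ts, nonce, method, request_uri, host, port, ext=""):
    """Request elements joined in the order the MAC draft uses (assumed layout)."""
    parts = [str(ts), nonce, method.upper(), request_uri, host.lower(), str(port), ext]
    return "\n".join(parts) + "\n"

def compute_mac(key, ts, nonce, method, request_uri, host, port, ext=""):
    msg = normalized_request_string(ts, nonce, method, request_uri, host, port, ext)
    return base64.b64encode(hmac.new(key, msg.encode(), hashlib.sha256).digest()).decode()

def build_authorization_header(token_id, key, method, request_uri, host, port,
                               ts=None, nonce=None):
    """Client side: only id, ts, nonce and the MAC leave the client; the key does not."""
    ts = int(time.time()) if ts is None else ts
    nonce = nonce or secrets.token_hex(8)
    mac = compute_mac(key, ts, nonce, method, request_uri, host, port)
    return f'MAC id="{token_id}", ts="{ts}", nonce="{nonce}", mac="{mac}"'

def parse_authorization_header(header):
    scheme, _, params = header.partition(" ")
    if scheme != "MAC":
        raise ValueError("not a MAC Authorization header")
    return {k.strip(): v.strip().strip('"')
            for k, _, v in (p.partition("=") for p in params.split(","))}

def verify_request(header, method, request_uri, host, port, now, max_skew=300):
    """Resource-server side: recompute the MAC from the stored secret and compare."""
    p = parse_authorization_header(header)
    key = SERVER_KEYS.get(p.get("id"))
    if key is None or abs(now - int(p["ts"])) > max_skew:
        return False
    if (p["id"], p["ts"], p["nonce"]) in SEEN_NONCES:
        return False                      # replayed request
    expected = compute_mac(key, p["ts"], p["nonce"], method, request_uri, host, port)
    if not hmac.compare_digest(expected, p["mac"]):
        return False                      # wrong key or tampered request elements
    SEEN_NONCES.add((p["id"], p["ts"], p["nonce"]))
    return True
```

Because the resource server recomputes the MAC from its own copy of the secret, an observer who captures the header gets the id but cannot sign a different request or replay the captured one.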