makes sense.
regards,
Torsten.
On 16.01.2012 20:00, Eran Hammer wrote:
Added the word 'credentials' (e.g. "Access token credentials (as well
as...") to make this clearer. IOW, when using MAC tokens, the token
secret is the part that must be protected, not the token id.
EHL
From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Marco De Nadai
Sent: Sunday, October 30, 2011 9:44 AM
To: oauth@ietf.org
Subject: [OAUTH-WG] Security Considerations - Access Tokens
Hi all,
I've recently noticed that in OAuth 2.0 draft 22, in section 10.3,
there is this statement:
Access token (as well as any access token type-specific
attributes) MUST be kept confidential in transit and storage, and only
shared among the authorization server, the resource servers the access
token is valid for, and the client to whom the access token is issued.
BUT in OAuth 2.0 draft 22 with Authorization Code and MAC Access
Authentication, I can request a resource with the Access Token sent in
the clear. This invalidates the "Access token (as well as any access token
type-specific attributes) MUST be kept confidential in transit and
storage".
Is it my error?
--
*Marco De Nadai*
http://www.marcodena.it/
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
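To illustrate Eran's point that with MAC tokens only the token secret needs protecting: below is an added example (not code from the thread or from the OAuth drafts) of a client signing a request with a token id and secret, and a resource server verifying it; the normalized request string, the sample credentials, the header field names and the check parameters are simplifications assumed for this illustration, not the exact wire format of the MAC draft.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed sample credentials: the id is public, the secret is the protected part.
TOKEN_STORE = {"h480djs93hd8": "489dks293j39"}

def normalized_request_string(ts, nonce, method, uri, host, port, ext=""):
    """Simplified normalized request string (assumption: mirrors the shape, not the draft's exact bytes)."""
    return "\n".join([str(ts), nonce, method.upper(), uri, host.lower(), str(port), ext]) + "\n"

def compute_mac(secret, ts, nonce, method, uri, host, port, ext=""):
    msg = normalized_request_string(ts, nonce, method, uri, host, port, ext).encode()
    return base64.b64encode(hmac.new(secret.encode(), msg, hashlib.sha256).digest()).decode()

def build_authorization_header(token_id, secret, method, uri, host, port, ts=None, nonce=None):
    """Client side: the secret is used to compute the MAC but never leaves the client."""
    ts = int(time.time()) if ts is None else ts
    nonce = secrets.token_hex(8) if nonce is None else nonce
    mac = compute_mac(secret, ts, nonce, method, uri, host, port)
    # Only id, ts, nonce and mac travel on the wire, so a passive observer sees the id in the clear.
    return f'MAC id="{token_id}", ts="{ts}", nonce="{nonce}", mac="{mac}"'

def parse_authorization_header(header):
    scheme, _, params = header.partition(" ")
    if scheme != "MAC":
        raise ValueError("not a MAC header")
    out = {}
    for part in params.split(","):
        key, _, value = part.strip().partition("=")
        out[key] = value.strip('"')
    return out

def verify_request(header, method, uri, host, port, now, seen_nonces, max_skew=300):
    """Resource server: accept only if the MAC was computed with the secret stored for this id."""
    p = parse_authorization_header(header)
    secret = TOKEN_STORE.get(p.get("id"))  # the id is just a lookup key
    if secret is None or abs(now - int(p["ts"])) > max_skew:
        return False
    if (p["id"], p["nonce"]) in seen_nonces:  # replayed header
        return False
    expected = compute_mac(secret, int(p["ts"]), p["nonce"], method, uri, host, port)
    if not hmac.compare_digest(expected, p["mac"]):
        return False
    seen_nonces.add((p["id"], p["nonce"]))
    return True
```

Knowing the id alone does not let anyone produce a valid `mac` for a different request, which is why the id may be sent in the clear while the secret must stay confidential.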