On 24.04.2012 13:46, internet-dra...@ietf.org wrote:
A New Internet-Draft is available from the on-line Internet-Drafts
directories. This draft is a work item of the Web Authorization
Protocol Working Group of the IETF.

        Title           : The OAuth 2.0 Authorization Protocol: Bearer Tokens
        Author(s)       : Michael B. Jones
                          Dick Hardt
                          David Recordon
        Filename        : draft-ietf-oauth-v2-bearer-19.txt
        Pages           : 24
        Date            : 2012-04-23

   This specification describes how to use bearer tokens in HTTP
   requests to access OAuth 2.0 protected resources.  Any party in
   possession of a bearer token (a "bearer") can use it to get access to
   the associated resources (without demonstrating possession of a
   cryptographic key).  To prevent misuse, bearer tokens need to be
   protected from disclosure in storage and in transport.


A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-oauth-v2-bearer-19.txt



The section 2.3 (URL Query Parameter) text is still lacking explicit and specific security requirements. The overarching TLS requirement is good in general, but insufficient in the presence of HTTP intermediaries on the TLS connection path as is becoming a common practice.

The upcoming HTTPbis specs document this issue as a requirement for new auth schemes such as Bearer:

http://tools.ietf.org/html/draft-ietf-httpbis-p7-auth-19#section-2.3.1
"
      Therefore, new authentication schemes which choose not to carry
      credentials in the Authorization header (e.g., using a newly
      defined header) will need to explicitly disallow caching, by
      mandating the use of either Cache-Control request directives
      (e.g., "no-store") or response directives (e.g., "private").
"


AYJ

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

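The following is an added illustration of the point raised in the mail above; it is not code from the draft, the working group, or the poster. It models a protected resource that accepts a bearer token either in the Authorization header or as the section 2.3 `access_token` query parameter, applies the HTTPbis rule quoted in the mail (credentials carried outside Authorization need a request `no-store` or a response `private` directive), and includes a client helper that sends `no-store` when it uses the query form. The token store, the `/r` path, and the token value are constructed for the example; the handler is a plain function, not a network server.

```python
"""Bearer token in the URI query vs. the Authorization header, and the
Cache-Control directives that keep a shared cache on the TLS path from
storing the token or the response. Added example; names are assumptions."""
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, quote, urlsplit

Headers = Dict[str, str]

# Constructed token store for the example: token -> subject.
VALID_TOKENS = {"mF_9.B5f-4.1JqM": "alice"}


def _get(headers: Headers, name: str) -> str:
    """Case-insensitive header lookup (HTTP field names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def _directives(value: str) -> set:
    """Split a Cache-Control field value into lower-cased directive names."""
    names = set()
    for part in value.split(","):
        name = part.strip().split("=", 1)[0].strip().lower()
        if name:
            names.add(name)
    return names


def bearer_from_request(target: str, headers: Headers) -> Tuple[Optional[str], str]:
    """Return (token, where) with where in {"header", "query", "none"}.
    The Authorization header wins; the access_token query parameter is the
    draft's section 2.3 form."""
    auth = _get(headers, "Authorization")
    if auth[:7].lower() == "bearer ":
        return auth[7:].strip(), "header"
    query = parse_qs(urlsplit(target).query)
    if "access_token" in query:
        return query["access_token"][0], "query"
    return None, "none"


def is_cache_safe(where: str, req_headers: Headers, resp_headers: Headers) -> bool:
    """The HTTPbis rule: credentials outside the Authorization header need a
    request 'no-store' or a response 'private' directive. Requests that use
    Authorization already get HTTP's default shared-cache protection, so
    nothing extra is required for them."""
    if where != "query":
        return True
    req = _directives(_get(req_headers, "Cache-Control"))
    resp = _directives(_get(resp_headers, "Cache-Control"))
    return "no-store" in req or "private" in resp


def handle(target: str, req_headers: Headers) -> Tuple[int, Headers, bytes]:
    """Minimal protected-resource handler: (status, headers, body)."""
    token, where = bearer_from_request(target, req_headers)
    if token is None:
        return 401, {"WWW-Authenticate": 'Bearer realm="example"'}, b""
    subject = VALID_TOKENS.get(token)
    if subject is None:
        return 401, {"WWW-Authenticate": 'Bearer realm="example", error="invalid_token"'}, b""
    resp_headers: Headers = {"Content-Type": "text/plain"}
    if where == "query":
        # The token is part of the request-target and hence of any cache key.
        # Mark the response so an intermediary will not retain it, whether or
        # not the client remembered to send no-store.
        resp_headers["Cache-Control"] = "private, no-store"
    assert is_cache_safe(where, req_headers, resp_headers)
    return 200, resp_headers, f"hello {subject}".encode()


def client_request(token: str, path: str, in_query: bool) -> Tuple[str, Headers]:
    """Build (request-target, headers). The query form carries the
    'no-store' request directive the draft asks for; the header form does not
    need it."""
    if in_query:
        return f"{path}?access_token={quote(token, safe='')}", {"Cache-Control": "no-store"}
    return path, {"Authorization": f"Bearer {token}"}


if __name__ == "__main__":
    for in_query in (False, True):
        target, headers = client_request("mF_9.B5f-4.1JqM", "/r", in_query)
        print(target, headers, handle(target, headers))
```

Note that `is_cache_safe` passes as soon as either side supplies its directive, which is exactly the "either ... or" wording of the HTTPbis text; a resource server that wants the guarantee regardless of client behaviour sets `private` (and here also `no-store`) itself, as `handle` does.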