Hi Torsten,
> > The attacker will not get the access and refresh tokens
> > without the client_id, but doesn't need to.
>
> whether this is an obstacle mainly depends on whether a
> client secret is associated with this client_id.
You're right, I meant to say client_secret, not client_id.
> ...
Hi Francisco,
On 22.02.2011 06:57, Francisco Corella wrote:
Hi Torsten,
> 4.4.1.2. Threat: Eavesdropping authorization codes
>
> The OAuth specification does not describe any mechanism for
> protecting authorization codes from eavesdroppers when they are
> transmitted from the Service Provid
edt; OAuth WG
*Subject:* Re: [OAUTH-WG] Fwd: New Version Notification for
draft-lodderstedt-oauth-security-00
On Sun, Feb 20, 2011 at 3:47 PM, Eran Hammer-Lahav
<e...@hueniverse.com> wrote:
How do you envision this being incorporated into v2? Just section
5 or the entire d
nt: Monday, February 21, 2011 9:36 PM
To: Eran Hammer-Lahav
Cc: Torsten Lodderstedt; OAuth WG
Subject: Re: [OAUTH-WG] Fwd: New Version Notification for
draft-lodderstedt-oauth-security-00
On Sun, Feb 20, 2011 at 3:47 PM, Eran Hammer-Lahav
<e...@hueniverse.com> wrote:
How do you env
Hi Torsten,
> 4.4.1.2. Threat: Eavesdropping authorization codes
>
> The OAuth specification does not describe any mechanism for
> protecting authorization codes from eavesdroppers when they are
> transmitted from the Service Provider to the Client and where the
> Service Provider Grants an Acce
On Sun, Feb 20, 2011 at 3:47 PM, Eran Hammer-Lahav wrote:
> How do you envision this being incorporated into v2? Just section 5 or the
> entire document?
>
My two cents: rather than dedicating a single section of the core doc to
security considerations, smaller sections should be added to individ
-WG] Fwd: New Version Notification for
draft-lodderstedt-oauth-security-00
Hi all,
on behalf of Mark, Phil and myself I just submitted the OAuth 2.0 security
document. This document gives security considerations based on a comprehensive
threat model for the OAuth 2.0 Protocol. It is intended for
Hi all,
on behalf of Mark, Phil and myself I just submitted the OAuth 2.0
security document. This document gives security considerations based on
a comprehensive
threat model for the OAuth 2.0 Protocol. It is intended for multiple
purposes:
1) It shall be the foundation of the core draft's s