Could we make Mishra's suggestion simpler? Example:
For public clients using implicit flows, this specification does not
provide any method for the client to determine that an access token was
issued to its current instance.
I'm not sure if it is explicit enough, nor am I convinced about "instance
It is true that an AS cannot tell what instance of a native client it is issuing
a token to via the redirect URI.
10.16 is only talking about an attack on the client based on a lack of audience
information.
If there is a security consideration around AS differentiating between
instances of pub
Agreed.
On Tuesday, February 4, 2014 8:17 AM, Dick Hardt wrote:
This change is appropriate and reflects the intent of the statement.
On Tue, Feb 4, 2014 at 8:13 AM, RFC Errata System wrote:
The following errata report has been submitted for RFC6749,
> "The OAuth 2.0 Authorization Framewo
Well, the proposed correction does point to a genuine security hazard
Specifically, when client instances share the same redirect URI,
typically mobile clients
this is independent of whether implicit or code flows are used
It is only injective clients - each of whose instances bind to unique
My bad, sorry.
On Tue, Feb 4, 2014 at 8:58 AM, Phil Hunt wrote:
> +1
>
> Phil
>
> > On Feb 4, 2014, at 8:33, John Bradley wrote:
> >
> > The text in 10.16 is correct.
> >
> > This is a security consideration that has caused serious problems for
> Facebook and other implementers.
> >
> > In the
+1
Phil
> On Feb 4, 2014, at 8:33, John Bradley wrote:
>
> The text in 10.16 is correct.
>
> This is a security consideration that has caused serious problems for
> Facebook and other implementers.
>
> In the Implicit flow there is no way for a client to know if an access token
> was issued
The text in 10.16 is correct.
This is a security consideration that has caused serious problems for Facebook
and other implementers.
In the Implicit flow there is no way for a client to know if an access token was
issued to it or another client.
The UA presenting the access token in an implicit
This change is appropriate and reflects the intent of the statement.
On Tue, Feb 4, 2014 at 8:13 AM, RFC Errata System wrote:
> The following errata report has been submitted for RFC6749,
> "The OAuth 2.0 Authorization Framework".
>
> --
> You may review the