Re: [OAUTH-WG] Reply: Re: A question of 1.3.1. Authorization Code in rfc6749 The OAuth 2.0 Authorization Framework

cspzhouroc <cspzhouroc@comp.polyu.edu.hk> Wed, 09 January 2013 07:00 UTC

Date: Wed, 09 Jan 2013 15:00:35 +0800
From: cspzhouroc <cspzhouroc@comp.polyu.edu.hk>
To: Peng Zhou <zpbrent@gmail.com>
In-Reply-To: <CABFKGseLf3=P79YmJmBQ_vt1xqb+v2RSMn6sc6WWPPGff43ing@mail.gmail.com>
References: <CAJV9qO80r93oOk-EjVukF0AUbc5-FWu8VhpVi+9WZBGzSjMrPA@mail.gmail.com> <OF09F85034.34A94363-ON48257AEE.00243414-48257AEE.002458A9@zte.com.cn> <CABFKGseLf3=P79YmJmBQ_vt1xqb+v2RSMn6sc6WWPPGff43ing@mail.gmail.com>
Message-ID: <d391ec9d197353d0374602784e237515@comp.polyu.edu.hk>
X-Sender: cspzhouroc@comp.polyu.edu.hk
User-Agent: RoundCube Webmail/10.5
Cc: oauth-bounces@ietf.org, oauth@ietf.org
Subject: Re: [OAUTH-WG] Reply: Re: A question of 1.3.1. Authorization Code in rfc6749 The OAuth 2.0 Authorization Framework

  

Yes, leakage during transmission is not a security issue. However,
this code could be exposed to the resource owner or to other applications
with access to the resource owner's user-agent.

zhou.sujing@zte.com.cn  14:51 (7 minutes ago)
To: me, cspzhouroc, oauth, oauth-bounces, Prabath

I am just guessing... expecting others to answer here.
On the other hand, the auth code being exposed to the RO does not have
security implications, as far as I know:
1. If the auth code is transported in plaintext, it should require Client
   authentication to use it.
2. If the auth code does not need Client authentication, the auth code
   could be sent encrypted.

On Wed, 9 Jan 2013 14:42:09 +0800, Peng Zhou wrote:

> Dear SuJing:
>
> If it is the only reason, why not send the authorization code to the
> client directly and send another notification, without the
> authorization code, to the RO? This way can mitigate the chance that
> the authorization code is exposed to the RO's user-agent, hence
> protecting the authorization code from leaking to possible attackers
> at a higher security level.
>
> Best Regards
> Brent
>
> 2013/1/9 :
>> Then why not let the auth code be sent directly from the AS to the Client?
>> Just want to inform the RO that an auth code has been delivered to the
>> Client?
>>
>> oauth-bounces@ietf.org wrote on 2013-01-09 14:27:50:
>> 
>>> Hi Brent,
>>>
>>> A few points on why this doesn't create any security implications:
>>> 1. The Authorization server maintains a binding to the Client who the
>>>    token was issued to. To exchange this for an Access token the client
>>>    should authenticate himself.
>>> 2. The Code can only be exchanged once for an access token.
>>>
>>> Thanks & regards,
>>> -Prabath
>> 
>>> On Wed, Jan 9, 2013 at 6:56 AM, cspzhouroc wrote:
>>>> Dear All:
>>>>
>>>> I have a question about section 1.3.1. Authorization Code in rfc6749
>>>> The OAuth 2.0 Authorization Framework. It says "which in turn directs
>>>> the resource owner back to the client with the authorization code."
>>>> Can anyone tell me the reason why the authorization code is sent to
>>>> the client through a redirection in the resource owner's user-agent?
>>>> Are there any security implications? Is it possible to let the
>>>> authorization server send the authorization code to the client
>>>> directly (not through the resource owner's user-agent)?
>>>>
>>>> Best Regards
>>>> Brent
>>>>
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>> Prabath
>>> Mobile : +94 71 809 6732
>>> http://blog.facilelogin.com
>>> http://RampartFAQ.com
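The two properties Prabath lists (the code is bound to the client it was issued to, and it can be exchanged only once), together with the redirect_uri check and the replay revocation in RFC 6749 sections 4.1.2 and 4.1.3, are what make a code that passes through the user-agent safe to expose there. The following is an added illustration of a minimal token endpoint enforcing them; it is not code from this thread or from any OAuth library, and the in-memory store, the client ids, the redirect URIs and the explicit `now` clock argument are assumptions made so it runs offline and deterministically:

```python
# Added illustration of the authorization-code redemption checks in RFC 6749
# sections 4.1.2 and 4.1.3.  This is not code from the thread or from any
# OAuth library; the in-memory store, the client ids, the redirect URIs and
# the explicit `now` clock argument are assumptions so the example runs offline.
import secrets
from dataclasses import dataclass, field

CODE_LIFETIME = 600  # seconds; RFC 6749 4.1.2 recommends a maximum of 10 minutes


@dataclass
class IssuedCode:
    """What the AS remembers about a code it handed to the user-agent."""
    client_id: str
    redirect_uri: str
    resource_owner: str
    scope: str
    issued_at: float
    used: bool = False
    tokens: list = field(default_factory=list)  # access tokens minted from it


class AuthorizationServer:
    def __init__(self):
        self.clients = {}        # client_id -> secret (None for a public client)
        self.codes = {}          # code -> IssuedCode
        self.issued_tokens = set()
        self.revoked = set()     # tokens revoked because their code was replayed

    def register_client(self, client_id, secret=None):
        self.clients[client_id] = secret

    def issue_code(self, client_id, redirect_uri, resource_owner, scope, now):
        """Authorization endpoint: bind the code to the client and redirect_uri
        before the user-agent carries it back to the client (step C)."""
        code = secrets.token_urlsafe(32)
        self.codes[code] = IssuedCode(client_id, redirect_uri, resource_owner,
                                      scope, now)
        return code

    def exchange(self, code, client_id, redirect_uri, client_secret, now):
        """Token endpoint (step D): the checks that make a code observed in the
        user-agent useless to anyone but the client it was issued to."""
        if client_id not in self.clients:
            return {"error": "invalid_client"}
        secret = self.clients[client_id]
        # Confidential client: authenticate it.  A public client has no secret,
        # so for it the client_id/redirect_uri binding below is all that is left.
        if secret is not None and not secrets.compare_digest(secret, client_secret or ""):
            return {"error": "invalid_client"}
        entry = self.codes.get(code)
        if entry is None or now - entry.issued_at > CODE_LIFETIME:
            return {"error": "invalid_grant"}
        # The code may only be redeemed by the client it was issued to, with the
        # redirect_uri it was delivered to.
        if entry.client_id != client_id or entry.redirect_uri != redirect_uri:
            return {"error": "invalid_grant"}
        if entry.used:
            # Replay: refuse, and revoke every token already minted from this
            # code, because one of the two presenters is not the real client.
            self.revoked.update(entry.tokens)
            return {"error": "invalid_grant"}
        entry.used = True
        token = secrets.token_urlsafe(32)
        entry.tokens.append(token)
        self.issued_tokens.add(token)
        return {"access_token": token, "token_type": "Bearer", "scope": entry.scope}

    def token_is_valid(self, token):
        """Resource-server side: a token whose code was replayed is gone."""
        return token in self.issued_tokens and token not in self.revoked


if __name__ == "__main__":
    srv = AuthorizationServer()
    srv.register_client("web-app", "s3cret")
    cb = "https://app.example/cb"
    code = srv.issue_code("web-app", cb, "alice", "read", now=1000.0)
    print("attacker without secret:", srv.exchange(code, "web-app", cb, "guess", now=1001.0))
    print("wrong redirect_uri:     ", srv.exchange(code, "web-app", "https://evil.example/cb", "s3cret", now=1001.0))
    ok = srv.exchange(code, "web-app", cb, "s3cret", now=1002.0)
    print("legitimate client:      ", ok)
    print("replay:                 ", srv.exchange(code, "web-app", cb, "s3cret", now=1003.0))
    print("first token still valid?", srv.token_is_valid(ok["access_token"]))
```

The demo at the bottom walks through the situation discussed in the thread: an attacker who saw the code in the user-agent but lacks the client secret fails client authentication, a different client_id or redirect_uri fails the binding check, and a replay after the legitimate redemption is refused and revokes the access token already issued from that code. For a client registered without a secret (a public client) the authentication step is skipped, so the client_id and redirect_uri binding of section 4.1.3 is the only protection the code has.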

  
