Re: [OAUTH-WG] Authorization code use in draft-ietf-oauth-v2-21
Eran Hammer-Lahav <eran@hueniverse.com> Fri, 09 September 2011 23:05 UTC
Return-Path: <eran@hueniverse.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F005E11E8083 for <oauth@ietfa.amsl.com>; Fri, 9 Sep 2011 16:05:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.411
X-Spam-Level:
X-Spam-Status: No, score=-2.411 tagged_above=-999 required=5 tests=[AWL=-0.112, BAYES_00=-2.599, MIME_8BIT_HEADER=0.3]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CyM4knZ3dmki for <oauth@ietfa.amsl.com>; Fri, 9 Sep 2011 16:05:28 -0700 (PDT)
Received: from p3plex1out01.prod.phx3.secureserver.net (p3plex1out01.prod.phx3.secureserver.net [72.167.180.17]) by ietfa.amsl.com (Postfix) with SMTP id 784DF11E8073 for <oauth@ietf.org>; Fri, 9 Sep 2011 16:05:28 -0700 (PDT)
Received: (qmail 5481 invoked from network); 9 Sep 2011 23:07:20 -0000
Received: from unknown (HELO smtp.ex1.secureserver.net) (72.167.180.20) by p3plex1out01.prod.phx3.secureserver.net with SMTP; 9 Sep 2011 23:07:20 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([10.6.135.19]) by P3PW5EX1HT002.EX1.SECURESERVER.NET ([72.167.180.20]) with mapi; Fri, 9 Sep 2011 16:06:33 -0700
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: André DeMarre <andredemarre@gmail.com>
Date: Fri, 09 Sep 2011 16:06:29 -0700
Thread-Topic: Authorization code use in draft-ietf-oauth-v2-21
Thread-Index: AcxvRR4XY4qdDqUCQEGA2vnS4w7g3g==
Message-ID: <8A78E766-3A1D-4534-B336-3084A182EFD0@hueniverse.com>
References: <CAEwGkqCcvBS+HvoQQGj+R0eXYUnPS8W0SqeSxTtt03rnUsywZQ@mail.gmail.com>
In-Reply-To: <CAEwGkqCcvBS+HvoQQGj+R0eXYUnPS8W0SqeSxTtt03rnUsywZQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Authorization code use in draft-ietf-oauth-v2-21
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Sep 2011 23:05:29 -0000
Sending to the right address. EHL On Sep 9, 2011, at 15:31, "André DeMarre" <andredemarre@gmail.com> wrote: > Greetings Everyone, > > I hope the draft isn't too far along for these comments. > (draft-ietf-oauth-v2-21) > > 1. AUTHORIZATION CODE RESTRICTIONS > > The specification (particularly Section 4.1) does not say if the > authorization server may or may not allow an authorization code to be > used more than once in exchange for an access token. (Section 4.1.3) > > With this ambiguity, some authorization server implementations might > allow authorization codes to be reused by the client (whether > intentionally or not). I don't see any benefit in allowing this and > think it should be forbidden for several reasons. > > Allowing this enables a scenario where an authorization code may be > reused when the client should use the refresh token instead. The > refresh token has more desirable security properties. > > The usefulness of authorization codes should be restricted wherever > possible because they are revealed to resource owners and can be sent > over unsecure connections when the client does not require TLS on its > redirection URI. These properties combined with the possibility that > the authorization code flow may be used by public clients might open > more severe attack vectors. > > I think it should be clearly stated that the authorization server MUST > NOT issue more than one access token per authorization code grant. An > authorization code should be discarded after its first use and new > access tokens should only be issued when exchanged for refresh tokens. > > > 2. AUTHORIZATION CODE VS. TOKEN? > > Much less important, and please forgive me if this has already been > discussed, but why isn't the authorization code called an > authorization token? It is similar to the refresh token in that it can > be presented in exchange for an access token at the token endpoint. I > see it as another type of token and wonder if the language used should > perhaps reflect that as well. > > > 3. GRAMMAR CORRECTION IN SECTION 10.12 > > In Section 10.12 paragraph three it says "(e.g. a hash of the session > cookie used to authentication the user-agent)." This should say > "authenticate" instead of "authentication". > > Regards, > Andre DeMarre
- Re: [OAUTH-WG] Authorization code use in draft-ie… Eran Hammer-Lahav
- Re: [OAUTH-WG] Authorization code use in draft-ie… André DeMarre
- Re: [OAUTH-WG] Authorization code use in draft-ie… Eran Hammer-Lahav