[OAUTH-WG] Security Considerations - Access Tokens

Marco De Nadai <denadai2@gmail.com> Sun, 30 October 2011 16:44 UTC

Hi all,

I've recently noticed that in OAuth 2.0 draft 22, in section 10.3, there
is this statement:

Access token (as well as any access token type-specific attributes) MUST be
kept confidential in transit and storage, and only shared among the
authorization server, the resource servers the access token is valid for,
and the client to whom the access token is issued.

But in OAuth 2.0 draft 22, with Authorization Code and MAC Access
Authentication, I can request a resource with the Access Token sent in the clear.
This invalidates the "Access token (as well as any access token
type-specific attributes) MUST be kept confidential in transit and storage".

Is it my error?

-- 
*Marco De Nadai*
http://www.marcodena.it/
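The exchange the post asks about, as an added example that is not part of the original thread and not code from any OAuth implementation: a client signs a request with a MAC-type token and a resource server verifies it. The header layout and normalized request string are modelled on the HTTP MAC access authentication draft of the time (draft-ietf-oauth-v2-http-mac); the sample credentials, the URL, the fixed clock and the ResourceServer class are constructed for illustration. What it shows is which value actually crosses the wire in the clear: the `access_token` (the MAC key identifier) is visible in every request, while the `mac_key` is only ever transmitted in the token response. Capturing the header gives an attacker the id and one valid signature, which the verifier rejects when reused for another URI or method, replayed, or combined with a guessed key.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed sample credentials in the shape of a MAC-type token response.
# access_token is a key *identifier* that travels in the clear on every
# request; mac_key is the secret that must stay confidential and is only
# sent once, here, over the TLS-protected token endpoint.
TOKEN_RESPONSE = {
    "access_token": "h480djs93hd8",          # constructed MAC key identifier
    "mac_key": "adiasidjaisdjasdasjddasd",   # constructed shared secret
    "mac_algorithm": "hmac-sha-256",
}
DIGESTS = {"hmac-sha-1": hashlib.sha1, "hmac-sha-256": hashlib.sha256}


def normalized_request_string(ts, nonce, method, url, ext=""):
    """ts, nonce, method, request-URI (path+query), lowercase host, port, ext,
    each followed by a newline, as in the MAC draft."""
    u = urlsplit(url)
    port = u.port or (443 if u.scheme == "https" else 80)
    request_uri = (u.path or "/") + ("?" + u.query if u.query else "")
    parts = [str(ts), nonce, method.upper(), request_uri, u.hostname.lower(), str(port), ext]
    return "\n".join(parts) + "\n"


def compute_mac(key, algorithm, normalized):
    digest = hmac.new(key.encode(), normalized.encode(), DIGESTS[algorithm]).digest()
    return base64.b64encode(digest).decode()


def build_authorization_header(token, method, url, ts, nonce=None, ext=""):
    """Client side: sign the request with mac_key; only the id is disclosed."""
    nonce = nonce or secrets.token_urlsafe(8)
    normalized = normalized_request_string(ts, nonce, method, url, ext)
    attrs = {"id": token["access_token"], "ts": str(ts), "nonce": nonce,
             "mac": compute_mac(token["mac_key"], token["mac_algorithm"], normalized)}
    if ext:
        attrs["ext"] = ext
    return "MAC " + ", ".join(f'{k}="{v}"' for k, v in attrs.items())


def parse_authorization_header(header):
    scheme, _, rest = header.partition(" ")
    if scheme != "MAC":
        raise ValueError("not a MAC Authorization header")
    attrs = {}
    for item in rest.split(","):
        k, _, v = item.strip().partition("=")   # base64 '=' padding stays in v
        attrs[k] = v.strip('"')
    return attrs


class ResourceServer:
    """Resource-server side: look the key up by id, recompute the HMAC over the
    request actually received, bound the timestamp, and reject replayed nonces."""

    def __init__(self, keys, now, window=300):
        self.keys = keys        # id -> (mac_key, algorithm); shared with the AS only
        self.now = now
        self.window = window
        self.seen = set()       # (id, ts, nonce) tuples already accepted

    def verify(self, header, method, url):
        try:
            a = parse_authorization_header(header)
            ts = int(a["ts"])
            key, algorithm = self.keys[a["id"]]   # unknown id -> KeyError
            nonce, mac = a["nonce"], a["mac"]
        except (ValueError, KeyError):
            return False
        if abs(self.now() - ts) > self.window or (a["id"], ts, nonce) in self.seen:
            return False
        normalized = normalized_request_string(ts, nonce, method, url, a.get("ext", ""))
        expected = compute_mac(key, algorithm, normalized)
        if not hmac.compare_digest(expected.encode(), mac.encode()):
            return False
        self.seen.add((a["id"], ts, nonce))
        return True


def demo():
    """Verdicts for a genuine request, the same capture aimed at another URI or
    method, a straight replay, a forgery with the public id and a guessed key,
    and the genuine header presented outside the timestamp window."""
    keys = {TOKEN_RESPONSE["access_token"]: (TOKEN_RESPONSE["mac_key"], TOKEN_RESPONSE["mac_algorithm"])}
    clock = 1319993077                       # fixed "now" keeps the run deterministic
    rs = ResourceServer(keys, now=lambda: clock)
    url = "https://example.com/resource/1?b=1&a=2"
    hdr = build_authorization_header(TOKEN_RESPONSE, "GET", url, ts=clock, nonce="dj83hs9s")
    forged = build_authorization_header({**TOKEN_RESPONSE, "mac_key": "guess"}, "GET", url, ts=clock, nonce="xyz")
    return {
        "id_in_clear": TOKEN_RESPONSE["access_token"] in hdr,
        "key_in_clear": TOKEN_RESPONSE["mac_key"] in hdr,
        "genuine": rs.verify(hdr, "GET", url),
        "other_uri": rs.verify(hdr, "GET", "https://example.com/resource/2"),
        "other_method": rs.verify(hdr, "DELETE", url),
        "replay": rs.verify(hdr, "GET", url),
        "forged": rs.verify(forged, "GET", url),
        "stale": ResourceServer(keys, now=lambda: clock + 3600).verify(hdr, "GET", url),
    }


if __name__ == "__main__":
    print(demo())
```

The replay check here is deliberately minimal (an unbounded set of seen nonces); a real server would scope it to the timestamp window. Note also that MAC authentication only protects the signed elements: without TLS the body and any headers outside `ext` are still readable and modifiable on the wire.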