Re: [OAUTH-WG] Security Considerations - Access Tokens

Eran Hammer <eran@hueniverse.com> Mon, 16 January 2012 19:00 UTC

From: Eran Hammer <eran@hueniverse.com>
To: Marco De Nadai <denadai2@gmail.com>, "oauth@ietf.org" <oauth@ietf.org>
Date: Mon, 16 Jan 2012 12:00:35 -0700
Thread-Topic: [OAUTH-WG] Security Considerations - Access Tokens
Thread-Index: AcyXIzn9T8TPMBNvQXioZv8xNL7ruw9XbpGQ
Message-ID: <90C41DD21FB7C64BB94121FBBC2E723453A754C54C@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <CAHWszSa89mm1GR0Wz26kFqvNQ3U7qjmXqawkkG5KXmb8stAErg@mail.gmail.com>
In-Reply-To: <CAHWszSa89mm1GR0Wz26kFqvNQ3U7qjmXqawkkG5KXmb8stAErg@mail.gmail.com>
Subject: Re: [OAUTH-WG] Security Considerations - Access Tokens

Added the word 'credentials' (e.g. "Access token credentials (as well as...") to make this clearer. IOW, when using MAC tokens, the token secret is the part that must be protected, not the token id.

EHL

From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Marco De Nadai
Sent: Sunday, October 30, 2011 9:44 AM
To: oauth@ietf.org
Subject: [OAUTH-WG] Security Considerations - Access Tokens

Hi all,

I've recently noticed that in OAuth 2.0 draft 22, section 10.3, there is this statement:

Access token (as well as any access token type-specific attributes) MUST be kept confidential in transit and storage, and only shared among the authorization server, the resource servers the access token is valid for, and the client to whom the access token is issued.

BUT in OAuth 2.0 draft 22 with Authorization Code and MAC Access Authentication, I can request a resource with the access token sent in the clear. This invalidates the "Access token (as well as any access token type-specific attributes) MUST be kept confidential in transit and storage".

Is it my error?

--
Marco De Nadai
http://www.marcodena.it/
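Eran's point above (with MAC tokens the token id may travel in the clear; only the token secret needs protecting) as an added example, not code from the thread or from the MAC draft. It assumes the normalized-request-string layout of the OAuth 2.0 MAC draft of that era (timestamp, nonce, method, request URI, host, port, ext, each newline-terminated) with HMAC-SHA1; the token id, secret and request values are constructed samples.

```python
import base64
import hashlib
import hmac

# Constructed sample token credentials. The id is sent in every request;
# the secret never leaves client or server and is only used as an HMAC key.
TOKEN_ID = "h480djs93hd8"
TOKEN_SECRET = b"489dks293j39"


def normalized_request_string(ts, nonce, method, uri, host, port, ext=""):
    """Assumed MAC-draft layout: each element in fixed order, newline-terminated."""
    parts = [str(ts), nonce, method.upper(), uri, host.lower(), str(port), ext]
    return "\n".join(parts) + "\n"


def compute_mac(secret, normalized):
    """HMAC-SHA1 over the normalized string, base64 as it appears in the header."""
    digest = hmac.new(secret, normalized.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def build_authorization_header(token_id, secret, ts, nonce, method, uri, host, port):
    """Client side: the header carries id, ts, nonce and mac, never the secret."""
    mac = compute_mac(secret, normalized_request_string(ts, nonce, method, uri, host, port))
    return 'MAC id="%s", ts="%s", nonce="%s", mac="%s"' % (token_id, ts, nonce, mac)


def parse_mac_header(header):
    """Split 'MAC k="v", k="v"' into a dict; None if the scheme is not MAC."""
    scheme, _, params = header.partition(" ")
    if scheme != "MAC":
        return None
    attrs = {}
    for part in params.split(","):
        key, _, val = part.strip().partition("=")
        attrs[key] = val.strip('"')
    return attrs


def verify_request(header, secret_lookup, method, uri, host, port):
    """Resource-server side: look up the secret by id, recompute the MAC over
    the request as actually received and compare in constant time.
    Returns the token id on success, None otherwise. Timestamp freshness and
    nonce replay checks are a separate step not shown here."""
    attrs = parse_mac_header(header)
    if attrs is None or not all(k in attrs for k in ("id", "ts", "nonce", "mac")):
        return None
    secret = secret_lookup(attrs["id"])
    if secret is None:
        return None
    normalized = normalized_request_string(attrs["ts"], attrs["nonce"], method,
                                           uri, host, port, attrs.get("ext", ""))
    expected = compute_mac(secret, normalized)
    return attrs["id"] if hmac.compare_digest(expected, attrs["mac"]) else None
```

A passive observer of the wire sees the id, timestamp, nonce and mac, but cannot produce a valid mac for any other request without the secret, which is why the confidentiality requirement in 10.3 attaches to the credentials rather than to the identifier.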