[OAUTH-WG] Secure storage of access for clients of the implicit flow

Doug Tangren <d.tangren@gmail.com> Fri, 30 September 2011 18:24 UTC

Return-Path: <d.tangren@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 447E821F8BE4 for <oauth@ietfa.amsl.com>; Fri, 30 Sep 2011 11:24:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.598
X-Spam-Level:
X-Spam-Status: No, score=-3.598 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1, TVD_PH_SUBJ_META=0]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lZFq5G4Q1ypX for <oauth@ietfa.amsl.com>; Fri, 30 Sep 2011 11:24:57 -0700 (PDT)
Received: from mail-yw0-f44.google.com (mail-yw0-f44.google.com [209.85.213.44]) by ietfa.amsl.com (Postfix) with ESMTP id B42E421F8B29 for <oauth@ietf.org>; Fri, 30 Sep 2011 11:24:57 -0700 (PDT)
Received: by ywa6 with SMTP id 6so2160125ywa.31 for <oauth@ietf.org>; Fri, 30 Sep 2011 11:27:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:from:date:message-id:subject:to:content-type; bh=7OILZFDUbyICWaV4vYcIymwZ5W5pOaClqqA6nSjAsb4=; b=nWFQyO8/SSPN7n1fHCYOYHpvfKnaZ5hVkeSjwhnyoviA5BM97wEHDENy73oNKmPv+e elEJHvTzlUibzcVxlHDKvU2fI9P83vyxq5LUbzHad3J8W1O/9CKdfHd8+JJiHWsQPab2 XrexZbax3IdiJnIc6/LvVdTOfHAa78rXkU/Jk=
Received: by 10.101.8.22 with SMTP id l22mr10742557ani.90.1317407272057; Fri, 30 Sep 2011 11:27:52 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.100.254.6 with HTTP; Fri, 30 Sep 2011 11:27:32 -0700 (PDT)
From: Doug Tangren <d.tangren@gmail.com>
Date: Fri, 30 Sep 2011 14:27:32 -0400
Message-ID: <CAJ2WPXj9oBM8iEevyuLM1ygpBUgznSjyh9QUKHe2nw=kTeSLsw@mail.gmail.com>
To: oauth@ietf.org
Content-Type: multipart/alternative; boundary=001636b2b03979b9fe04ae2cc855
Subject: [OAUTH-WG] Secure storage of access for clients of the implicit flow
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Sep 2011 18:24:58 -0000

What is the recommended practice for storing access tokens for clients of
the implicit flow. You don't really want to store it in a cookie because it
will be send with every request to the server. There is html local storage
but I don't know how sandboxed that is from other scripts on a given page.

-Doug Tangren
http://lessis.me