[OAUTH-WG] Associating access_token with user-agent on client?

"Martin, Bobby" <bobbym@amazon.com> Tue, 28 February 2012 21:54 UTC

From: "Martin, Bobby" <bobbym@amazon.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Date: Tue, 28 Feb 2012 13:54:00 -0800
Thread-Topic: Associating access_token with user-agent on client?
Thread-Index: Acz2Y3p/Li3CjQWhQvm/Xc0tOGH/iw==
Message-ID: <566590632924AD48B839AF6CD200554A02B24D2EBB@EX-SEA31-A.ant.amazon.com>
Subject: [OAUTH-WG] Associating access_token with user-agent on client?

The OAuth 2.0 spec specifically says not to return the access_token to the user-agent (which I understand), but it does not indicate how to associate the access_token with a particular client session.

This seems like an important omission, since any way that spoofs how the client recognizes a user-agent request as belonging to a resource owner is as good as spoofing the access_token.

I searched the list archives and in general googled around, but I don't see any discussion of this.  In our use case, we want to recognize the customer based on their authentication with the auth server, so ideally we do not require a login in the client's domain.

Can someone point me to discussions around this?

Thanks,
Bobby
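The association the message asks about is usually done on the client side rather than by the OAuth protocol itself: a web-application client keeps the access_token in server-side storage keyed by an opaque session identifier, and only that identifier travels to the user-agent as a cookie. The point raised above then holds exactly: whoever can present the identifier effectively holds the token, so it has to be unguessable, issued only by the client, rotated when the authorization response arrives (so an identifier planted before login is useless), and tied to the OAuth `state` value so a callback cannot be cross-wired into a different session. The following Python is an added illustration written for this thread, not code from the poster or from any OAuth library; the `SessionStore` class, the `SESSION_TTL` value and the token string are constructed for the example.

```python
"""
Added example (not from the original message): server-side session store for an
OAuth 2.0 web-application client.  The access_token never reaches the user-agent;
the user-agent holds only an opaque session id, delivered as a cookie, and the
client resolves that id to the token.  All names here are illustrative.
"""
import hmac
import secrets
import time

SESSION_TTL = 3600  # seconds; illustrative value


class SessionStore:
    def __init__(self, now=time.time):
        # session_id -> {"state", "access_token", "expires"}
        self._sessions = {}
        self._now = now  # injectable clock so expiry can be exercised offline

    def new_session(self):
        """Create an anonymous session; the id is 256 bits from the OS CSPRNG."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"state": None, "access_token": None,
                               "expires": self._now() + SESSION_TTL}
        return sid

    def _get(self, sid):
        """Return the live session record, dropping it if it has expired."""
        s = self._sessions.get(sid)
        if s is None or s["expires"] < self._now():
            self._sessions.pop(sid, None)
            return None
        return s

    def begin_authorization(self, sid):
        """Mint a per-session 'state' value to send in the authorization request."""
        s = self._get(sid)
        if s is None:
            raise KeyError("unknown or expired session")
        s["state"] = secrets.token_urlsafe(32)
        return s["state"]

    def complete_authorization(self, sid, returned_state, access_token):
        """Handle the redirect back from the authorization server.

        Returns a NEW session id that must replace the cookie value: rotating
        the id on login defeats session fixation.
        """
        s = self._get(sid)
        if s is None or s["state"] is None:
            raise PermissionError("callback without a pending authorization")
        # Constant-time compare; a mismatch means this session did not start
        # the authorization that is now completing.
        if not hmac.compare_digest(s["state"], returned_state):
            raise PermissionError("state mismatch")
        del self._sessions[sid]
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {"state": None, "access_token": access_token,
                                   "expires": self._now() + SESSION_TTL}
        return new_sid

    def token_for(self, sid):
        """Resolve a presented session id to its access_token.

        Returns None when the session is unknown, expired or not yet authorized,
        so the caller never forwards a request it cannot attribute to an owner.
        """
        s = self._get(sid)
        return None if s is None else s["access_token"]


def cookie_header(sid):
    """Set-Cookie attributes that keep the id off cleartext and away from scripts."""
    return f"sid={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def demo():
    """Walk one user-agent through the flow with a constructed token value."""
    store = SessionStore()
    sid = store.new_session()
    state = store.begin_authorization(sid)
    # ... client redirects the user-agent to the authorization endpoint with
    # this state; the user-agent later returns carrying the same state ...
    new_sid = store.complete_authorization(sid, state, "constructed-access-token")
    return store, sid, new_sid


if __name__ == "__main__":
    store, old_sid, new_sid = demo()
    print(cookie_header(new_sid))
    print(store.token_for(new_sid))  # the token, reachable only via the rotated id
    print(store.token_for(old_sid))  # None: the pre-login id no longer resolves
```

The cookie attributes in `cookie_header` are what keep the identifier itself from being exposed: `Secure` keeps it off plaintext HTTP, `HttpOnly` keeps it away from page scripts, and `SameSite` limits cross-site requests from carrying it. Whatever the storage backend, the lookup path in `token_for` is the only place the client should turn a user-agent request into a bearer of the resource owner's token.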