[OAUTH-WG] OAuth2 security considerations for client_id

Karim <medkarim.esskalli@gmail.com> Fri, 06 January 2012 11:06 UTC

Return-Path: <medkarim.esskalli@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id AB5B521F8919 for <oauth@ietfa.amsl.com>; Fri, 6 Jan 2012 03:06:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.598
X-Spam-Status: No, score=-3.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id VrapQLMeLGBS for <oauth@ietfa.amsl.com>; Fri, 6 Jan 2012 03:06:07 -0800 (PST)
Received: from mail-lpp01m010-f44.google.com (mail-lpp01m010-f44.google.com []) by ietfa.amsl.com (Postfix) with ESMTP id DB20721F8911 for <oauth@ietf.org>; Fri, 6 Jan 2012 03:06:06 -0800 (PST)
Received: by laah2 with SMTP id h2so529576laa.31 for <oauth@ietf.org>; Fri, 06 Jan 2012 03:06:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:date:message-id:subject:from:to:content-type; bh=W02A4fKL6X3yCQgYb6mADkadOgk6Ccbkenragq6lE6Y=; b=k55GgC7MQp+DG4nGZXGpJMERVoylIG4/Rupe1MAhDORpVSpRdQIt0mHjzmaBRZtDOH PZB0tO0GixdJzStMZXl5itI12vNYam3D7PbZF6wEFwDxA3Rah8YnRDP/SI+8WyonLRO+ 3LH7/FY7WF73sLypqcoaXXpFiBBH3WQfjA/4g=
MIME-Version: 1.0
Received: by with SMTP id h1mr1042245lbz.84.1325847965894; Fri, 06 Jan 2012 03:06:05 -0800 (PST)
Received: by with HTTP; Fri, 6 Jan 2012 03:06:05 -0800 (PST)
Date: Fri, 06 Jan 2012 12:06:05 +0100
Message-ID: <CACHRFsBNqUgXPxgFth-zHL=tvkVHy=OCXK2tcQ6hC273eoJ9EQ@mail.gmail.com>
From: Karim <medkarim.esskalli@gmail.com>
To: oauth@ietf.org
Content-Type: multipart/alternative; boundary="f46d0401683908876804b5da0914"
Subject: [OAUTH-WG] OAuth2 security considerations for client_id
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Jan 2012 11:06:08 -0000


When using User-agent flow with OAuth2 for mobile platform, there is no way
for Authorization server to authenticate the client_id of the application.

So, anyone can impersonate my app by copying the client_id (and so get all
access tokens on my behalf), and this is applicable to Facebook,

This is not managed by OAuth2 ? Or I missed something ?

For Web applications (Web server flow), access token is stored on the
server side, and the client is authenticated using secret key.

Karim <medkarim.esskalli@it-sudparis.eu>