Re: [OAUTH-WG] Bearer Token Last Call Comments

Mike Jones <> Wed, 19 October 2011 23:57 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id B7DB011E80AF for <>; Wed, 19 Oct 2011 16:57:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -9.984
X-Spam-Status: No, score=-9.984 tagged_above=-999 required=5 tests=[AWL=0.614, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id ZCmKCxyUnsa1 for <>; Wed, 19 Oct 2011 16:57:52 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id B521C11E8095 for <>; Wed, 19 Oct 2011 16:57:52 -0700 (PDT)
Received: from ( by ( with Microsoft SMTP Server (TLS) id; Wed, 19 Oct 2011 16:57:52 -0700
Received: from ([]) by ([]) with mapi id 14.01.0339.002; Wed, 19 Oct 2011 16:57:51 -0700
From: Mike Jones <>
To: Justin Richer <>, "Anganes, Amanda L" <>
Thread-Topic: [OAUTH-WG] Bearer Token Last Call Comments
Thread-Index: AcyOuuIGob2s/4J+RN6XsYxNdEm67w==
Date: Wed, 19 Oct 2011 23:57:51 +0000
Message-ID: <>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B16804296739435C24B250TK5EX14MBXC283r_"
MIME-Version: 1.0
Cc: "" <>
Subject: Re: [OAUTH-WG] Bearer Token Last Call Comments
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 19 Oct 2011 23:57:53 -0000

Thanks for the useful feedback, Justin and Amanda.  Actions taken in response in draft 10 are described inline.

-----Original Message-----
From:<> []<mailto:[]> On Behalf Of Justin Richer
Sent: Friday, August 12, 2011 11:32 AM
Cc: Anganes, Amanda L
Subject: [OAUTH-WG] Bearer Token Last Call Comments

1.3: This draft still uses the term "access grant" where the core now uses "authorization grant". Change all references to "authorization grant" and reference section 1.4 in core. Also, too many parenthetical statements in opening paragraph -- suggested rewrite of this bit:

               Before a client can access a protected resource, it must first

               obtain an authorization grant [[link to core S.1.4]] from the

               resource owner, and then exchange the authorization grant for

               an access token. The access token then represents the scope,

               duration, and other access attributes granted by the

               authorization grant.


2: "...SHOULD NOT be used unless no other..." is a triple negative and while technically correct it is a bit head-spinny to read. Suggested

rewrite: "Due to the Security Considerations (S.3) associated with the URI method, this method SHOULD NOT be used unless it is the only feasible method."


2.1/2.2/2.3: Introductory text is non-parallel. Suggest changing intro to 2.1 to parallel 2.2 and 2.3, with a "When including the access token in the Authorization header, the client ..." construct.


2.2: "unless the following conditions are met" is ambiguous. All conditions are met? At least one?

Now reads “unless all of the following conditions are met”.

2.3: Are there conditions for this use as well, to match 2.2?

Just the statement about “SHOULD NOT be used unless it is the only feasible method”.

2.2/2.3: Add normative language to: "The entity-body MAY include other request specific parameters. In which case..." (similar in 2.3's request



Might be useful to have the example show an additional parameter.

Not done, as the additional parameter could also confuse developers reading the specification.

2.4: Should this be a top-level section? Since it's dealing with the from-the-server bit instead of the to-the-server bit that the rest of 2.

is dealing with.


3.1: Missing word: "Token redirect:  An attacker uses the token generated for consumption by [one] resource server to obtain access to another resource server."


3: There's a mix of normative and non-normative language throughout this section, as well as a mix of imperative and descriptive language. We suggest making the whole section normative and imperative to be consistent. Particular instances:

  3.2: "the lifetime of the token MUST be limited”


  3.3: validate SSL certificate chains: "The client MUST..."


  3.3: issue short lived bearer tokens: Change to something like "Token

               servers SHOULD issue short-lived (one hour or less) bearer

               tokens, particularly when issuing tokens to clients that run

               within a web browser or other environments where information

               leakage may occur. Using short-lived bearer tokens can reduce

               the impact of one of them being leaked."


  3.3: scoped bearer tokens: "Token servers SHOULD issue bearer tokens

               that contain an audience restriction..."


  3.3: don't pass: "Bearer tokens SHOULD NOT be passed in page URLs

               (for example as query string parameters). Instead, bearer

               tokens SHOULD be passed in HTTP message headers or message

               bodies for which confidentiality measures are taken. Browsers,

               web servers, and other software may not adequately secure URLs

               in the browser history, web server logs, and other data

               structures. If bearer tokens are passed in page URLs, attackers

               might be able to steal them from the history data, logs, or

               other unsecured locations."


-- Justin Richer


OAuth mailing list<>

                                                            -- Mike