IETF Logo Mail Archive

Re: [OAUTH-WG] 答复: Re: A question of 1.3.1. Authorization Code in rfc6749 The OAuth 2.0 Authorization Framework

Peng Zhou <zpbrent@gmail.com> Wed, 09 January 2013 06:42 UTC

Return-Path: <zpbrent@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 75B2121F86AE; Tue, 8 Jan 2013 22:42:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.048
X-Spam-Level:
X-Spam-Status: No, score=0.048 tagged_above=-999 required=5 tests=[AWL=-3.647, BAYES_00=-2.599, CHARSET_FARAWAY_HEADER=3.2, MIME_8BIT_HEADER=0.3, MIME_CHARSET_FARAWAY=2.45, RCVD_IN_DNSWL_LOW=-1, SARE_SUB_ENC_GB2312=1.345]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6JBGm9gpoLum; Tue, 8 Jan 2013 22:42:30 -0800 (PST)
Received: from mail-qa0-f42.google.com (mail-qa0-f42.google.com [209.85.216.42]) by ietfa.amsl.com (Postfix) with ESMTP id 76D9221F86AC; Tue, 8 Jan 2013 22:42:30 -0800 (PST)
Received: by mail-qa0-f42.google.com with SMTP id hg5so419322qab.8 for <multiple recipients>; Tue, 08 Jan 2013 22:42:30 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type:content-transfer-encoding; bh=0/kdDai4zm9HlNv4Qe1E/BgirdSjvaQ3D4i9OR711/c=; b=eH4bha4DQI5w1vXq+a8Y5rtkxcphket0ga+7P7EZdpIwvRIwavY/39LY0xoEN4zkLn jeEBAEjN4SFNQ4M+YCPP5zbvDgG07rB+HVxXV4hFkqrIpo7XxfLKP1LzVtBsGowebIbm CoY72VAAOQUxcEn1q2D9eSf9v5qIHwCUIupuNbTFbiHiOV+uDSxnFxzKAVBO0cCtoWK/ MdbQu3wLZ8yjWQKTCdXkgDa2098murY5HpiHNXEvfzUgZIsKGcI1S4E+XfVIsFqmkmnv 08sXbqr/BzlaRWoThW/S90npSCEarxvJovPKRTcK3StM9ZEJLFtabTzO/4IBQeKwMsNx IPNw==
Received: by 10.49.105.100 with SMTP id gl4mr58549222qeb.23.1357713749946; Tue, 08 Jan 2013 22:42:29 -0800 (PST)
MIME-Version: 1.0
Received: by 10.49.62.34 with HTTP; Tue, 8 Jan 2013 22:42:09 -0800 (PST)
In-Reply-To: <OF09F85034.34A94363-ON48257AEE.00243414-48257AEE.002458A9@zte.com.cn>
References: <CAJV9qO80r93oOk-EjVukF0AUbc5-FWu8VhpVi+9WZBGzSjMrPA@mail.gmail.com> <OF09F85034.34A94363-ON48257AEE.00243414-48257AEE.002458A9@zte.com.cn>
From: Peng Zhou <zpbrent@gmail.com>
Date: Wed, 09 Jan 2013 14:42:09 +0800
Message-ID: <CABFKGseLf3=P79YmJmBQ_vt1xqb+v2RSMn6sc6WWPPGff43ing@mail.gmail.com>
To: zhou.sujing@zte.com.cn
Content-Type: text/plain; charset="GB2312"
Content-Transfer-Encoding: quoted-printable
X-Mailman-Approved-At: Wed, 09 Jan 2013 09:04:08 -0800
Cc: oauth-bounces@ietf.org, oauth@ietf.org
Subject: Re: [OAUTH-WG] 答复: Re: A question of 1.3.1. Authorization Code in rfc6749 The OAuth 2.0 Authorization Framework
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Jan 2013 06:44:18 -0000

Dear SuJing:

If it is the only reason, why we send the authorization code to the
client directly and send another notification without the
authorization code to the RO. This way can mitigate the chance that
the authorization code is exposed to the RO's user-agent, hence
protecting the authorization code from leaking to possible attackers
in a higher security levle.

Best Regards
Brent

2013/1/9  <zhou.sujing@zte.com.cn>:
>
> Then why not let auth code be sent directly from AS to Client?
>
> Just want to inform RO that an auth code has been dilivered to Client?
>
> oauth-bounces@ietf.org 写于 2013-01-09 14:27:50:
>
>> Hi Brent,
>>
>> Few points, why this doesn't create any security implications..
>>
>> 1. Authorization server maintains a binding to the Client, who the
>> token was issued to. To exchange this to an Access token client
>> should authenticate him self.
>> 2. Code can only be exchanged once for an acces token.
>>
>> Thanks & regards,
>> -Prabath
>
>> On Wed, Jan 9, 2013 at 6:56 AM, cspzhouroc <cspzhouroc@comp.polyu.edu.hk
>> > wrote:
>> Dear All:
>>
>> I have a question in the section 1.3.1. Authorization Code in rfc6749
>> The OAuth 2.0 Authorization Framework.
>>
>> It tells "which in turn directs the resource owner back to the client
>> with the authorization code."
>>
>> Who can let me know the reason why is the authorization code sent to
>> client through a redirection in resource owner's agent?  Any security
>> implications?
>>
>> Is it possible to let the authorization server send the authorization
>> code to the client directly (not through resource owner's user-agent)?
>>
>> Best Regards
>> Brent
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>
>>
>
>>
>> --
>> Thanks & Regards,
>> Prabath
>>
>> Mobile : +94 71 809 6732
>>
>> http://blog.facilelogin.com
>> http://RampartFAQ.com_______________________________________________
>
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email