Let me explain my question a little bit. It's written in the very beginning of section 1.4.2: "typically implemented in a browser using a scripting language such as JavaScript".

That phrase, step C and knowledge about how browser redirects are usually implemented made me think that:

1. A server sends a redirect to a browser using something like this in the response:

   HTTP/1.x 301 Moved Permanently
   Location: http://www.google.com?access_token=123

2. When the browser sees the response, it will go to the URI provided in the Location header without asking any further questions.

At what point and how are you going to get rid of the access token?

----- Original Message ----
From: Marius Scurtescu <mscurte...@google.com>
To: Oleg Gryb <o...@gryb.info>
Cc: oauth@ietf.org
Sent: Sun, August 1, 2010 11:52:22 AM
Subject: Re: [OAUTH-WG] Is User Agent Profile Secure in OAuth 2.0?

On Sun, Aug 1, 2010 at 10:59 AM, Oleg Gryb <oleg_g...@yahoo.com> wrote:
> I think OAuth 2.0 (http://tools.ietf.org/html/draft-ietf-oauth-v2-10)
> User Agent profile is not very secure. Please let me know where/if I'm
> wrong.
>
> Let us take a look at step C in Figure 5:
>
> "Redirect URI with access token in fragment."
>
> It's written everywhere that one should not really put secrets in a
> URL. Access token and that URL are all I need to get access to the
> protected resource, right?
>
> Let us assume that somebody copy/pasted that URL from a web server's
> access log file or from a Proxy log file and then replayed it 1000
> times.

The fragment is not sent by the browser to the server, so it cannot end up in log files.

Marius

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
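Added illustration of the point the two messages above are arguing about; this is editor-supplied example code, not part of the thread or of the OAuth draft. It shows, for a redirect URI carrying the token in the query string versus in the fragment, what part of the URI the browser actually puts on the HTTP request line (and so what a server or proxy access log can see), how a client-side script reads the token out of the fragment, and how the script can then drop the fragment from the displayed URL. The hostname client.example, the callback path /cb and the token value 123 are constructed placeholders; the `history.replaceState` call at the end is shown in a comment because it assumes a browser environment.

```javascript
// Added example, not from the mailing-list thread.
// Constructed sample redirect targets, as a server might send them in a
// Location header. Token value "123" is a placeholder, not a real credential.
const REDIRECT_WITH_QUERY =
  "https://client.example/cb?access_token=123&token_type=bearer";
const REDIRECT_WITH_FRAGMENT =
  "https://client.example/cb#access_token=123&token_type=bearer";

// What the browser writes on the request line when it follows the redirect:
// origin-form request target = path + query. The fragment part after "#"
// is kept by the user agent and never transmitted (RFC 3986, section 3.5),
// so it is absent from server and proxy access logs.
function requestTarget(location) {
  const u = new URL(location);
  return u.pathname + u.search;
}

// What a script on the loaded callback page can read from the fragment.
// Returns null when the token is not in the fragment (e.g. it was put in
// the query string instead, where the server did see it).
function tokenFromFragment(location) {
  const u = new URL(location);
  const hash = u.hash.startsWith("#") ? u.hash.slice(1) : u.hash;
  return new URLSearchParams(hash).get("access_token");
}

// Oleg's follow-up question: how does the token get removed afterwards?
// The page script can rewrite the displayed URL without the fragment so the
// token does not linger in browser history or get copied along with the link.
function locationWithoutFragment(location) {
  const u = new URL(location);
  u.hash = "";
  return u.toString();
}

// Typical use on the callback page (assumes a browser; not run here):
//   const token = tokenFromFragment(window.location.href);
//   history.replaceState(null, "", locationWithoutFragment(window.location.href));
```

With the query-string variant, `requestTarget` returns "/cb?access_token=123&token_type=bearer", which is exactly the string an access log would record; with the fragment variant it returns only "/cb". The token still sits in the browser's history entry until the script replaces the URL, so the client page should do that immediately after reading the fragment.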