On 12.01.2011 01:43, Brian Eaton wrote:
On Tue, Jan 11, 2011 at 2:44 PM, Torsten Lodderstedt
<tors...@lodderstedt.net>  wrote:
Do you see any need to restrict the power of this token or is it as powerful
as the tokens obtained using the code? I'm asking because this token is sent
out without authenticating the client whereas exchange of code to tokens can
be authenticated. A malicious client app could initiate the hybrid
authorization process in a browser (embedded or external), pretend to be a
legitimate client and obtain the token from the redirect_uri after the
redirect.
This is a good point, I think there are a set of people who won't
deploy the user-agent flow because it returns a token without seeing
the client secret.

They might choose to support the user-agent flow, but return less
privileged tokens.  I doubt we could standardize anything like that.

I would not want to standardize it either. My suggestion would be to add a respective note to the security considerations. Based on that, every deployment shall decide how to handle it.

regards,
Torsten.
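As an added illustration, not code from this thread or from any OAuth implementation, the following Python sketch of an authorization server applies the deployment policy Brian describes: a token returned directly by the user-agent flow (response_type=token) is issued without client authentication, so it gets a reduced scope, a short lifetime and no refresh token, while the code exchange verifies the client secret and yields a full-privilege token. Client ids, secrets, scopes, lifetimes and redirect URIs are constructed placeholders; the exact-match redirect_uri check against the registered client is an assumption about how the deployment registers clients, added because it is the check that keeps a token from being delivered to an unregistered redirect target.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Constructed client registry (placeholder ids, secrets and redirect URIs).
CLIENTS = {
    "web-app": {                      # confidential client, has a secret
        "secret": "placeholder-web-secret",
        "redirect_uris": {"https://web.example/cb"},
    },
    "browser-app": {                  # public client, cannot keep a secret
        "secret": None,
        "redirect_uris": {"https://spa.example/cb"},
    },
}

# Deployment policy (assumed values): what each flow is allowed to yield.
CODE_FLOW_POLICY = {"max_scopes": {"read", "write", "admin"}, "ttl": 3600, "refresh": True}
USER_AGENT_FLOW_POLICY = {"max_scopes": {"read"}, "ttl": 600, "refresh": False}


@dataclass
class Token:
    access_token: str
    scope: frozenset
    expires_at: float
    refresh_token: Optional[str]
    client_authenticated: bool     # True only when a client secret was verified


class AuthorizationServer:
    def __init__(self, clock=time.time):
        self.clock = clock
        self._codes = {}           # code -> (client_id, redirect_uri, requested scopes)

    def _check_redirect(self, client_id, redirect_uri):
        """Only a registered client with an exactly matching redirect_uri proceeds."""
        client = CLIENTS.get(client_id)
        if client is None or redirect_uri not in client["redirect_uris"]:
            raise PermissionError("unregistered client or redirect_uri")
        return client

    def authorize(self, response_type, client_id, redirect_uri, requested_scope):
        """Authorization endpoint: either hands out a code or, for the user-agent
        flow, a deliberately less privileged token."""
        self._check_redirect(client_id, redirect_uri)
        requested = set(requested_scope.split())
        if response_type == "code":
            code = secrets.token_urlsafe(16)
            self._codes[code] = (client_id, redirect_uri, requested)
            return {"code": code}
        if response_type == "token":
            policy = USER_AGENT_FLOW_POLICY
            return self._issue(requested & policy["max_scopes"], policy, authenticated=False)
        raise ValueError("unsupported response_type")

    def exchange_code(self, code, client_id, client_secret, redirect_uri):
        """Token endpoint: the code is single-use, bound to the client and
        redirect_uri it was issued for, and the client secret must verify."""
        entry = self._codes.pop(code, None)
        if entry is None:
            raise PermissionError("unknown or already-used code")
        stored_client, stored_redirect, requested = entry
        if stored_client != client_id or stored_redirect != redirect_uri:
            raise PermissionError("code bound to another client or redirect_uri")
        secret = CLIENTS[stored_client]["secret"]
        if secret is None or not secrets.compare_digest(secret, client_secret or ""):
            raise PermissionError("client authentication failed")
        policy = CODE_FLOW_POLICY
        return self._issue(requested & policy["max_scopes"], policy, authenticated=True)

    def _issue(self, granted, policy, authenticated):
        return Token(
            access_token=secrets.token_urlsafe(24),
            scope=frozenset(granted),
            expires_at=self.clock() + policy["ttl"],
            refresh_token=secrets.token_urlsafe(24) if policy["refresh"] else None,
            client_authenticated=authenticated,
        )


def rejected(fn, *args):
    """Return True when the server refuses the call with PermissionError."""
    try:
        fn(*args)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    srv = AuthorizationServer()
    weak = srv.authorize("token", "browser-app", "https://spa.example/cb", "read write")
    print("user-agent flow token:", sorted(weak.scope), "refresh:", weak.refresh_token)
    code = srv.authorize("code", "web-app", "https://web.example/cb", "read write")["code"]
    strong = srv.exchange_code(code, "web-app", "placeholder-web-secret", "https://web.example/cb")
    print("code flow token:", sorted(strong.scope), "authenticated:", strong.client_authenticated)
```

The point of the sketch is the asymmetry: both flows pass the same redirect_uri check, but only exchange_code ever sees a secret, so only it is allowed to mint a token carrying write scope or a refresh token. Whether a deployment draws the line this way, or refuses the user-agent flow entirely, is exactly the per-deployment decision the thread leaves open.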
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth