Yes, a token is a less priveledged thing that uid/password. Some of the big problems are browser cache (being able to get back to a signed in state after a sign out), server side logging of credentials because they log the URL, and proxies caching credentials in URLs. POST variables are significantly better but still not great, and suffer from being cached in the browser history.
I'm not saying we should break existing implementations, but I agree we should not sanction them by putting them as part of the spec. SASL TEXT/PLAIN authentication exists, people still use it without SSL; a very bad idea, but conforms to most of the spec (PLAIN now says you must use SSL). ________________________________ From: "Richer, Justin P." <jric...@mitre.org> To: Phil Hunt <phil.h...@oracle.com> Cc: OAuth WG <oauth@ietf.org> Sent: Thursday, March 10, 2011 11:18 AM Subject: Re: [OAUTH-WG] OAuth Bearer Token draft Nobody said UID and password -- we're talking about tokens here. The cost of a leaked temporary token (even a straight bearer token) is much, much lower. -- Justin ________________________________________ From: Phil Hunt [phil.h...@oracle.com] Sent: Thursday, March 10, 2011 2:01 PM To: Richer, Justin P. Cc: Eran Hammer-Lahav; OAuth WG Subject: Re: [OAUTH-WG] OAuth Bearer Token draft Well, for one if you promote this, it becomes general technique. Now you have uid/passwords in browser history etc potentially accessible to javascript and could be leaked/hacked in any number of ways. Also, I would say that credentials are a higher risk item then say a specific API call. Why? because credentials are used universally and so the exposure is much higher. That said, it is still possible that application data can just as costly to expose. Another reason to use secure forms over URLs. Phil phil.h...@oracle.com On 2011-03-10, at 10:37 AM, Richer, Justin P. wrote: > 1) Yes. And don't discount ease-of-use for developers. If I'm already sending > my parameters over the query, this becomes another parameter and is really > easy to manage. > 2) Yes, for parallelism to #1, when using a POST. > 3) The idea of a parameter registry for this part is absurd, and the > parameter should be kept simple. I do think that it needs to be named > something other than "oauth_token". > > I'm happy with discouraging the use of 1 and 2 with discussion in the > security considerations, but I think that if we don't specify this behavior > and discuss it, then people are going to do it anyway and we run more risk of > things going wrong. Simply ignoring the issue in the spec (by remaining > silent about it) will not make it go away. > > Since all formats are optional, couldn't an AS/PR setup that wants to just > lock things down and require auth headers for their particular setup? If in > two years nobody deploys it anymore, then let's deprecate it from the spec > and never speak of this again. > > -- Justin > > ________________________________________ > From: Eran Hammer-Lahav [e...@hueniverse.com] > Sent: Thursday, March 10, 2011 1:29 PM > To: Phil Hunt; Richer, Justin P. > Cc: OAuth WG > Subject: RE: [OAUTH-WG] OAuth Bearer Token draft > > There are a few issues to consider. > > 1. Should the spec support sending bearer token in a query parameter? > > - The argument that there are many use cases for this is unproven. JSON-P is > one valid example (though JSON-P usage is in decline with new methods for > cross-domain calls), but so far the only one given. > - I think at this point we have to include this functionality and the only > potential open issue is if we want to rename it to something other than > oauth_token. > - Including this functionality doesn't mean we should encourage it, and the > way to deal with that is to mark this as 'deprecated'. > > 2. Should the spec support sending authentication parameters in the body? > > - I don't have any use cases where this is required. If the client can > perform a POST with a body, it should be able to set the header. Where is > this an issue? > > 3. Should the oauth_token parameter be defined as part of an extensible > framework for adding parameters to protected resources endpoint? > > - This was the original issue raised and so far no one has provided any use > cases for this. We just need to make sure we pick the right parameter name > for oauth_token and clearly state that it is not the right way to send > tokens. There should not be any more such parameters in the protected > resource namespace. > > EHL > > >> -----Original Message----- >> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf >> Of Phil Hunt >> Sent: Thursday, March 10, 2011 10:15 AM >> To: Richer, Justin P. >> Cc: OAuth WG >> Subject: Re: [OAUTH-WG] OAuth Bearer Token draft >> >> -1. It is a BAD security practice to pass credentials in URLs. Avoid it. >> >> Phil >> phil.h...@oracle.com >> >> >> >> >> On 2011-03-10, at 10:07 AM, Richer, Justin P. wrote: >> >>> Ah, here we run into the classic argument of usability vs. security, in >>> which >> usability will win every single time in practice. If we don't define at >> least a >> reasonable way to do this within the scope of OAuth, that's not going to stop >> people from doing it. It's just going to make people do it in a million >> different >> ways, each with their own unique problems that nobody's thought of. At >> least this way, we can enable it and have a real discussion about the >> security >> considerations. There are valid and valuable places where putting credentials >> in the URL is a reasonable security tradeoff. Not everything functions over >> the public internet as well, and the security considerations are different in >> these other environments. >>> >>> In short: yes, it's necessary and good to do this. >>> >>> -- Justin >>> ________________________________________ >>> From: William J. Mills [wmi...@yahoo-inc.com] >>> Sent: Thursday, March 10, 2011 12:59 PM >>> To: Richer, Justin P.; Lukas Rosenstock >>> Cc: Brian Eaton; OAuth WG >>> Subject: Re: [OAUTH-WG] OAuth Bearer Token draft >>> >>> Yeah, but there are serious security problems with credentials in the URL, >>> is >> it really worth it in light of those problems? >>> >>> ________________________________ >>> From: "Richer, Justin P." <jric...@mitre.org> >>> To: Lukas Rosenstock <l...@lukasrosenstock.net>; William J. Mills >> <wmi...@yahoo-inc.com> >>> Cc: Brian Eaton <bea...@google.com>; OAuth WG <oauth@ietf.org> >>> Sent: Thursday, March 10, 2011 9:49 AM >>> Subject: RE: [OAUTH-WG] OAuth Bearer Token draft >>> >>> Yes, there are many development setups where all you can reasonably >> access is the URL to get. It's also much simpler to make use of the well- >> supported syntax helpers for query parameters instead of relying on new, >> custom formatting for newly-defined headers. The bearer token makes this >> simple by just having the value of the token, but other schemes have their >> own name/value pair formats and encodings that will inevitably cause >> hiccups. >>> >>> -- Justin >>> ________________________________________ >>> From: Lukas Rosenstock >> [l...@lukasrosenstock.net<mailto:l...@lukasrosenstock.net>] >>> Sent: Thursday, March 10, 2011 11:49 AM >>> To: William J. Mills >>> Cc: Brian Eaton; Richer, Justin P.; OAuth WG >>> Subject: Re: [OAUTH-WG] OAuth Bearer Token draft >>> >>> JSON-P (callback) works with <script> tags where no parameters can be >> set; this is used a lot in web applications that want to consume 3rd party >> APIs >> directly on the client side. So, yes, an alternative for the Authorization >> header is required - a.f.a.i.k this use case was one of the driving forces >> behind WRAP and bearer tokens. >>> >>> 2011/3/9 William J. Mills <wmi...@yahoo-inc.com<mailto:wmills@yahoo- >> inc.com><mailto:wmi...@yahoo-inc.com<mailto:wmi...@yahoo-inc.com>>> >>> Is there really a need going forward for anything beyond using the >> Authorization header? Do we have clients out there that just can't set that >> header? Putting bearer tokens in query arguments is a very bad idea for >> many reasons, and in form variables has it's own set of badness (although >> not to the same level). >>> >>> -bill >>> >>> >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
