Phil phil.h...@oracle.com
On 2011-03-24, at 6:35 PM, Eran Hammer-Lahav wrote:

>> -----Original Message-----
>> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf
>> Of Chuck Mortimore
>> Sent: Monday, March 14, 2011 6:10 PM
>
>> 1) I'd vote for dropping the following from 1.4.2. In turn I'd discuss
>> some of the security considerations, such as difficulty of protecting a
>> client_secret in almost all use-cases of this profile.
>>
>> "Implicit grants improve the responsiveness and efficiency of some
>> clients (such as a client implemented as an in-browser application)
>> since it reduces the number of round trips required to obtain an
>> access token."
>
> Why drop it? What about it isn't accurate?
>
>> 2) Section 2.1, we should MUST TLS even for Authorization Code.
>
> Why? What's the attack vector?

This was a big issue in the SAML Artifact profiles, for which the OAuth authorization code is pretty much the same. You don't want to have the code hijacked/sniffed, etc., even if it is a one-time code or limited-time code. I believe we talked about this in security considerations extensively.

>> 3) Section 4.1.3 - not clear to me why redirect_uri is REQUIRED since in
>> 4.1.1 it's "REQUIRED unless"
>
> The client should always confirm where the code was sent to. It can omit the
> redirection if one was provided but should tell the server where it went to.
> This is more consistent on the verification side, but if the original flow
> designers want to chime in (Dick, Brian, etc.?), I'm open to change this.
>
>> 4) Section 4.2.2 - when did we drop refresh_token? I assume this goes
>> back to disagreement on how best to handle native clients. I'd prefer it to
>> simply reference 5.1 and leave what is issued up to the security profile of
>> the particular deployment as to what is issued.
>
> -08 June 2010.
>
> This has been decided for a long time. I'm not eager to change it.
>
> EHL

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
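The thread touches three server-side checks on the authorization code grant: the code must not be exposed in the clear (item 2, Phil's TLS point), a redirect_uri given at the authorization endpoint must be repeated and matched at the token endpoint (item 3), and a code is single-use and short-lived. The following is an added illustration written for this page; it is not code from the thread, from the OAuth draft, or from any of the participants. It assumes a constructed in-memory authorization server with registered redirect URIs per client, a constructed 60-second code lifetime, and a constructed policy of revoking the access token when its code is presented a second time (the behaviour RFC 6749 later recommends for code reuse). Class and function names (`AuthorizationServer`, `authorize`, `token`, `is_token_active`) are hypothetical.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Set
from urllib.parse import urlsplit

# Constructed policy value: a short lifetime narrows the replay window but, as the
# thread notes, does not by itself protect a code that was sent over plaintext.
CODE_LIFETIME_SECONDS = 60


@dataclass
class IssuedCode:
    client_id: str
    redirect_uri: Optional[str]          # redirect_uri from the authorization request, if any
    issued_at: float
    used: bool = False
    access_token: Optional[str] = None   # token minted from this code, kept for revocation


class AuthorizationServer:
    """Hypothetical in-memory server: registered redirect URIs, issued codes, live tokens."""

    def __init__(self, registered_redirects: Dict[str, Set[str]]):
        self.registered = registered_redirects
        self.codes: Dict[str, IssuedCode] = {}
        self.active_tokens: Set[str] = set()

    def authorize(self, client_id: str, redirect_uri: Optional[str] = None,
                  now: Optional[float] = None) -> Dict[str, str]:
        """Authorization endpoint: validate the redirect target, then issue a code."""
        now = time.time() if now is None else now
        allowed = self.registered.get(client_id)
        if not allowed:
            return {"error": "unauthorized_client"}
        if redirect_uri is None:
            # "REQUIRED unless": omission is only acceptable with exactly one registered URI.
            if len(allowed) != 1:
                return {"error": "invalid_request", "error_description": "redirect_uri required"}
            target = next(iter(allowed))
        elif redirect_uri in allowed:
            target = redirect_uri
        else:
            return {"error": "invalid_request", "error_description": "redirect_uri not registered"}
        # The code travels inside the redirect; require TLS so it cannot be sniffed in transit.
        if urlsplit(target).scheme != "https":
            return {"error": "invalid_request", "error_description": "redirect target must use https"}
        code = secrets.token_urlsafe(32)
        self.codes[code] = IssuedCode(client_id, redirect_uri, now)
        return {"code": code}

    def token(self, client_id: str, code: str, redirect_uri: Optional[str] = None,
              now: Optional[float] = None) -> Dict[str, str]:
        """Token endpoint: bind the code to client, lifetime, single use and redirect_uri."""
        now = time.time() if now is None else now
        rec = self.codes.get(code)
        if rec is None or rec.client_id != client_id:
            return {"error": "invalid_grant"}
        if rec.used:
            # Second presentation of the same code: deny it and revoke what the first
            # presentation bought, since either the client or an eavesdropper is replaying.
            if rec.access_token is not None:
                self.active_tokens.discard(rec.access_token)
            return {"error": "invalid_grant", "error_description": "code reuse; token revoked"}
        if now - rec.issued_at > CODE_LIFETIME_SECONDS:
            return {"error": "invalid_grant", "error_description": "code expired"}
        # If the authorization request carried a redirect_uri, the token request must
        # repeat it exactly; this is the consistency check discussed under item 3.
        if rec.redirect_uri is not None and redirect_uri != rec.redirect_uri:
            return {"error": "invalid_grant", "error_description": "redirect_uri mismatch"}
        rec.used = True
        rec.access_token = secrets.token_urlsafe(32)
        self.active_tokens.add(rec.access_token)
        return {"access_token": rec.access_token, "token_type": "bearer"}

    def is_token_active(self, token: str) -> bool:
        """Resource-server side lookup: has this token been revoked by code reuse?"""
        return token in self.active_tokens


if __name__ == "__main__":
    srv = AuthorizationServer({"app": {"https://app.example/cb"}})
    code = srv.authorize("app", "https://app.example/cb")["code"]
    first = srv.token("app", code, "https://app.example/cb")
    second = srv.token("app", code, "https://app.example/cb")
    print(first, second, srv.is_token_active(first["access_token"]))
```

The `now` parameter exists only so the lifetime check can be exercised deterministically; a real deployment would read the clock. Note what the revoke-on-reuse rule does and does not do: it limits the damage once a replay is detected, but a code carried over plaintext can be redeemed by whoever sees it first, which is why the thread argues for mandating TLS on the redirect rather than relying on the code being single-use.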