If an attacked can modify the communications over TLS between the client and the authorization server, then I think there are many other options open to the attacker.
-- Dick On Jun 29, 2012, at 11:53 AM, Phil Hunt wrote: > I'm not seeing how client id helps if a proxy server is somehow involved with > inserting the bearer token as the researchers suggested. > > Phil > > On 2012-06-29, at 11:30, John Bradley <ve7...@ve7jtb.com> wrote: > >> I think they only exploited the implicit flow. >> >> My point was that there is a way you could do the same thing with code if it >> is a public client that is not authenticating to the token endpoint. >> >> In general making identity assumptions in the client based on a code or >> access_token has risks that are out of scope for OAuth. >> >> We do however want to provide good advice about specific things that can >> leave systems insecure when using OAuth. >> >> John B. >> >> On 2012-06-29, at 2:22 PM, Phil Hunt wrote: >> >>> I'm not clear whether the MS Security Researcher hack was with the >>> authorization code or the access token. If the latter, the client_id is out >>> of the picture isn't it? >>> >>> Phil >>> >>> @independentid >>> www.independentid.com >>> phil.h...@oracle.com >>> >>> >>> >>> >>> >>> On 2012-06-29, at 11:14 AM, Dick Hardt wrote: >>> >>>> >>>> On Jun 29, 2012, at 11:06 AM, John Bradley wrote: >>>> >>>>> It is nice to know that I may occasionally be correct:) >>>> >>>> You must be delighted when it happens! ;) >>>> >>>>> While you may assume that it is reasonable for a client with a code to >>>>> make a request to the token endpoint including it's client_id and the >>>>> server to only give out the access token if the client_id in the token >>>>> request matches the one in the original authorization request. However >>>>> the spec specifically doesn't require that. >>>> >>>> I think that is an error in the spec and should be changed, or text adding >>>> saying that the client_id SHOULD be checked. >>>> >>>> -- Dick >>>> _______________________________________________ >>>> OAuth mailing list >>>> OAuth@ietf.org >>>> https://www.ietf.org/mailman/listinfo/oauth >>> >> _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth