Hi all,
the new revision covers token substitution, which has been added to the
core spec lately. Additionally, it describes a similar attack on the
code flow, which is prevented by forcing the authorization server to
validate that an authorization code had been issued to the calling client.
We also made the references to core and bearer spec normative.
regards,
Torsten.
On 16.08.2012 19:14, internet-dra...@ietf.org wrote:
A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol Working Group of
the IETF.
Title : OAuth 2.0 Threat Model and Security Considerations
Author(s) : Torsten Lodderstedt, Mark McGloin, Phil Hunt
Filename : draft-ietf-oauth-v2-threatmodel-07.txt
Pages : 70
Date : 2012-08-16
Abstract:
This document gives additional security considerations for OAuth,
beyond those in the OAuth specification, based on a comprehensive
threat model for the OAuth 2.0 Protocol.
The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-v2-threatmodel
There's also a htmlized version available at:
http://tools.ietf.org/html/draft-ietf-oauth-v2-threatmodel-07
A diff from the previous version is available at:
http://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-v2-threatmodel-07
Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
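The code-flow mitigation mentioned above (the authorization server checking that an authorization code was in fact issued to the client presenting it) as an added illustration; this is not code from the draft or from any OAuth implementation. The class names, the in-memory code store and the `now` parameter are assumptions made so the example runs stand-alone, and `client_id` is assumed to be the identity the token endpoint has already authenticated.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class IssuedCode:
    """Record the authorization server keeps for every code it issues."""
    client_id: str                      # client the code was issued to
    redirect_uri: str                   # redirect_uri of the authorization request
    user_id: str
    expires_at: float
    used: bool = False
    access_token: Optional[str] = None  # token minted when the code was redeemed


class AuthorizationServer:
    """Hypothetical minimal AS: authorization endpoint + token endpoint."""

    def __init__(self, code_ttl_seconds=60.0):
        self.codes = {}              # code -> IssuedCode (in-memory, assumption)
        self.active_tokens = set()   # access tokens still valid
        self.code_ttl = code_ttl_seconds

    def issue_code(self, client_id, redirect_uri, user_id, now=None):
        """Authorization endpoint: mint a code bound to the requesting client."""
        now = time.time() if now is None else now
        code = secrets.token_urlsafe(32)
        self.codes[code] = IssuedCode(client_id, redirect_uri, user_id,
                                      now + self.code_ttl)
        return code

    def exchange_code(self, code, client_id, redirect_uri, now=None):
        """Token endpoint: (access_token, None) on success, (None, error) otherwise."""
        now = time.time() if now is None else now
        issued = self.codes.get(code)
        if issued is None or now > issued.expires_at:
            return None, "invalid_grant"
        if issued.used:
            # Replayed code: revoke the token previously minted from it.
            self.active_tokens.discard(issued.access_token)
            return None, "invalid_grant"
        if issued.client_id != client_id:
            # Code substitution: the code was issued to a different client.
            return None, "invalid_grant"
        if issued.redirect_uri != redirect_uri:
            return None, "invalid_grant"
        issued.used = True
        issued.access_token = secrets.token_urlsafe(32)
        self.active_tokens.add(issued.access_token)
        return issued.access_token, None
```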