Section 3.2.1 talks about the need for and benefits of confidential
clients. For Auth Code Grants, can't public clients be as safe as
confidential clients if:
* HTTPS is being used for all communication
* Valid redirect_uri patterns are registered at the Auth Server for the
public clients
* Auth server validates the client's redirect_uri when processing an
Authorization Request. The browser would ensure you are redirecting to
a valid domain.
* "state" parameter is validated by the client from the Authorization
Response.
* Client sends its "client_id" and "redirect_uri" when making an Access
Token Request
* Auth server revalidates "client_id", "redirect_uri" to data used to
create the Auth Code.
Nobody could fake being the public client because an auth code could
only be sent to the registered redirect URLs of the public client.
As for the statement that it might be easier to change client
credentials than to revoke refresh tokens, couldn't this also be
mitigated if the Auth Server supported setting a revocation policy for
the client?
Thanks in advance.
Bill
p.s. FYI, maybe I did something wrong, but I couldn't seem to get
anything posted on the Google Group for OAuth. Hope it's ok to post
these kinds of questions here.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
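As an added illustration (not part of the message above, nor any project's code), the checks the bullets describe, written as a minimal in-memory authorization server plus the client-side state check. The client id and redirect URIs are constructed sample values; the example also goes slightly beyond the bullets by making codes single-use and discarding a code on any mismatch, which is what binding the code to client_id and redirect_uri buys you in practice.

```python
import secrets

# Constructed client registry (sample values, not from the original post):
# client_id -> set of registered redirect URIs. Exact-match, https only.
_clients = {}
# Issued authorization codes: code -> {"client_id", "redirect_uri", "used"}
_codes = {}

def register_public_client(client_id, redirect_uris):
    """Register a public client; every redirect URI must be https."""
    for uri in redirect_uris:
        if not uri.startswith("https://"):
            raise ValueError(f"redirect_uri must use https: {uri}")
    _clients[client_id] = set(redirect_uris)

def authorize(client_id, redirect_uri):
    """Authorization endpoint: issue a code (and redirect) only if redirect_uri
    exactly matches a registered one; bind the code to client_id + redirect_uri."""
    if redirect_uri not in _clients.get(client_id, ()):
        return None  # no redirect at all for an unregistered URI
    code = secrets.token_urlsafe(32)
    _codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri, "used": False}
    return code

def new_state():
    """Client side: unguessable state kept in the user's session."""
    return secrets.token_urlsafe(16)

def validate_callback(session_state, returned_state):
    """Client side: state in the Authorization Response must equal the stored one."""
    return secrets.compare_digest(session_state, returned_state)

def token(client_id, redirect_uri, code):
    """Token endpoint: revalidate client_id and redirect_uri against the values
    bound when the code was issued. Codes are single-use; any mismatch burns
    the code so it cannot be retried with different parameters."""
    entry = _codes.get(code)
    if entry is None:
        return None
    if (entry["used"] or entry["client_id"] != client_id
            or entry["redirect_uri"] != redirect_uri):
        _codes.pop(code, None)
        return None
    entry["used"] = True
    return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}
```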