Re: [OAUTH-WG] Authorization code security considerations
I'm not sure normative language even fits here. We need something like "Authorization codes should be treated as sensitive and the client needs to try to make sure it doesn't leak the authorization code." But more formal and less garden pathy than I'm able to pen at the moment.

-- Justin

On 7/8/2011 2:39 PM, Eran Hammer-Lahav wrote:
> "Authorization codes MUST be kept confidential"
>
> How exactly? They are not confidential by nature, being received via redirection in the URI query. I know what this sentence is trying to accomplish but not sure how to do that with normative language. SHOULD doesn't really work here either.
>
> Suggestions?
>
> EHL

___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
Re: [OAUTH-WG] Authorization code security considerations
Can you provide this in a form suitable for pasting into the current text?

Browser same origin policy is enforced by the user-agent, and is beyond the scope of this protocol.

EHL

> -Original Message-
> From: Brian Eaton [mailto:bea...@google.com]
> Sent: Friday, July 08, 2011 11:52 AM
> To: Eran Hammer-Lahav
> Cc: OAuth WG
> Subject: Re: [OAUTH-WG] Authorization code security considerations
>
> On Fri, Jul 8, 2011 at 11:39 AM, Eran Hammer-Lahav wrote:
> > How exactly? They are not confidential by nature, being received via redirection in the URI query. I know what this sentence is trying to accomplish but not sure how to do that with normative language. SHOULD doesn't really work here either.
>
> The browser same origin policy does apply to URI queries. They MUST be kept confidential, i.e. only sent to authorized entities. That covers:
>
> - the client web site
> - the browser
Re: [OAUTH-WG] Authorization code security considerations
On Fri, Jul 8, 2011 at 11:39 AM, Eran Hammer-Lahav wrote:
> How exactly? They are not confidential by nature, being received via redirection in the URI query. I know what this sentence is trying to accomplish but not sure how to do that with normative language. SHOULD doesn't really work here either.

The browser same origin policy does apply to URI queries. They MUST be kept confidential, i.e. only sent to authorized entities. That covers:

- the client web site
- the browser
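As an added illustration of the two points made in this thread, that the client "needs to try to make sure it doesn't leak the authorization code" and that the code is "only sent to authorized entities", here is example code for a client web site's redirect endpoint; it is not from the thread or from any OAuth implementation, and the `exchange` callable and the sample redirect URL are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Constructed sample redirect: what the authorization server sends the
# browser to after the user approves. The code value is made up.
SAMPLE_REDIRECT = "https://client.example.com/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=xyz"


def handle_callback(redirect_url, expected_state, exchange):
    """Process the redirect-endpoint request arriving at the client web site.

    `exchange` stands in for the client's back-channel call to the token
    endpoint (hypothetical; a real client POSTs the code over TLS together
    with its client credentials). Returns (status, location, token) for the
    HTTP response the client sends back to the browser.
    """
    parts = urlsplit(redirect_url)
    # A code delivered over plain HTTP is exposed on the wire, so refuse it.
    if parts.scheme != "https":
        raise ValueError("redirect endpoint must be served over TLS")
    query = parse_qs(parts.query)
    # Bind the response to the session that started the flow (CSRF check).
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("no authorization code in redirect")
    # The only party the code is ever forwarded to is the token endpoint.
    token = exchange(code)
    # Send the browser to the same path without the query string, so the code
    # does not linger in the address bar, history, bookmarks or Referer header.
    clean_location = urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))
    return 303, clean_location, token


# Request logs on the client web site are another place the code can leak;
# redact the value before a line is written out.
_CODE_PARAM = re.compile(r"([?&]code=)[^&\s]+")


def redact_code(log_line):
    """Replace the value of a `code` query parameter in a request-log line."""
    return _CODE_PARAM.sub(r"\1[REDACTED]", log_line)


if __name__ == "__main__":
    status, location, token = handle_callback(SAMPLE_REDIRECT, "xyz", lambda c: "token-for-" + c)
    print(status, location, token)
    print(redact_code("GET /cb?code=SplxlOBeZQQYbYS6WxSbIA&state=xyz HTTP/1.1"))
```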