I think OAuth 2.0 (http://tools.ietf.org/html/draft-ietf-oauth-v2-10) User Agent profile is not very secure. Please let me know where/if I'm wrong.
Let us take a look at step C in Figure 5: Redirect URI with access token in fragment. It's written everywhere that one should not really put secrets in a URL. The access token and that URL are all I need to get access to the protected resource, right? Let us assume that somebody copy/pasted that URL from a web server's access log file or from a proxy log file and then replayed it 1000 times. If the action behind the protected resource was to buy a book at Amazon, does it mean that the victim will be charged for 1000 books? Also, is there any protection against CSRF in this case?

Thanks,
Oleg.
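Two of the questions above, what of the fragment-bearing redirect reaches server or proxy logs and how a client guards the callback against CSRF, can be shown in code. The example below is added here and is not from the draft or any OAuth library; the redirect URI, token and `state` values are constructed, and `ClientCallback` is a hypothetical client-side handler that treats `state` as a single-use value it minted itself.

```python
import secrets
from urllib.parse import urlsplit, parse_qs

# Constructed sample redirect URI for step C of the user-agent flow (Figure 5):
# the response parameters ride in the URI fragment, after '#'.
SAMPLE_REDIRECT = (
    "https://client.example.test/cb"
    "#access_token=SlAV32hkKG&expires_in=3600&state=af0ifjsldkj"
)


def request_target(uri):
    """What the user agent puts in the HTTP request line for 'uri'.

    Per RFC 3986 the fragment stays in the user agent and is never sent,
    so only the path and query can appear in web-server or proxy access logs."""
    parts = urlsplit(uri)
    return parts.path + ("?" + parts.query if parts.query else "")


class ClientCallback:
    """Hypothetical client-side handling of the fragment-bearing redirect."""

    def __init__(self):
        # Single-use 'state' values this client minted for its own
        # authorization requests, kept server-side (e.g. bound to a session).
        self._pending_states = set()

    def new_state(self):
        state = secrets.token_urlsafe(16)
        self._pending_states.add(state)
        return state

    def handle_redirect(self, uri):
        # Browser-side script would read window.location.hash; here the
        # fragment is parsed straight from the URI string.
        params = {k: v[0] for k, v in parse_qs(urlsplit(uri).fragment).items()}
        state = params.get("state")
        # CSRF check: the redirect must carry a state this client issued,
        # and each state is accepted exactly once, so a replayed redirect fails.
        if state is None or state not in self._pending_states:
            raise ValueError("state mismatch: redirect not initiated by this client")
        self._pending_states.discard(state)
        if "access_token" not in params:
            raise ValueError("no access_token in fragment")
        # Honour expires_in so a leaked token has a bounded useful lifetime.
        return {"access_token": params["access_token"],
                "expires_in": int(params.get("expires_in", 0))}
```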
