I don't know in what all ways it is not secure, but what you mention is not true: user agents aren't supposed to send the fragment to the web server, so you won't see it in the access logs.
On Jul 29, 5:11 pm, Oleg <[email protected]> wrote:
> I think OAuth 2.0 (http://tools.ietf.org/html/draft-ietf-oauth-v2-10)
> User Agent profile is not very secure. Please let me know where/if I'm
> wrong.
>
> Let us take a look at step C in Figure 5:
>
> Redirect URI with access token in fragment.
>
> It's written everywhere that one should not really put secrets in a
> URL. Access token and that URL are all I need to get access to the
> protected resource, right?
>
> Let us assume that somebody copy/pasted that URL from a web server's
> access log file or from a proxy log file and then replayed it 1000
> times.
>
> If an action behind the protected resource was to buy a book at
> Amazon, does it mean that a victim will be charged for 1000 books?
>
> Also, is there any protection against CSRF in this case?
>
> Thanks,
> Oleg.
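To make the point of the reply concrete, here is an added example (not code from either poster and not from the OAuth draft) that splits a redirect URL the way a conforming user agent does: the request target sent to the server is path plus query, while the fragment stays in the browser and is only readable by the client's own script. The redirect URL, the token value, the client IP and the log format are constructed sample data. The last function shows the caveat: a client that copies the token into a query string (or any other request) loses the protection, because query strings do land in access and proxy logs.

```javascript
// Added example, not from the original post or the OAuth draft.
// Demonstrates why the fragment part of the redirect URI does not reach
// the web server's access log, and what happens when a client is careless.

// The request target a user agent puts on the request line: path + query.
// The fragment is deliberately never sent (WHATWG URL / RFC 3986 behaviour).
function requestTarget(redirectUrl) {
  const u = new URL(redirectUrl);
  return u.pathname + u.search;
}

// What an access log (constructed, combined-log-style line) would record
// for the request the user agent makes to the redirect URI.
function accessLogLine(redirectUrl, clientIp = '203.0.113.7', status = 200, bytes = 512) {
  return `${clientIp} - - [29/Jul/2010:17:11:00 +0000] ` +
    `"GET ${requestTarget(redirectUrl)} HTTP/1.1" ${status} ${bytes}`;
}

// What the client's script reads in the browser (window.location.hash):
// the fragment, parsed as application/x-www-form-urlencoded parameters.
function parseFragment(redirectUrl) {
  const hash = new URL(redirectUrl).hash;            // "#access_token=..."
  const params = new URLSearchParams(hash.startsWith('#') ? hash.slice(1) : hash);
  return Object.fromEntries(params.entries());
}

// The caveat: a client that moves the token from the fragment into a query
// string (e.g. by redirecting itself to "/cb?access_token=...") puts it on
// the request line, where every web server and proxy log will keep it.
function carelessClientRedirect(redirectUrl) {
  const u = new URL(redirectUrl);
  const frag = parseFragment(redirectUrl);
  const leaky = new URL(u.origin + u.pathname);
  for (const [k, v] of Object.entries(frag)) leaky.searchParams.set(k, v);
  return leaky.toString();
}

// Constructed sample redirect URI (step C of the user-agent flow). The
// token value is made up; "state" is the client's anti-CSRF nonce.
const SAMPLE_REDIRECT =
  'https://client.example.com/cb?page=1' +
  '#access_token=SAMPLE_TOKEN_NOT_REAL&token_type=bearer&expires_in=3600&state=n0nc3';

// Stand-alone run: print what the server sees versus what the script sees.
console.log('request line target :', requestTarget(SAMPLE_REDIRECT));
console.log('access log line     :', accessLogLine(SAMPLE_REDIRECT));
console.log('client-side fragment:', parseFragment(SAMPLE_REDIRECT));
console.log('careless redirect   :', accessLogLine(carelessClientRedirect(SAMPLE_REDIRECT)));

module.exports = { requestTarget, accessLogLine, parseFragment, carelessClientRedirect, SAMPLE_REDIRECT };
```

Run it with `node` and compare the two log lines: the first contains only `/cb?page=1`, the second contains the token. The same rule applies to the `Referer` header, which browsers also send without the fragment; the fragment only leaks if the client's own code or a browser extension forwards it somewhere.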
