Have not read your article yet as I am in a metro right now, so I may be off but you should not use a query parameter to pass access token. Pass it on authorize header as in RFC6750.
Access token in RFC6750 is bearer, so anyone who got it can use it. You need to use HoK if you want to restrict who can use it. It is still in a draft stage. Nat from iPhone 2015年6月10日水曜日、Callum Hopkins<[email protected]>さんは書きました: > I have my app setup as described in this > <https://aaronparecki.com/articles/2012/07/29/1/oauth2-simplified#web-server-apps> > article you shared under "Web Server Apps > <https://aaronparecki.com/articles/2012/07/29/1/oauth2-simplified#web-server-apps>" > section. The problem is that any request to the API with a url like: > https://domain.com/api/1.0/getData?access_token=123456789abc > can be copied and executed on another other website and/or through > terminal. Is there anyway I can pass the access token from angular through > the http/ajax request without a users being able to copy and paste the > url/access token from their browser's inspector? > > Someone did tell me that access tokens are bound to the domain that made > the request and therefore if someone copied the url with access token and > executed it,it wouldn't work. But I can take an api GET request that has an > access token and use that GET url request in an iframe to get the same > data. Can someone shed some light on what's going on here? > > -- > You received this message because you are subscribed to the Google Groups > "OAuth" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected] > <javascript:_e(%7B%7D,'cvml','oauth%[email protected]');>. > For more options, visit https://groups.google.com/d/optout. > -- Nat Sakimura (=nat) Chairman, OpenID Foundation http://nat.sakimura.org/ @_nat_en -- You received this message because you are subscribed to the Google Groups "OAuth" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
