My understanding of Eran's article (http://hueniverse.com/2010/09/oauth-2-0-without-signatures-is-bad-for-the-web/) is that Eran believes that bearer tokens are not good enough as a security mechanism because they allow for replay attacks in discovery-style scenarios. He then, if I understood the article correctly, argues that the solution to the replay attack is to sign OAuth 2.0 requests.

In http://www.goland.org/bearer-tokens-discovery-and-oauth-2-0/ I tried to demonstrate that in fact one can easily prevent replay attacks in discovery scenarios using OAuth 2.0 and bearer tokens. If the article is correct, then it is not a requirement to introduce message signing into OAuth 2.0 in order to prevent the attacks that Eran identified.

So this leaves me wondering: what's the critical scenario that can't be met unless we sign OAuth 2.0 requests?

                Thanks,

                                                Yaron
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth