Also, when a browser follows the Location header it strips the fragment from the URL. Fragments are visible to the client but not sent to the server.
On Dec 2, 2010, at 7:24 AM, Eran Hammer-Lahav <[email protected]> wrote:

> Fragments are not allowed in the HTTP request URI and are not transmitted. They are allowed in the Location header which is not an issue.
>
> EHL
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Andrea Reginato
> Sent: Thursday, December 02, 2010 1:43 AM
> To: Mike Jones
> Cc: [email protected]
> Subject: Re: [OAUTH-WG] OAuth 2.0 Bearer Token specification draft -01
>
> I was reading the specifications, mainly the new ones related to the security issues.
>
> One thing pointed out in the security summary is related to the fact that the token should not be in the URL. So, here come some of my doubts on the user agent flow, where it is set on the URL fragment. Even more, if working only on the client side, I suppose I should save the token somewhere and the cookie, a secure one, should be the option. There should also be the possibility to save it in a JavaScript variable, but this means I'll only use AJAX-style web page definition (no reloads).
>
> If possible, I would love to have some clarifications on the user agent flow security definition. As far as I've searched on the web, several projects do not use it because they think "it's not secure", so I would love to understand more about it.
>
> On Thu, Dec 2, 2010 at 8:35 AM, Mike Jones <[email protected]> wrote:
>
> > Draft -01 of the OAuth 2.0 Bearer Token specification is now available. This version is intended to accompany OAuth 2.0 draft -11. This draft is based upon the September 3rd preliminary OAuth 2.0 draft by Eran Hammer-Lahav, with input from David Recordon and several others. It includes an extensive Security Considerations section, for which Hannes Tschofenig gets significant credit.
> >
> > The draft is available at these locations:
> > http://www.ietf.org/internet-drafts/draft-ietf-oauth-v2-bearer-01.txt
> > http://www.ietf.org/internet-drafts/draft-ietf-oauth-v2-bearer-01.xml
> > http://self-issued.info/docs/draft-ietf-oauth-v2-bearer-01.html
> > http://self-issued.info/docs/draft-ietf-oauth-v2-bearer-01.txt
> > http://self-issued.info/docs/draft-ietf-oauth-v2-bearer-01.xml
> > http://svn.openid.net/repos/specifications/oauth/2.0/ (Subversion repository, with html, txt, and html versions available)
> >
> > If any of you believe that you should be added to the Acknowledgments in Appendix A, please drop me a note and I'll be glad to add you.
> >
> > -- Mike
> >
> > _______________________________________________
> > OAuth mailing list
> > [email protected]
> > https://www.ietf.org/mailman/listinfo/oauth
>
> --
> Andrea Reginato
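The user-agent flow discussed above returns the token in the redirect URI fragment, which the client script reads but the user agent never sends to a server; as an added example that is not part of this thread, the browser-side JavaScript below (also runnable in Node.js, with a constructed redirect URL) separates the request target the user agent actually transmits from the fragment the client parses, and binds the response to the client's own `state` value before accepting the token.

```javascript
// Added example (not from the thread). Uses only the WHATWG URL API,
// available in browsers and in Node.js.

// The part of a URL the user agent puts in the HTTP request line:
// path and query only. The fragment is client-side state and is never
// transmitted, which is the point Eran makes above.
function requestTarget(urlString) {
  const u = new URL(urlString);
  return u.pathname + u.search;
}

// Parse the fragment of the redirect URI into the token response
// parameters (access_token, token_type, expires_in, state, ...).
// Returns null when the fragment carries no access_token.
function parseFragmentTokenResponse(urlString) {
  const u = new URL(urlString);
  const fragment = u.hash.startsWith('#') ? u.hash.slice(1) : u.hash;
  if (!fragment) return null;
  const params = new URLSearchParams(fragment);
  if (!params.has('access_token')) return null;
  const out = {};
  for (const [k, v] of params) out[k] = v;
  return out;
}

// Accept the token only if the state echoed back matches the value this
// client generated for its request, and the token type is bearer.
function acceptTokenResponse(urlString, expectedState) {
  const resp = parseFragmentTokenResponse(urlString);
  if (!resp || resp.state !== expectedState) return null;
  if ((resp.token_type || '').toLowerCase() !== 'bearer') return null;
  return {
    accessToken: resp.access_token,
    expiresIn: Number(resp.expires_in) || null,
  };
}

// Constructed sample redirect, as an authorization server might send it.
const sampleRedirect =
  'https://client.example.com/cb#access_token=SlAV32hkKG&token_type=bearer&expires_in=3600&state=xyz';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(requestTarget(sampleRedirect));       // "/cb": no fragment on the wire
  console.log(acceptTokenResponse(sampleRedirect, 'xyz'));
}
```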
