Having thought about it, I'm willing to remove the text below. Are there any other sections of the bearer token security considerations that you believe belong in the framework spec rather than the bearer token spec, or that don't belong at all?
Thanks again, -- Mike From: Brian Campbell [mailto:bcampb...@pingidentity.com] Sent: Monday, January 17, 2011 6:10 AM To: Mike Jones Cc: oauth Subject: Re: [OAUTH-WG] Couple questions on draft-ietf-oauth-v2-bearer-01 security considerations That text still seems more restrictive than what is in the framework specification. And it's probably unnecessary - to the point James made previously, any mention of the AS (beyond specifying the token_type) in a "using a token" specification should probably be avoided unless there is a very specific reason for including it. In general, the AS is involved when "getting a token" and the RS is involved when "using a token." On Fri, Jan 14, 2011 at 6:40 PM, Mike Jones <michael.jo...@microsoft.com<mailto:michael.jo...@microsoft.com>> wrote: Thanks for your input, Brian. I accepted these suggestions for draft -02. The referenced text now reads: Furthermore, the authorization server MUST ensure that it only hands out tokens to clients it has authenticated first and authorized. For this purpose, the client MUST be authenticated and authorized by the authorization server. The authorization server MUST also obtain the consent of the resource owner prior to providing a token to the client. I'll leave it up to Eran how much of this security considerations text to incorporate into the framework specification. -- Mike -----Original Message----- From: oauth-boun...@ietf.org<mailto:oauth-boun...@ietf.org> [mailto:oauth-boun...@ietf.org<mailto:oauth-boun...@ietf.org>] On Behalf Of Brian Campbell Sent: Thursday, December 09, 2010 1:38 PM To: oauth Subject: [OAUTH-WG] Couple questions on draft-ietf-oauth-v2-bearer-01 security considerations I know draft-ietf-oauth-v2-bearer-01 has been discussed a fair bit, however, a couple things jumped out at me in areas that hadn't received much attention yet so I wanted to raise the questions on a separate thread. Near the end of section 3.2. Threat Mitigation, it says: " Furthermore, the resource server MUST ensure that it only hands out tokens to clients it has authenticated first and authorized. For this purpose, the client MUST be authenticated and authorized by the resource server. " Was the intent here to say authorization server rather than resource server? The resource server doesn't hand out tokens. Also, aren't there legitimate cases where the client isn't authenticated (anonymous or other cases where the client can't keep secrets)? Then it says: "The authorization server MUST also receive a confirmation (the consent of the resource owner) prior to providing a token to the client." Does this allow for implicit consent? On my first read of it, I interpret this as potentially being more restrictive than what is in draft-ietf-oauth-v2-11 _______________________________________________ OAuth mailing list OAuth@ietf.org<mailto:OAuth@ietf.org> https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth