Hi Mike,

In section 3.2 you say:

> To deal with token redirect, it is important for the
> authorization server to include the identity of the intended
> recipients, namely a single resource server (or a list of
> resource servers).

You should add that each resource server must verify that it is the intended recipient of the token. (This prevents a malicious resource server from using a token that it has legitimately received to obtain resources from a target resource server; the target resource server will foil the attack by noticing that it is not the intended recipient of the token.) Perhaps it goes without saying, but it doesn't hurt to be explicit.

Francisco

--- On Fri, 2/25/11, Mike Jones <[email protected]> wrote:

From: Mike Jones <[email protected]>
Subject: [OAUTH-WG] OAuth 2.0 Bearer Token Specification draft -03
To: "[email protected]" <[email protected]>
Date: Friday, February 25, 2011, 10:17 PM

I’ve published draft 03 of the OAuth Bearer Token Specification. It contains one breaking change relative to draft 02 that was voted on by the working group: changing the "OAuth2" OAuth access token type name to "Bearer".

The full set of changes in this draft is:

· Restored the WWW-Authenticate response header functionality deleted from the framework specification in draft 12 based upon the specification text from draft 11.
· Augmented the OAuth Parameters registry by adding two additional parameter usage locations: "resource request" and "resource response".
· Registered the "oauth_token" OAuth parameter with usage location "resource request".
· Registered the "error" OAuth parameter.
· Created the OAuth Error registry and registered errors.
· Changed the "OAuth2" OAuth access token type name to "Bearer".

The draft is available at these locations:

· http://www.ietf.org/internet-drafts/draft-ietf-oauth-v2-bearer-03.txt
· http://www.ietf.org/internet-drafts/draft-ietf-oauth-v2-bearer-03.xml
· http://self-issued.info/docs/draft-ietf-oauth-v2-bearer-03.html
· http://self-issued.info/docs/draft-ietf-oauth-v2-bearer-03.txt
· http://self-issued.info/docs/draft-ietf-oauth-v2-bearer-03.xml
· http://self-issued.info/docs/draft-ietf-oauth-v2-bearer.html (will point to new versions as they are posted)
· http://self-issued.info/docs/draft-ietf-oauth-v2-bearer.txt (will point to new versions as they are posted)
· http://self-issued.info/docs/draft-ietf-oauth-v2-bearer.xml (will point to new versions as they are posted)
· http://svn.openid.net/repos/specifications/oauth/2.0/ (Subversion repository, with html, txt, and html versions available)

Your feedback is solicited.

-- Mike

-----Inline Attachment Follows-----

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
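An illustration of the recipient check Francisco asks for, added here as example code (not from the draft or from anyone in the thread). The token format is an assumption, since draft -03 leaves that to the authorization server: an HMAC-signed JSON payload whose "aud" list names the intended resource servers, with a shared secret and server identifiers that are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed example: authorization server and resource servers share SECRET;
# a token is base64url(JSON payload) + "." + base64url(HMAC-SHA256(payload)).
# The payload's "aud" list names the intended recipients (format is an
# assumption; draft -03 does not define a token format).
SECRET = b"constructed-shared-secret"

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(subject: str, audiences: list[str]) -> str:
    """Authorization server: bind the token to its intended recipients."""
    payload = json.dumps({"sub": subject, "aud": audiences}, sort_keys=True).encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return _b64url(payload) + "." + _b64url(sig)

def accept_token(token: str, this_server: str) -> bool:
    """Resource server: accept only if the signature verifies AND this server
    is named in "aud". A token replayed by another resource server that
    legitimately received it carries the wrong audience and is refused."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = _b64url_decode(payload_b64)
        sig = _b64url_decode(sig_b64)
    except ValueError:
        return False
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False  # tampered or forged token
    aud = json.loads(payload).get("aud")
    if isinstance(aud, str):
        aud = [aud]  # tolerate a single recipient given as a string
    return isinstance(aud, list) and this_server in aud

if __name__ == "__main__":
    tok = issue_token("alice", ["https://photos.example"])
    print(accept_token(tok, "https://photos.example"))  # True: intended recipient
    print(accept_token(tok, "https://bank.example"))    # False: token redirected
```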
