>> OAuth issues security tokens without indicating where they can be safely
>> used. While that fatal flaw remains, it is pointless to specify the use of
>> the Origin header.

> I don't think anything should be in the base as the different token profiles
> can stipulate the audience.

But they don't. Neither the BEARER nor MAC specs stipulate where not to send a token.

Indicating where it is safe to use a security token seems to me to be a generic requirement whenever any type of token is issued. Hence, the base spec seems to be the appropriate place to specify it.

[It is far less dangerous to use a MAC token (than a BEARER token) at the wrong site as the secret key will not be revealed. However, it is still a situation you want to avoid (at best the unexpected authentication will be ignored; often it will cause errors; and it leaks some privacy).]

The BEARER spec [draft-ietf-oauth-v2-bearer-03] does say, in its Security Considerations [3.2], "it is important for the authorization server to include the identity of the intended recipients". However this is talking about a resource server checking that a token was meant for it. It doesn't in any way prevent a client app sending the token to the wrong site (tokens can be opaque to clients so they cannot check things inside them).

--
James Manger
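An added example, not part of the thread, of what acting on "where it is safe to use a token" looks like on both sides. It assumes the issuance response carries an `audience` list of origins (a field the drafts discussed here do not define); the token value and origins are constructed samples.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}

# Constructed issuance response. The "audience" field is an assumption made for
# this example: it is what the message above argues the base spec should require.
TOKEN_RECORD = {
    "access_token": "2YotnFZFEjr1zCsicMWpAA",   # sample value, opaque to the client
    "token_type": "bearer",
    "audience": ["https://api.example.com", "https://media.example.com:8443"],
}


def origin_of(url: str) -> str:
    """Normalised scheme://host[:port] of a URL; default ports are dropped."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"unsupported or malformed URL: {url!r}")
    origin = f"{scheme}://{parts.hostname.lower()}"
    if parts.port is not None and parts.port != DEFAULT_PORTS[scheme]:
        origin += f":{parts.port}"
    return origin


def authorization_header(token_record: dict, request_url: str) -> dict:
    """Client side: header to attach, or {} if the URL is outside the audience.

    The token itself is never inspected; the client only consults the audience
    list that came alongside it, so an opaque token still cannot be misdirected.
    """
    allowed = {origin_of(a) for a in token_record.get("audience", [])}
    if origin_of(request_url) not in allowed:
        return {}   # a bearer token sent to the wrong site is a credential leak
    return {"Authorization": f"Bearer {token_record['access_token']}"}


def resource_server_accepts(token_claims: dict, own_origin: str) -> bool:
    """Resource-server side: the intended-recipient check bearer-03 section 3.2
    describes, for a token whose contents the server can read."""
    allowed = {origin_of(a) for a in token_claims.get("audience", [])}
    return origin_of(own_origin) in allowed
```

The client check is the one the thread says the specs lack: it stops a token leaving for a site it was not issued to, independently of whether that site validates audiences.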
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
