On Wed, Jun 15, 2011 at 5:27 PM, Eran Hammer-Lahav <[email protected]> wrote:

> So basically, it is authentication on top of bearer credentials to achieve
> another level of security. Are we just assuming that stealing the refresh
> token will be harder than stealing the client credentials? Seems a bit
> optimistic.
>
> Both client secret and refresh token are sent in plain text over TLS during
> the same client-server interaction. If there is a problem with TLS, both
> secrets are exposed. The client is more likely to store its client secret in
> source code or local storage because it rarely changes, as opposed to
> storing the refresh token in some other cache or database. I can't figure
> out which one will be harder to steal.
>
> What attack vector is requiring client authentication when using the
> refresh token protects against?

Requiring client authentication doesn't defend against attacks directly; it makes recovery after a successful attack easier. If you use the assertion profiles for OAuth2, then it also binds the refresh token to private keys that are much easier to store securely than client secrets.
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
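The recovery argument made in the reply above, illustrated as an added example that is not part of the original thread or of any real authorization server. It is a constructed, in-memory token endpoint that (a) authenticates the client on every refresh, (b) binds each refresh token to the client it was issued to, and (c) lets the operator rotate a compromised client secret. The scenario shows both sides of the exchange: with the secret and the refresh token stolen together the attacker succeeds, exactly as Eran notes, but once the secret is rotated the stolen refresh token alone is worthless while the legitimate client keeps working. Class names, the generation of tokens and the hash-based secret store are all assumptions of this example; the private-key assertion variant mentioned in the reply is not modelled.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed stand-in for an OAuth 2.0 authorization server (hypothetical,
# not any real implementation). Secrets are stored hashed; comparisons use
# hmac.compare_digest to avoid timing leaks.


def _hash_secret(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()


@dataclass
class RefreshToken:
    client_id: str   # the client this token is bound to
    subject: str     # resource owner it was issued for
    revoked: bool = False


class AuthorizationServer:
    def __init__(self) -> None:
        self._secret_hashes: dict[str, str] = {}
        self._refresh_tokens: dict[str, RefreshToken] = {}

    def register_client(self, client_id: str, client_secret: str) -> None:
        self._secret_hashes[client_id] = _hash_secret(client_secret)

    def authenticate_client(self, client_id: str, client_secret: str) -> bool:
        stored = self._secret_hashes.get(client_id)
        if stored is None:
            return False
        return hmac.compare_digest(stored, _hash_secret(client_secret))

    def issue_refresh_token(self, client_id: str, subject: str) -> str:
        token = secrets.token_urlsafe(32)
        self._refresh_tokens[token] = RefreshToken(client_id, subject)
        return token

    def refresh(self, client_id: str, client_secret: str, refresh_token: str) -> dict:
        """Token endpoint, grant_type=refresh_token."""
        # 1. Client authentication comes first; a bearer-only design would skip this.
        if not self.authenticate_client(client_id, client_secret):
            return {"error": "invalid_client"}
        rt = self._refresh_tokens.get(refresh_token)
        # 2. The refresh token must exist, be live, and belong to *this* client.
        if rt is None or rt.revoked or rt.client_id != client_id:
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "bearer"}

    def rotate_client_secret(self, client_id: str, new_secret: str) -> None:
        """Recovery step after a suspected leak: old secret stops working,
        existing refresh tokens stay usable by the legitimate client."""
        self._secret_hashes[client_id] = _hash_secret(new_secret)

    def revoke_refresh_token(self, refresh_token: str) -> None:
        rt = self._refresh_tokens.get(refresh_token)
        if rt is not None:
            rt.revoked = True


def scenario() -> dict[str, str]:
    """Walk through the situations discussed in the thread; returns what the
    token endpoint answered in each case ("access_token" or the error code)."""
    srv = AuthorizationServer()
    srv.register_client("webapp", "s3cret-v1")     # constructed credentials
    srv.register_client("other-app", "other-secret")
    rt = srv.issue_refresh_token("webapp", "alice")

    def outcome(resp: dict) -> str:
        return "access_token" if "access_token" in resp else resp["error"]

    results = {
        "legitimate_client": outcome(srv.refresh("webapp", "s3cret-v1", rt)),
        # Refresh token stolen on its own: client auth blocks it.
        "attacker_token_only": outcome(srv.refresh("webapp", "guess", rt)),
        # Token stolen and replayed by a different registered client: binding blocks it.
        "attacker_other_client": outcome(srv.refresh("other-app", "other-secret", rt)),
        # Both secret and token stolen together (Eran's case): attacker succeeds.
        "attacker_with_both": outcome(srv.refresh("webapp", "s3cret-v1", rt)),
    }
    # Recovery: operator rotates the client secret after noticing the leak.
    srv.rotate_client_secret("webapp", "s3cret-v2")
    results["attacker_after_rotation"] = outcome(srv.refresh("webapp", "s3cret-v1", rt))
    results["legitimate_after_rotation"] = outcome(srv.refresh("webapp", "s3cret-v2", rt))
    return results


if __name__ == "__main__":
    for case, result in scenario().items():
        print(f"{case:28s} -> {result}")
```

The point the example makes concrete is the one in the reply: client authentication on the refresh call does not stop an attacker who already holds both secrets, but it gives the operator one credential to rotate that immediately invalidates every stolen refresh token for that client, without forcing every resource owner to re-authorize.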
