Yeah, I sure did.  Client ID being the moral equivalent of user agent string in 
a browser.



________________________________
 From: Paul Madsen <[email protected]>
To: William Mills <[email protected]>
Cc: Torsten Lodderstedt <[email protected]>; Karim <[email protected]>; "[email protected]" <[email protected]>
Sent: Friday, January 6, 2012 9:48 AM
Subject: Re: [OAUTH-WG] OAuth2 security considerations for client_id
 

William, presumably you meant 'client_secret'?

And is it fair to say that this reflects the current reality (of app
distribution channels & OS protections) more so than any inherent mobile
client limitation?

paul

On 1/6/12 12:34 PM, William Mills wrote:
> Yeah, certainly for Mobile clients this is true.  There are classes of clients
> (server to server implementations notably) where clientID can be a proper
> secret and be useful for client validation.
>
>________________________________
> From: Torsten Lodderstedt <[email protected]>
>To: Karim <[email protected]>; [email protected] 
>Sent: Friday, January 6, 2012 5:21 AM
>Subject: Re: [OAUTH-WG] OAuth2 security considerations for client_id
> 
>
>Hi,
>
>your observation is correct. OAuth security considerations recommend not to
>rely on secrets for authenticating mobile apps (aka native apps) but to manage
>them as so-called public clients. Please take a look at section 10 of the core
>spec for further details.
>
>regards,
>Torsten.
>
>Karim <[email protected]> wrote:
>>Hello,
>>
>>When using the User-agent flow with OAuth2 for a mobile platform, there is no
>>way for the Authorization server to authenticate the client_id of the
>>application.
>>
>>So, anyone can impersonate my app by copying the client_id (and so get all
>>access tokens on my behalf), and this is applicable to Facebook,
>>Foursquare,...
>>
>>Is this not managed by OAuth2? Or did I miss something?
>>
>>For Web applications (Web server flow), the access token is stored on the
>>server side, and the client is authenticated using a secret key.
>>
>>-- 
>>Karim
>>
>_______________________________________________
>OAuth mailing list
>[email protected]
>https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
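The distinction the thread turns on, as an added example that is not code from the thread or from any OAuth implementation: a toy authorization-server registry with one confidential (web server / server-to-server) client and one public (mobile) client. The confidential client proves its identity with a client_secret; the public client's client_id is accepted as an identifier only, never as proof of identity, which is the situation Karim describes and Torsten's "public client" answer formalises. The second function shows what the server can still enforce for a public client under section 10 of the core spec (RFC 6749 section 10.6): an exact match of the redirect URI against the ones registered for that client_id. All client ids, secrets and redirect URIs are constructed for the example.

```python
# Added example, not code from the thread or from any OAuth library.
# Models how an authorization server treats the two client types the thread
# contrasts. Client ids, secrets and redirect URIs are constructed values.
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class RegisteredClient:
    client_id: str
    client_type: str                 # "confidential" or "public"
    secret_hash: Optional[bytes]     # None for public clients: no secret issued
    redirect_uris: FrozenSet[str]    # exact URIs registered with the server


def _hash_secret(secret: str) -> bytes:
    # Store only a digest of the secret at the authorization server.
    return hashlib.sha256(secret.encode("utf-8")).digest()


# Constructed client registry for the example.
CLIENTS: Dict[str, RegisteredClient] = {
    "web-app-123": RegisteredClient(
        "web-app-123", "confidential", _hash_secret("s3cr3t-web"),
        frozenset({"https://web.example/callback"})),
    "mobile-app-456": RegisteredClient(
        "mobile-app-456", "public", None,
        frozenset({"com.example.mobile://callback"})),
}


def authenticate_client(client_id: str,
                        client_secret: Optional[str] = None
                        ) -> Tuple[Optional[RegisteredClient], bool]:
    """Return (client, authenticated).

    Confidential clients must present the correct secret; a wrong or missing
    secret rejects the request. Public clients are identified by client_id
    but never authenticated by it: any caller presenting the same id gets the
    same (client, False) result, so the server must not treat the id as proof
    of identity when deciding what to issue.
    """
    client = CLIENTS.get(client_id)
    if client is None:
        return None, False
    if client.client_type == "confidential":
        if client_secret is None or client.secret_hash is None:
            return None, False
        if not hmac.compare_digest(_hash_secret(client_secret),
                                   client.secret_hash):
            return None, False
        return client, True
    # Public client: the id is a label, like a User-Agent string.
    return client, False


def check_redirect_uri(client_id: str, redirect_uri: str) -> str:
    """The check the server can still apply to a public client: the
    redirect_uri in the authorization request must exactly equal one of the
    URIs registered for that client_id, so the authorization response is only
    ever delivered to a registered location."""
    client = CLIENTS.get(client_id)
    if client is None:
        return "error:unknown_client"
    if redirect_uri not in client.redirect_uris:
        return "error:invalid_redirect_uri"
    return "ok"


if __name__ == "__main__":
    print(authenticate_client("web-app-123", "s3cr3t-web"))
    print(authenticate_client("web-app-123", "guess"))
    print(authenticate_client("mobile-app-456"))
    print(check_redirect_uri("mobile-app-456", "com.example.mobile://callback"))
    print(check_redirect_uri("mobile-app-456", "https://other.example/cb"))
```

The `authenticated` flag is what a real server would branch on when deciding, for example, whether a client credential grant or a long-lived refresh token is appropriate; for the public client it is always `False`, which is why the thread's advice is to design around the absence of client authentication rather than to hide a secret in the app.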