I'm not clear whether the MS Security Researcher hack was with the authorization code or the access token. If the latter, the client_id is out of the picture isn't it?
Phil
@independentid
www.independentid.com
[email protected]

On 2012-06-29, at 11:14 AM, Dick Hardt wrote:

>
> On Jun 29, 2012, at 11:06 AM, John Bradley wrote:
>
>> It is nice to know that I may occasionally be correct :)
>
> You must be delighted when it happens! ;)
>
>> While you may assume that it is reasonable for a client with a code to make
>> a request to the token endpoint including its client_id and the server to
>> only give out the access token if the client_id in the token request matches
>> the one in the original authorization request. However the spec
>> specifically doesn't require that.
>
> I think that is an error in the spec and should be changed, or text added
> saying that the client_id SHOULD be checked.
>
> -- Dick

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
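The check John Bradley and Dick Hardt discuss above, as an added example that is not part of the thread: a minimal authorization server that binds each authorization code to the client_id (and redirect_uri) of the original authorization request, so its token endpoint refuses to redeem the code for any other client. The function names, the in-memory code store, and the sample client identifiers are assumptions made for illustration; `client_id` at the token endpoint is assumed to be the caller's authenticated identity for a confidential client, or the `client_id` parameter for a public client.

```python
"""Added example (not the OAuth working group's code): an authorization server
that binds codes to the requesting client and enforces the binding at the
token endpoint. Names, store and sample values are constructed."""
import secrets
import time

CODE_LIFETIME_SECONDS = 60  # assumed short lifetime for one-time codes

# code -> record of the authorization request that produced it (constructed store)
_issued_codes = {}


def issue_authorization_code(client_id, redirect_uri, scope):
    """Authorization endpoint side: mint a one-time code and remember which
    client and redirect_uri it was issued for."""
    code = secrets.token_urlsafe(32)
    _issued_codes[code] = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "expires_at": time.time() + CODE_LIFETIME_SECONDS,
    }
    return code


def exchange_code(code, client_id, redirect_uri):
    """Token endpoint side. Returns ("ok", token_response) or ("error", reason).

    The client_id presented with the code must equal the client_id the code
    was issued to. A mismatch is treated as a leaked or injected code: the
    request fails with invalid_grant and the code is consumed so it cannot
    be retried by anyone."""
    # pop() consumes the code on every path: a code is redeemable exactly once.
    record = _issued_codes.pop(code, None)
    if record is None:
        return ("error", "invalid_grant")  # unknown or already-used code
    if time.time() > record["expires_at"]:
        return ("error", "invalid_grant")  # expired
    # The binding check the thread argues the spec should require.
    if not secrets.compare_digest(record["client_id"], client_id):
        return ("error", "invalid_grant")
    # RFC 6749 section 4.1.3 additionally requires the redirect_uri to match.
    if record["redirect_uri"] != redirect_uri:
        return ("error", "invalid_grant")
    token = {
        "access_token": secrets.token_urlsafe(32),
        "token_type": "Bearer",
        "expires_in": 3600,
        "scope": record["scope"],
    }
    return ("ok", token)


if __name__ == "__main__":
    # Constructed walk-through: the legitimate client redeems its own code,
    # a different client presenting the same code is refused.
    code = issue_authorization_code("client-a", "https://a.example/cb", "read")
    print(exchange_code(code, "client-b", "https://a.example/cb"))  # ('error', 'invalid_grant')
    code = issue_authorization_code("client-a", "https://a.example/cb", "read")
    print(exchange_code(code, "client-a", "https://a.example/cb")[0])  # ok
```

Because the mismatch branch consumes the code, a code that has been presented by the wrong client can no longer be redeemed by the right one either; that is a deliberate trade-off (fail closed) rather than something the spec mandates, and a production server would also log the mismatch as a signal worth alerting on.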
