I am just guessing... expecting others' answers here. On the other hand, an auth code exposed to the RO does not have security implications, as far as I know:
1. if the auth code is transported in plaintext, it should require Client authentication to use it.
2. if the auth code does not need Client authentication, the auth code could be sent encrypted.
Peng Zhou <[email protected]> wrote on 2013-01-09 14:42:09:

> Dear SuJing:
>
> If it is the only reason, why not send the authorization code to the
> client directly and send another notification without the
> authorization code to the RO. This way can mitigate the chance that
> the authorization code is exposed to the RO's user-agent, hence
> protecting the authorization code from leaking to possible attackers
> in a higher security level.
>
> Best Regards
> Brent
>
> 2013/1/9 <[email protected]>:
> >
> > Then why not let the auth code be sent directly from AS to Client?
> >
> > Just want to inform RO that an auth code has been delivered to Client?
> >
> > [email protected] wrote on 2013-01-09 14:27:50:
> >
> >> Hi Brent,
> >>
> >> Few points, why this doesn't create any security implications..
> >>
> >> 1. Authorization server maintains a binding to the Client, who the
> >> token was issued to. To exchange this to an Access token client
> >> should authenticate himself.
> >> 2. Code can only be exchanged once for an access token.
> >>
> >> Thanks & regards,
> >> -Prabath
> >
> >> On Wed, Jan 9, 2013 at 6:56 AM, cspzhouroc <[email protected]> wrote:
> >> Dear All:
> >>
> >> I have a question in the section 1.3.1. Authorization Code in rfc6749
> >> The OAuth 2.0 Authorization Framework.
> >>
> >> It tells "which in turn directs the resource owner back to the client
> >> with the authorization code."
> >>
> >> Who can let me know the reason why the authorization code is sent to
> >> the client through a redirection in the resource owner's agent? Any security
> >> implications?
> >>
> >> Is it possible to let the authorization server send the authorization
> >> code to the client directly (not through the resource owner's user-agent)?
> >>
> >> Best Regards
> >> Brent
> >>
> >> _______________________________________________
> >> OAuth mailing list
> >> [email protected]
> >> https://www.ietf.org/mailman/listinfo/oauth
> >>
> >> --
> >> Thanks & Regards,
> >> Prabath
> >>
> >> Mobile : +94 71 809 6732
> >>
> >> http://blog.facilelogin.com
> >> http://RampartFAQ.com
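The checks Prabath lists (the code is bound to the client it was issued to, the client has to authenticate to exchange it, and a code can be exchanged only once), written out as the logic of a token endpoint. This is an added example, not code from the thread and not any real authorization server's code; the client IDs, secrets, redirect URIs, the resource-owner name and the fixed clock are all made up for it.

```python
"""Toy OAuth 2.0 authorization server: issuing and exchanging authorization codes.

Added example, not code from the mailing-list thread or from any real server.
It shows the two properties cited from RFC 6749 section 4.1: the code is bound
to the client it was issued to, so exchanging it requires client
authentication, and a code can be exchanged only once.  Client IDs, secrets,
redirect URIs and the resource-owner name are constructed for the example.
"""
import hmac
import secrets
import time
from dataclasses import dataclass, field

# RFC 6749 section 4.1.2 recommends a maximum code lifetime of 10 minutes.
CODE_LIFETIME_SECONDS = 600

# Constructed client registrations (confidential clients with a shared secret).
CLIENTS = {
    "client-app":  {"secret": "app-secret-1234",  "redirect_uri": "https://app.example/cb"},
    "client-evil": {"secret": "evil-secret-9999", "redirect_uri": "https://evil.example/cb"},
}


@dataclass
class CodeRecord:
    client_id: str
    redirect_uri: str
    resource_owner: str
    issued_at: float
    used: bool = False
    tokens: list = field(default_factory=list)  # access tokens issued on this code


class AuthorizationServer:
    def __init__(self):
        self._codes = {}            # code -> CodeRecord
        self.revoked_tokens = set()

    def authorize(self, client_id, redirect_uri, resource_owner, now=None):
        """Authorization endpoint, after the resource owner has consented.
        Returns the redirect URL the RO's user-agent is sent to; the code in
        its query string is what the user-agent (and anyone watching it) sees."""
        client = CLIENTS.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise ValueError("unknown client or unregistered redirect_uri")
        code = secrets.token_urlsafe(32)
        self._codes[code] = CodeRecord(client_id, redirect_uri, resource_owner,
                                       time.time() if now is None else now)
        return f"{redirect_uri}?code={code}"

    def token(self, code, client_id, client_secret, redirect_uri, now=None):
        """Token endpoint.  Returns an access token, or raises PermissionError
        carrying the RFC 6749 section 5.2 error code."""
        now = time.time() if now is None else now
        client = CLIENTS.get(client_id)
        # 1. The client must authenticate; possessing the code is not enough.
        if client is None or not hmac.compare_digest(client["secret"], client_secret):
            raise PermissionError("invalid_client")
        rec = self._codes.get(code)
        if rec is None:
            raise PermissionError("invalid_grant")
        # 2. The code is bound to the client (and redirect_uri) it was issued to.
        if rec.client_id != client_id or rec.redirect_uri != redirect_uri:
            raise PermissionError("invalid_grant")
        # 3. Codes are short-lived.
        if now - rec.issued_at > CODE_LIFETIME_SECONDS:
            raise PermissionError("invalid_grant")
        # 4. Single use.  On reuse, revoke every token previously issued on the
        #    code (section 4.1.2 says the AS SHOULD), since the code has
        #    evidently been replayed by someone.
        if rec.used:
            self.revoked_tokens.update(rec.tokens)
            raise PermissionError("invalid_grant")
        rec.used = True
        access_token = secrets.token_urlsafe(32)
        rec.tokens.append(access_token)
        return access_token


def _try(fn, *args):
    """Return the access token, or the error code the token endpoint raised."""
    try:
        return fn(*args)
    except PermissionError as e:
        return str(e)


def scenario():
    """Two attempts by someone who only saw the code in the user-agent, the
    legitimate exchange, a replay of the same code, and an expired code."""
    server = AuthorizationServer()
    t0 = 1_357_713_000  # fixed clock for a deterministic run
    cb = "https://app.example/cb"
    redirect = server.authorize("client-app", cb, "sujing", now=t0)
    code = redirect.split("code=", 1)[1]

    results = {}
    # Attacker watched the user-agent and has the code, but no client secret.
    results["no_secret"] = _try(server.token, code, "client-app", "guess", cb, t0 + 1)
    # Attacker runs a registered client of their own: authenticates, but the code is not theirs.
    results["wrong_client"] = _try(server.token, code, "client-evil", "evil-secret-9999",
                                   "https://evil.example/cb", t0 + 2)
    # Legitimate client exchanges the code.
    first = _try(server.token, code, "client-app", "app-secret-1234", cb, t0 + 3)
    results["legit"] = first
    # Same code presented again: rejected, and the earlier token is revoked.
    results["replay"] = _try(server.token, code, "client-app", "app-secret-1234", cb, t0 + 4)
    results["first_token_revoked"] = first in server.revoked_tokens
    # A fresh code that sat longer than its lifetime is also rejected.
    stale = server.authorize("client-app", cb, "sujing", now=t0).split("code=", 1)[1]
    results["expired"] = _try(server.token, stale, "client-app", "app-secret-1234", cb,
                              t0 + CODE_LIFETIME_SECONDS + 1)
    return results


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name:20} {value}")
```

Running scenario() shows the point of the thread in practice: someone who reads the code out of the redirect in the resource owner's user-agent gets invalid_client without the client's secret and invalid_grant even with a secret of their own, and a second presentation of the code by anyone gets invalid_grant and revokes the token the first exchange produced. These checks assume a confidential client; a public client has no secret to present, which is the situation SuJing's second point is about.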
