While working on a project with an OAuth2 implementation, a question arose from our engineers.

We noticed at https://tools.ietf.org/html/draft-ietf-oauth-v2-31#page-30 that it is specified: (C) Assuming the resource owner grants access, the authorization server redirects the user-agent back to the client using the redirection URI provided earlier. The redirection URI includes the access token in the URI fragment.

To my understanding, the browser keeps the URI fragment in its history, and this introduces unexpected exposure of the access token. A user without authorization for the resource can get the access token as long as he has access to the browser. This can happen on a shared computer in a library, or with an IT staff member who works on another employee's computer.

Wouldn't it be more secure if we changed to using a POST method for the access token, similar to what SAML does? I feel there might be something I missed here. Any advice will be appreciated.
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
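The concern raised in the post is that an implicit-grant access token delivered in the URI fragment stays in the browser's history. One client-side mitigation is for the redirect endpoint page to read the token out of the fragment, verify the `state` value it sent, and then replace the current history entry with the same URL minus the fragment. The following is an added example, not code from the post or from the OAuth specification; the redirect URI `https://client.example.com/cb`, the `state` value and the token string are constructed sample values, and `handleImplicitRedirect` is an assumed name for the client's own handler.

```javascript
// Added example (not from the mailing-list post): an implicit-grant client
// extracting the access token from the redirect URI fragment and then
// scrubbing the fragment so the token does not linger in browser history.
// URL and URLSearchParams are globals in both browsers and Node.

// Parse the token response that the authorization server placed in the
// fragment, e.g. "#access_token=...&token_type=bearer&expires_in=3600&state=xyz".
// Returns null when no access_token is present.
function parseFragmentTokenResponse(redirectUri) {
  const url = new URL(redirectUri);
  const fragment = url.hash.startsWith("#") ? url.hash.slice(1) : url.hash;
  const params = new URLSearchParams(fragment);
  const token = params.get("access_token");
  if (!token) return null;
  const expires = params.get("expires_in");
  return {
    accessToken: token,
    tokenType: params.get("token_type"),
    expiresIn: expires === null ? null : Number(expires),
    state: params.get("state"),
  };
}

// Build the URL that should replace the current history entry: same origin,
// path and query, but with the fragment removed so the token is not stored.
function scrubbedUri(redirectUri) {
  const url = new URL(redirectUri);
  url.hash = "";
  return url.toString();
}

// Pure decision logic, kept separate from the browser APIs so it can be tested:
// returns the token response only if one is present and its state matches the
// value the client generated before starting the flow (CSRF protection).
function acceptRedirect(redirectUri, expectedState) {
  const result = parseFragmentTokenResponse(redirectUri);
  if (!result) return null;
  if (result.state !== expectedState) return null;
  return result;
}

// Browser-side handler (assumed name) to run on the client's redirect endpoint
// page. After accepting the response it rewrites the history entry so the
// fragment containing the token is gone from the address bar and history.
function handleImplicitRedirect(expectedState) {
  const current = window.location.href;
  const result = acceptRedirect(current, expectedState);
  if (result) {
    window.history.replaceState(null, "", scrubbedUri(current));
  }
  return result;
}

// Constructed sample redirect, as the authorization server would send it.
const SAMPLE_REDIRECT =
  "https://client.example.com/cb?foo=bar" +
  "#access_token=CONSTRUCTED_TOKEN&token_type=bearer&expires_in=3600&state=xyz";
```

In a browser, the page at the redirect URI would call `handleImplicitRedirect(savedState)` as early as possible in its load, before any script logs or shares the URL. Scrubbing the history entry does not help against a token already written to a history file by a browser that records the full URL on navigation, which is why the post's underlying concern about fragment delivery remains valid.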
