> Shouldn’t it be more secure if we change to use a post method for access token, similar to the SAML does?
I say yes. But please note I'm very new at this and someone with more experience will have more to say or correct my comments. Here are a few more details to consider. 1) OAuth is a framework and not a standard, per se. Different authorization servers will have different implementations that are not necessarily compatible with other service providers. So there is no standard to break, per se. 2) Sensitive data in a URI is a bad idea. They leak all over the place even over HTTPS. Even in fragments. 3) Break the "rules" and find a way to submit sensitive data like access tokens, session information or any other (even short term) sensitive data in a secure fashion. This includes POST, JSON data payloads over PUT/PATCH and other verbs - all over well configured HTTPS. 4) If you really must submit sensitive data over GET , consider JWT/JWS/JWE (with limited scopes/lifetimes) to provide message level confidentiality and integrity. Aloha, Jim Manico Manicode Security https://www.manicode.com On 6/27/16 9:30 PM, Liyu Yi wrote: > > While we are working on a project with OAuth2 implementation, one > question arises from our engineers. > > We noticed at > https://tools.ietf.org/html/draft-ietf-oauth-v2-31#page-30, it is > specified that > > > > (C) Assuming the resource owner grants access, the authorization > > server redirects the user-agent back to the client using the > > redirection URI provided earlier. The redirection URI includes > > the access token in the URI fragment. > > > > For my understanding, the browser keeps the URI fragment in the > history, and this introduces unexpected exposure of the access token. > A user without authorization for the resource can get the access token > as long as he has the access to the browser. This can happen in a > shared computer in library, or for an IT staff who works on other > employee’s computer. > > > > Shouldn’t it be more secure if we change to use a post method for > access token, similar to the SAML does? > > I feel there might be something I missed here. Any advices will be > appreciated. > > > > _______________________________________________ > OAuth mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/oauth --
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
