Hi
On 08/12/13 10:08, Jason Wang wrote:
> Hi all,
> I am looking at different token types in OAuth2. I am having trouble
> understanding the benefits of using MAC over the simple Bearer token.
> It looks to me that using a MAC token can prevent replay attacks, as it
> uses a nonce.
The idea is also to support a holder-of-key concept.
Note CXF supports the earlier, much simpler version of the MAC spec,
authored by E. Hammer-Lahav. The current OAuth2 MAC spec is being worked
on; I think it is much more sophisticated, linked to JWT, so I haven't
tried to implement it yet. I'll have no problems supporting the original
version as a custom MAC token type; OAuth2 is OK with custom types.
> But if SSL is used, those attacks are no longer possible (assuming a
> proper SSL implementation).
> It mentions in the spec that two-way TLS is recommended.
Do you refer to an actual spec text or to the text on the CXF wiki? I added
the latter; it only applies to the process of the client requesting the
MAC token, for the actual MAC key to be absolutely safely transmitted
back to the client. Of course, one-way TLS can be secure enough too if
no hacker risks exist.
> Doesn't that mean this MAC token is not ideal for mobile/native apps
> where it's impossible to safeguard a client certificate?
I guess you are right.
Note CXF supports
http://tools.ietf.org/html/draft-sakimura-oauth-tcse-01
but
http://tools.ietf.org/html/draft-sakimura-oauth-tcse-02
has already superseded it - I'll try to implement it for 3.0.0 m2, not
sure it will help in your scenario though.
Thanks
Sergey
> Many thanks,
> Jason
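As an added illustration of the replay-protection and holder-of-key points raised in the thread (this is example code written for this page, not code from the thread, from CXF or from the MAC spec authors), the following Python sketches both sides of a MAC-token-protected request. It assumes the normalized request string layout of draft-hammer-oauth-v2-mac-token-05 (timestamp, nonce, method, request URI, host, port, ext, each followed by a newline); the thread does not say which draft revision CXF's implementation follows, and the key id, MAC key and request values below are constructed. The verifier records each (key id, timestamp, nonce) it has accepted, so a captured header replayed verbatim is rejected, and because the method and URI are part of the signed string, a captured header cannot be retargeted at another resource either; neither property holds for a Bearer token, which is accepted as long as the string itself is presented.

```python
import base64
import hashlib
import hmac
import re
import secrets
import time

# Algorithm names used by the MAC token drafts, mapped to hashlib constructors.
ALGORITHMS = {"hmac-sha-1": hashlib.sha1, "hmac-sha-256": hashlib.sha256}


def normalized_request_string(ts, nonce, method, uri, host, port, ext=""):
    """Assumed layout from draft-hammer-oauth-v2-mac-token-05: each element
    followed by a newline, in this fixed order. Changing the method, URI or
    host changes the string, so a captured MAC cannot be retargeted."""
    fields = [str(ts), nonce, method.upper(), uri, host.lower(), str(port), ext]
    return "\n".join(fields) + "\n"


def compute_mac(mac_key, algorithm, normalized):
    digest = hmac.new(mac_key.encode(), normalized.encode(), ALGORITHMS[algorithm]).digest()
    return base64.b64encode(digest).decode()


def build_mac_header(key_id, mac_key, algorithm, method, uri, host, port,
                     ts=None, nonce=None, ext=""):
    """Client side: the MAC key never leaves the client; only the key id,
    timestamp, nonce and resulting mac travel in the Authorization header."""
    ts = int(time.time()) if ts is None else ts
    nonce = secrets.token_hex(8) if nonce is None else nonce
    normalized = normalized_request_string(ts, nonce, method, uri, host, port, ext)
    params = [f'id="{key_id}"', f'ts="{ts}"', f'nonce="{nonce}"']
    if ext:
        params.append(f'ext="{ext}"')
    params.append(f'mac="{compute_mac(mac_key, algorithm, normalized)}"')
    return "MAC " + ", ".join(params)


class MacVerifier:
    """Resource-server side. `keys` maps key id -> (mac_key, algorithm)."""

    def __init__(self, keys, max_skew_seconds=300):
        self.keys = keys
        self.max_skew = max_skew_seconds
        # A nonce must be unique per (key id, timestamp); remember accepted ones.
        self.seen = set()

    def verify(self, header, method, uri, host, port, now):
        if not header.startswith("MAC "):
            return False, "not a MAC scheme header"
        p = dict(re.findall(r'(\w+)="([^"]*)"', header[4:]))
        if not {"id", "ts", "nonce", "mac"} <= set(p):
            return False, "missing parameter"
        if p["id"] not in self.keys:
            return False, "unknown key id"
        try:
            ts = int(p["ts"])
        except ValueError:
            return False, "malformed ts"
        if abs(now - ts) > self.max_skew:
            return False, "stale timestamp"
        mac_key, algorithm = self.keys[p["id"]]
        normalized = normalized_request_string(ts, p["nonce"], method, uri, host, port,
                                               p.get("ext", ""))
        # Check the MAC before the nonce cache so unauthenticated junk never lands in it.
        if not hmac.compare_digest(compute_mac(mac_key, algorithm, normalized), p["mac"]):
            return False, "mac mismatch"
        if (p["id"], ts, p["nonce"]) in self.seen:
            return False, "replayed nonce"
        self.seen.add((p["id"], ts, p["nonce"]))
        return True, "ok"


def demo():
    """Sign one request, then show how the verifier treats a verbatim replay,
    a retargeted request and a stale timestamp. All values are constructed."""
    key_id, mac_key, alg = "client-key-1", "constructed-mac-key-material", "hmac-sha-256"
    server = MacVerifier({key_id: (mac_key, alg)})
    now = 1386500000
    hdr = build_mac_header(key_id, mac_key, alg, "GET", "/resource/1?b=1&a=2",
                           "example.com", 443, ts=now)
    results = {
        "first": server.verify(hdr, "GET", "/resource/1?b=1&a=2", "example.com", 443, now)[1],
        "replay": server.verify(hdr, "GET", "/resource/1?b=1&a=2", "example.com", 443, now + 1)[1],
        "retarget": server.verify(hdr, "DELETE", "/resource/1", "example.com", 443, now)[1],
    }
    old = build_mac_header(key_id, mac_key, alg, "GET", "/resource/1", "example.com", 443,
                           ts=now - 3600)
    results["stale"] = server.verify(old, "GET", "/resource/1", "example.com", 443, now)[1]
    return results


if __name__ == "__main__":
    print(demo())
```

Note what this does and does not buy: the request itself is protected against replay and retargeting without TLS, but the MAC key still has to reach the client without being observed, which is exactly the step the thread says the CXF wiki recommends TLS for; a client that cannot keep that key secret (the mobile/native case raised above) loses the benefit entirely, and the nonce cache must be shared across server instances to keep working behind a load balancer.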