Re: Last Call: <draft-ietf-oauth-v2-bearer-15.txt> (The OAuth 2.0 Authorization Protocol: Bearer Tokens) to Proposed Standard

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

At 07:46 23-01-2012, The IESG wrote:

The IESG has received a request from the Web Authorization Protocol WG
(oauth) to consider the following document:
- 'The OAuth 2.0 Authorization Protocol: Bearer Tokens'
  <draft-ietf-oauth-v2-bearer-15.txt> as a Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf@xxxxxxxx mailing lists by 2012-02-06. Exceptionally, comments may be


From Section 2.3:

  'When sending the access token in the HTTP request URI, the client
   adds the access token to the request URI query component as defined
   by Uniform Resource Identifier (URI) [RFC3986] using the
   "access_token" parameter.'
This draft standardizes the URI query parameter to be used. There isn't any mention of whether it is reserving the parameter. The draft mentions that: 

  'Because of the security weaknesses associated with the URI method
  (see Section 4), including the high likelihood that the URL
  containing the access token will be logged, it SHOULD NOT be used
  unless it is impossible to transport the access token in the
  "Authorization" request header field or the HTTP request entity-body.'
The security weakness is well-known. It might be good to label Section 2.3 as deprecated. I note that a "platform" using OAuth 2.0 does not mention the above security consideration.
As for Section 3, it seems that the text reflects a consensus decision of the working group which is at odds with a recommendation in the specifications from HTTPbis: 

  "As for your assertion that the specs are in conflict, yes, the Bearer spec
   includes a different decision than a RECOMMENDED clause in the HTTPbis spec
   (which was added after the Bearer text was already in place).  However, it
   is not violating any MUST clauses in the HTTPbis spec."
The thread of the discussion is at http://www.ietf.org/mail-archive/web/oauth/current/msg08051.html 

The informative reference for RFC 2616 can be removed.

Regards,
S. Moonesamy 
_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf
[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]