ietf
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Last Call: <draft-ietf-oauth-v2-bearer-15.txt> (The OAuth 2.0 Authorization Protocol: Bearer Tokens) to Proposed Standard

2012-01-25 00:20:30
from [SM] [Permanent Link] 
At 07:46 23-01-2012, The IESG wrote:

The IESG has received a request from the Web Authorization Protocol WG
(oauth) to consider the following document:
- 'The OAuth 2.0 Authorization Protocol: Bearer Tokens'
  <draft-ietf-oauth-v2-bearer-15.txt> as a Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf(_at_)ietf(_dot_)org mailing lists by 2012-02-06. Exceptionally, comments 
may be


From Section 2.3:

  'When sending the access token in the HTTP request URI, the client
   adds the access token to the request URI query component as defined
   by Uniform Resource Identifier (URI) [RFC3986] using the
   "access_token" parameter.'
This draft standardizes the URI query parameter to be used. There isn't any mention of whether it is reserving the parameter. The draft mentions that: 

  'Because of the security weaknesses associated with the URI method
  (see Section 4), including the high likelihood that the URL
  containing the access token will be logged, it SHOULD NOT be used
  unless it is impossible to transport the access token in the
  "Authorization" request header field or the HTTP request entity-body.'
The security weakness is well-known. It might be good to label Section 2.3 as deprecated. I note that a "platform" using OAuth 2.0 does not mention the above security consideration.
As for Section 3, it seems that the text reflects a consensus decision of the working group which is at odds with a recommendation in the specifications from HTTPbis: 

  "As for your assertion that the specs are in conflict, yes, the Bearer spec
   includes a different decision than a RECOMMENDED clause in the HTTPbis spec
   (which was added after the Bearer text was already in place).  However, it
   is not violating any MUST clauses in the HTTPbis spec."
The thread of the discussion is at http://www.ietf.org/mail-archive/web/oauth/current/msg08051.html 

The informative reference for RFC 2616 can be removed.

Regards,
S. Moonesamy 
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
  • Re: Last Call: <draft-ietf-oauth-v2-bearer-15.txt> (The OAuth 2.0 Authorization Protocol: Bearer Tokens) to Proposed Standard, SM <=
Previous by Date:  Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-v2-bearer-15.txt> (The, Martin Rex
Next by Date:  RE: Last Call: <draft-ietf-dnsext-xnamercode-00.txt> (xNAME RCODE and Status Bits Clarification) to Proposed Standard, Murray S. Kucherawy
Previous by Thread:  RE: [OAUTH-WG] Last Call: <draft-ietf-oauth-v2-bearer-15.txt> (The OAuth 2.0 Authorization Protocol: Bearer Tokens) to Proposed Standard, Mike Jones
Next by Thread:  T-Shirt Design Contest for IETF 83 Paris, Alexa Morris
Indexes:  [Date] [Thread] [Top] [All Lists]