Transient client secret extension


Page 1: Transient client secret extension

Transient Client Secret Extension for OAuth 2.0 Public Clients

http://tools.ietf.org/html/draft-sakimura-oauth-tcse-01

Nat Sakimura, Nomura Research Institute

Page 2: Transient client secret extension

Problem Statement

• App selection by custom scheme is non-deterministic on iOS.

• Thus, the authorization code may be intercepted by a malicious app that registered the same custom scheme as the target app.

• Those apps are generally public clients, so they do not have a client secret.

• As a result, the malicious app obtains the access token with rather high probability.

2

Page 3: Transient client secret extension


[Figure: sequence diagram; participants: bad, good, browser, server]

Page 4: Transient client secret extension


[Figure: sequence diagram; participants: bad, good, browser, server]

Page 5: Transient client secret extension


Short & Sweet: the main text is just 2 pages long.

Page 6: Transient client secret extension

JSON Metadata for OAuth Responses 1.0

http://tools.ietf.org/html/draft-sakimura-oauth-meta-02

Nat Sakimura, Nomura Research Institute


Page 7: Transient client secret extension

Introducing metadata to OAuth Responses

• Especially link relations for HATEOAS (Hypermedia as the Engine of Application State), but not limited to them.

• It gives a stub element in which to put other metadata about the response.


{
  "_links": {
    "self": {"href": "https://example.com/token?code=123"},
    "userinfo": {
      "href": "https://example.com/user/{user_id}",
      "Authorize": "{token_type} {access_token}"
    }
  },
  "token_type": "Bearer",
  "access_token": "aCeSsToKen"
}
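A small client-side resolver for the metadata shown above, added here as an example and not code from the slides or the draft: it parses the token response, follows the "userinfo" link relation, fills the {user_id}, {token_type} and {access_token} placeholders from the response's own fields plus caller-supplied values (the user_id value and the plan_request helper are assumptions), and refuses to build a URL or header when a placeholder has no value.

```python
import json
import re

# Constructed sample: the token response with "_links" metadata from the
# slide above (the placeholder values are the slide's own).
SAMPLE_RESPONSE = '''{
  "_links": {
    "self": {"href": "https://example.com/token?code=123"},
    "userinfo": {
      "href": "https://example.com/user/{user_id}",
      "Authorize": "{token_type} {access_token}"
    }
  },
  "token_type": "Bearer",
  "access_token": "aCeSsToKen"
}'''

_PLACEHOLDER = re.compile(r"\{([A-Za-z_][A-Za-z0-9_]*)\}")


def expand(template, values):
    """Replace every {name} in template from values. Unknown names raise,
    so a missing field cannot silently yield a half-expanded URL or header."""
    def sub(match):
        name = match.group(1)
        if name not in values:
            raise KeyError("no value for placeholder {%s}" % name)
        return str(values[name])
    return _PLACEHOLDER.sub(sub, template)


def resolve_link(response, rel, extra=None):
    """Turn link relation `rel` of a parsed response into a request plan:
    the expanded href plus every other key of the link (e.g. "Authorize")
    expanded as a header template. Top-level response fields such as
    token_type/access_token feed the placeholders; `extra` supplies the rest."""
    links = response.get("_links", {})
    if rel not in links:
        raise KeyError("response carries no %r link relation" % rel)
    link = links[rel]
    values = {k: v for k, v in response.items() if k != "_links"}
    values.update(extra or {})
    headers = {k: expand(t, values) for k, t in link.items() if k != "href"}
    return {"url": expand(link["href"], values), "headers": headers}


def plan_request(raw_json, rel, extra=None):
    """Hypothetical helper: parse a raw token response and resolve one link."""
    return resolve_link(json.loads(raw_json), rel, extra)


if __name__ == "__main__":
    print(plan_request(SAMPLE_RESPONSE, "userinfo", {"user_id": "alice"}))
```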