Transient client secret extension
Usage Rights

CC Attribution License

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

Transient client secret extension Presentation Transcript

1. Transient Client Secret Extension for OAuth 2.0 Public Clients
   http://tools.ietf.org/html/draft-sakimura-oauth-tcse-01
   Nat Sakimura, Nomura Research Institute

2. Problem Statement
   • App selection by custom scheme is non-deterministic on iOS.
   • Thus, the authorization code may be intercepted by a malicious app that registered the same custom scheme as the target app.
   • Those apps are generally public clients, so they do not have a client secret.
   • As a result, the access token is obtained by the malicious app with a rather high probability.

3. [Diagram: the "bad" case; parties labelled bad app, good app, browser, server]

4. [Diagram: the "good" case; parties labelled bad app, good app, browser, server]

5. Short & Sweet: the main text is just 2 pages long.

6. JSON Metadata for OAuth Responses 1.0
   http://tools.ietf.org/html/draft-sakimura-oauth-meta-02
   Nat Sakimura, Nomura Research Institute

7. Introducing metadata to OAuth Responses
   • Especially link relationships for HATEOAS (Hypermedia as the Engine of Application State), but not limited to them.
   • It will give a stub element in which to put other metadata about the response.

   {
     "_links": {
       "self": {"href": "https://example.com/token?code=123"},
       "userinfo": {
         "href": "https://example.com/user/{user_id}",
         "Authorize": "{token_type} {access_token}"
       }
     },
     "token_type": "Bearer",
     "access_token": "aCeSsToKen"
   }
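The interception problem from slide 2, and the transient-client-secret mitigation from slides 3 and 4, simulated end to end. This is an added example, not the draft's or the author's code. It assumes the mechanism as later specified in RFC 7636 (PKCE), into which draft-sakimura-oauth-tcse evolved: the client sends a code_challenge derived from a random code_verifier with the authorization request and the verifier itself with the token request, so an app that only intercepted the code cannot redeem it. The AuthorizationServer class, the helper names and the single-use policy for codes are constructed for this example.

```python
import base64
import hashlib
import secrets
from typing import Optional


def b64url(data: bytes) -> str:
    # base64url without padding, as RFC 7636 requires for verifier and challenge
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier() -> str:
    # 32 random bytes -> 43-character verifier; it stays in the legitimate app's memory
    return b64url(secrets.token_bytes(32))


def challenge_s256(verifier: str) -> str:
    # code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))  (the "S256" method)
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Toy authorization server, constructed for this example."""

    def __init__(self) -> None:
        # code -> code_challenge bound at issuance, or None for the legacy flow
        self._pending = {}

    def authorize(self, code_challenge: Optional[str] = None) -> str:
        # The code travels back through the custom-scheme redirect, i.e. it is
        # the value a malicious app registered on the same scheme can receive.
        code = secrets.token_urlsafe(16)
        self._pending[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: Optional[str] = None) -> Optional[dict]:
        # Every code is single use; a failed exchange burns it as well.
        if code not in self._pending:
            return None
        challenge = self._pending.pop(code)
        if challenge is not None:
            if code_verifier is None:
                return None
            if not secrets.compare_digest(challenge_s256(code_verifier), challenge):
                return None
        return {"token_type": "Bearer", "access_token": secrets.token_urlsafe(24)}


def attacker_wins_without_tcse(server: AuthorizationServer) -> bool:
    # Legacy public client: nothing binds the code to the app that requested it,
    # so whoever receives the redirect can redeem it.
    code = server.authorize()
    return server.token(code) is not None


def attacker_wins_with_tcse(server: AuthorizationServer) -> bool:
    verifier = make_verifier()
    code = server.authorize(code_challenge=challenge_s256(verifier))
    # The interceptor holds the code but never saw the verifier; a guess must fail.
    return server.token(code, code_verifier=make_verifier()) is not None


def legit_client_with_tcse(server: AuthorizationServer) -> bool:
    verifier = make_verifier()
    code = server.authorize(code_challenge=challenge_s256(verifier))
    return server.token(code, code_verifier=verifier) is not None


def code_is_single_use(server: AuthorizationServer) -> bool:
    verifier = make_verifier()
    code = server.authorize(code_challenge=challenge_s256(verifier))
    first = server.token(code, code_verifier=verifier)
    second = server.token(code, code_verifier=verifier)
    return first is not None and second is None


if __name__ == "__main__":
    s = AuthorizationServer()
    print("attacker wins without TCSE:", attacker_wins_without_tcse(s))
    print("attacker wins with TCSE:   ", attacker_wins_with_tcse(s))
    print("legit client with TCSE:    ", legit_client_with_tcse(s))
```

The point the simulation makes is the one on slide 2: a public client has no secret to protect the code exchange, so the only defence is to bind the code to something that never crosses the contestable redirect. The verifier is generated per request and stays inside the legitimate app's process; the server must record the challenge when it issues the code, not when the token request arrives, and should treat a failed exchange as consuming the code.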
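The response on slide 7, consumed by a client, as an added example that is not the draft's or the author's code. It parses the _links object, expands {name} placeholders in the href and in the accompanying header template, and refuses to resolve a link that would carry the access token to an origin other than the one in the self link. Two assumptions about the draft are made here: that {name} placeholders follow RFC 6570 level-1 expansion, and that members of a link other than href (the slide shows one named "Authorize") are HTTP header templates. The sample response is the slide's JSON, embedded as constructed input.

```python
import json
import re
from urllib.parse import quote, urlsplit

# Constructed sample: the token response shown on slide 7, as JSON text.
SAMPLE_RESPONSE = """{
  "_links": {
    "self": {"href": "https://example.com/token?code=123"},
    "userinfo": {
      "href": "https://example.com/user/{user_id}",
      "Authorize": "{token_type} {access_token}"
    }
  },
  "token_type": "Bearer",
  "access_token": "aCeSsToKen"
}"""

_VAR = re.compile(r"\{([A-Za-z0-9_]+)\}")


def expand(template: str, variables: dict, percent_encode: bool) -> str:
    """Expand {name} placeholders (assumed RFC 6570 level-1 style).

    A missing variable is an error; a placeholder is never left in place,
    because an unexpanded "{user_id}" would otherwise be sent on the wire.
    """
    def repl(match):
        name = match.group(1)
        if name not in variables:
            raise KeyError(f"template variable {name!r} not supplied")
        value = str(variables[name])
        return quote(value, safe="") if percent_encode else value
    return _VAR.sub(repl, template)


def resolve_link(response: dict, rel: str, variables: dict):
    """Return (url, headers) for link relation `rel` of an OAuth response."""
    links = response.get("_links", {})
    if rel not in links:
        raise KeyError(f"no link relation {rel!r} in response")
    link = links[rel]

    # Template context: the response's own top-level members (so {token_type}
    # and {access_token} resolve) plus caller-supplied values such as user_id.
    ctx = {k: v for k, v in response.items() if k != "_links"}
    ctx.update(variables)

    # URL path segments are percent-encoded; header values are substituted as-is.
    url = expand(link["href"], ctx, percent_encode=True)
    headers = {name: expand(tmpl, ctx, percent_encode=False)
               for name, tmpl in link.items() if name != "href"}

    # Defensive check: the bearer token must only be sent back to the origin
    # that issued it. A tampered or proxied response could otherwise point
    # "userinfo" at a third party and the client would hand over the token.
    if "self" in links:
        issuer = urlsplit(links["self"]["href"])
        target = urlsplit(url)
        if (issuer.scheme, issuer.netloc) != (target.scheme, target.netloc):
            raise ValueError(f"link {rel!r} leaves the issuer origin: {url}")
    return url, headers


def demo():
    response = json.loads(SAMPLE_RESPONSE)
    return resolve_link(response, "userinfo", {"user_id": "alice"})


if __name__ == "__main__":
    url, headers = demo()
    print(url, headers)
```

Keeping the origin check inside the resolver rather than at each call site is the design choice worth copying: the metadata tells the client where to go next, so the client, not the server, has to decide which destinations are allowed to see its credentials.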