Transient client secret extension

  1. Transient Client Secret Extension for OAuth 2.0 Public Clients. http://tools.ietf.org/html/draft-sakimura-oauth-tcse-01. Nat Sakimura, Nomura Research Institute.
  2. Problem Statement
     • App selection by custom URL scheme is non-deterministic on iOS.
     • Thus, the authorization code may be intercepted by a malicious app that registered the same custom scheme as the target app.
     • Such apps are generally public clients and so do not have a client secret.
     • As a result, the malicious app obtains the access token with rather high probability.
  3. (Diagram: the "bad" flow between browser and server; image not recoverable.)
  4. (Diagram: the "good" flow between browser and server; image not recoverable.)
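The slides state the problem but not the mechanism in words, so the following is an added illustration, not code from the draft or its author. It models a transient client secret the way this draft was later standardized in RFC 7636 (PKCE): the app generates a random secret for one flow, sends only its SHA-256 hash with the authorization request, and sends the secret itself with the token request, so an app that merely intercepts the code via the shared custom scheme cannot redeem it. The parameter names code_challenge, code_verifier and the S256 method are taken from RFC 7636 and are assumptions with respect to draft-01; the in-memory server and client classes are constructed for the example.

```python
"""Model of the transient-client-secret check for public clients (added example).

Assumptions (not on the slides): parameter names code_challenge / code_verifier
and the S256 method follow RFC 7636 (PKCE), which this draft became.
"""
import base64
import hashlib
import hmac
import secrets


def b64url(raw: bytes) -> str:
    """Base64url without padding, the encoding used for verifier and challenge."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def s256(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


class AuthorizationServer:
    """In-memory stand-in for the authorization and token endpoints."""

    def __init__(self) -> None:
        self._pending = {}  # code -> (code_challenge, code_challenge_method)

    def authorize(self, code_challenge: str, code_challenge_method: str) -> str:
        """Authorization endpoint: bind the challenge to a fresh single-use code."""
        code = b64url(secrets.token_bytes(16))
        self._pending[code] = (code_challenge, code_challenge_method)
        return code

    def token(self, code: str, code_verifier: str):
        """Token endpoint: the code alone is not enough; the verifier must match."""
        # Single use: whoever presents the code first consumes it, success or not,
        # so a wrong guess by an interceptor also burns the code.
        entry = self._pending.pop(code, None)
        if entry is None:
            return None
        challenge, method = entry
        if method == "S256":
            expected = s256(code_verifier)
        elif method == "plain":
            expected = code_verifier
        else:
            return None
        if not hmac.compare_digest(expected.encode("ascii"), challenge.encode("ascii")):
            return None
        return {"token_type": "Bearer",
                "access_token": b64url(secrets.token_bytes(24))}


class PublicClient:
    """A native app with no static secret; its secret lives only for one flow."""

    def __init__(self, server: AuthorizationServer) -> None:
        self._server = server
        self._verifier = None

    def start(self) -> str:
        # Transient secret: random, kept inside the app, never sent via the front channel.
        self._verifier = b64url(secrets.token_bytes(32))
        # Only its hash travels in the authorization request.
        return self._server.authorize(s256(self._verifier), "S256")

    def finish(self, code: str):
        return self._server.token(code, self._verifier)


def simulate() -> dict:
    """Two flows: an interceptor replays after the app, and an interceptor races ahead."""
    server = AuthorizationServer()

    app = PublicClient(server)
    code = app.start()                       # code delivered via the custom scheme
    legit = app.finish(code)                 # legitimate app redeems with its verifier
    replay = server.token(code, "anything")  # interceptor replays the spent code

    app2 = PublicClient(server)
    code2 = app2.start()
    # Interceptor registered the same scheme and sees code2, but not the verifier.
    raced = server.token(code2, b64url(secrets.token_bytes(32)))
    after_race = app2.finish(code2)          # code already consumed: user retries, nothing leaked

    return {"legit": legit, "replay": replay,
            "raced": raced, "after_race": after_race}


if __name__ == "__main__":
    print(simulate())
```

Only the legitimate app's first redemption yields a token; the replay and the raced attempt both fail, and the consumed code forces a fresh flow rather than handing the interceptor a second chance.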
  5. Short & Sweet: the main text is just 2 pages long.
  6. JSON Metadata for OAuth Responses 1.0. http://tools.ietf.org/html/draft-sakimura-oauth-meta-02. Nat Sakimura, Nomura Research Institute.
  7. Introducing metadata to OAuth Responses
     • Especially link relations for HATEOAS (Hypermedia as the Engine of Application State), but not limited to those.
     • It provides a stub element in which to put other metadata about the response.

     {
       "_links": {
         "self": {"href": "https://example.com/token?code=123"},
         "userinfo": {
           "href": "https://example.com/user/{user_id}",
           "Authorize": "{token_type} {access_token}"
         }
       },
       "token_type": "Bearer",
       "access_token": "aCeSsToKen"
     }
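As an added example (not from the draft or the slides) of how a client would consume the "_links" metadata above: the response on the slide is embedded verbatim, the href and "Authorize" templates are expanded from the response's own fields plus a caller-supplied user_id, and the bearer token is attached only when the resolved link stays on the same origin as the "self" link. That same-origin check, the expand/build_request helpers and the demo function are assumptions of this example, not behaviour the draft specifies.

```python
"""Consume a token response carrying "_links" metadata (added example).

The JSON is the one on the slide; the template expansion and the same-origin
check before attaching the token are assumptions of this example.
"""
import copy
import json
import string
from urllib.parse import urlsplit

# Response taken from slide 7.
TOKEN_RESPONSE = json.loads("""{
  "_links": {
    "self": {"href": "https://example.com/token?code=123"},
    "userinfo": {
      "href": "https://example.com/user/{user_id}",
      "Authorize": "{token_type} {access_token}"
    }
  },
  "token_type": "Bearer",
  "access_token": "aCeSsToKen"
}""")


def expand(template: str, values: dict) -> str:
    """Fill {name} placeholders; refuse to emit a string with an unresolved one."""
    fields = [f for _, f, _, _ in string.Formatter().parse(template) if f]
    missing = [f for f in fields if f not in values]
    if missing:
        raise KeyError(f"unresolved template fields: {missing}")
    return template.format(**values)


def same_origin(a: str, b: str) -> bool:
    """Compare scheme, host and port of two URLs."""
    ua, ub = urlsplit(a), urlsplit(b)
    return (ua.scheme, ua.hostname, ua.port) == (ub.scheme, ub.hostname, ub.port)


def build_request(response: dict, rel: str, **extra):
    """Return (url, headers) for following link `rel`, or None if the token
    would be sent to a different origin than the one that issued it."""
    link = response["_links"][rel]
    values = {k: v for k, v in response.items() if k != "_links"}
    values.update(extra)
    url = expand(link["href"], values)
    headers = {}
    if "Authorize" in link:
        # Assumption of this example: only attach the bearer token if the link
        # stays on the origin of the "self" link, so a tampered href cannot
        # redirect the token elsewhere.
        if not same_origin(url, response["_links"]["self"]["href"]):
            return None
        headers["Authorization"] = expand(link["Authorize"], values)
    return url, headers


def demo() -> dict:
    """Exercise the normal case, a missing template field and a foreign-origin link."""
    ok = build_request(TOKEN_RESPONSE, "userinfo", user_id="42")

    try:
        build_request(TOKEN_RESPONSE, "userinfo")  # user_id not supplied
        missing = None
    except KeyError as exc:
        missing = type(exc).__name__

    # Constructed tampered copy: the userinfo link points at another host.
    tampered = copy.deepcopy(TOKEN_RESPONSE)
    tampered["_links"]["userinfo"]["href"] = "https://other.example/user/{user_id}"
    foreign = build_request(tampered, "userinfo", user_id="42")

    return {"ok": ok, "missing": missing, "foreign": foreign}


if __name__ == "__main__":
    print(demo())
```

The "Authorize" template resolves to "Bearer aCeSsToKen" from the response's own fields, and the href to https://example.com/user/42; an unresolved {user_id} is rejected rather than sent literally, and a link to another origin yields no request at all.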