google oauth2 - Should I send the Secret with the Refresh Token in OAuth 2.0 -


i'm working implement oauth 2.0 server, , while reading rfc6749 specification realized section 6 on page 47 regarding "refreshing access token". explains need use refresh token have new token.

but example, in addition refresh token, google require user id , secret so.

this confuses me, because on 1 hand have google processing high volume of requests every day, , have specification written smaller scope in mind.

is send secret every hour refresh token?

personally believe no: because user id , secret should used go on whole oauth 2.0 process.

basically

  1. you use token on each request prove are.
  2. refresh token used once hour (and potentially changed @ each refresh)
  3. secret , user id go internet possible. when option 1 , 2 compromised.

i believe sending secret refresh token less secure. maybe i'm missing something.

if have point of view, please share :)

i might missing something, what google requires , what's specified oauth2 when refreshing token confidential client application client must authenticate itself.

the common type of credentials being used confidential clients client identifier alongside client secret. information issued client application , unrelated end-user.

by requiring client authentication authorization server can sure request comes specific client , adjust response accordingly. example, authorization server can decide permissions - scopes - can requested confidential clients.

the argument around reducing number of times client secret needs sent on wire non-issue. oauth2 mandates communication happens on tls , if have issues sending secret have issues sending bearer access tokens.

in conclusion, although doing things according spec without questioning overall context might lead vulnerabilities:

... libraries treated tokens signed none algorithm valid token verified signature. result? can create own "signed" tokens whatever payload want, allowing arbitrary account access on systems.

(source: critical vulnerabilities in json web token libraries)

some libraries treated none algorithm according spec, ignored usage context; if developer passed key verify signature did not want treat unsigned tokens valid.

however, passing secret on refresh token request not 1 of these situations don't worry it.


Comments

Post a Comment

Popular posts from this blog

php - How to add and update images or image url in Volusion using Volusion API -

actually have store importing products store product data insert , update image or image url not insert , update. this xml code name datapro.txt. <products_joined> <productcode>3710_012t</productcode> <vendor_partno>eah5450silent/di/1gd3(lp)</vendor_partno> <productname>test product ta</productname> <hideproduct>n</hideproduct> <stockstatus>20</stockstatus> <lastmodified>1/5/2016 10:25:00 am</lastmodified> <lastmodby>2</lastmodby> <productweight>0.9</productweight> <productprice>100</productprice> <productmanufacturer>asus tek</productmanufacturer> <vendor_price>32.69</vendor_price> <numproductssharingstock>0</numproductssharingstock> <categoryids>107</categoryids> <producturl>http://tebkq.mvlce.servertrust.com/productdetails.asp?productcode=3710_012t</producturl...
Read more

Laravel mail error `Swift_TransportException in StreamBuffer.php line 269: Connection could not be established with host smtp.gmail.com [ #0]` -

i developing website contact-us page guest users can send me email using gmail . anytime try send mail using contact-us form, error swift_transportexception in streambuffer.php line 269: connection not established host smtp.gmail.com [ #0] this mail.php return [ 'driver' => env('mail_driver', 'smtp'), 'host' => env('mail_host', 'smtp.gmail.com'), 'port' => 587, 'from' => ['address' => '', 'name' => ''], 'encryption' => env('mail_encryption', 'tls'), 'username' => env('mail_username'), 'password' => env(mail_password), 'sendmail' => '/usr/sbin/sendmail -bs', 'pretend' => env('mail_pretend', false), ]; this .env mail_driver=smtp mail_host=smtp.gmail.com mail_port=587 mail_username=afecjaped@gmail.com mail_password=********...
Read more

c# SetCompatibleTextRenderingDefault must be called before the first -

i tried search exception couldn't find solution on case i'am using code below invoke .net application : assembly assem = assembly.load(data); methodinfo method = assem.entrypoint; var o = activator.createinstance(method.declaringtype); method.invoke(o, null); the application invoked has form , in entrypoint of application : [stathread] static void main() { application.enablevisualstyles(); application.setcompatibletextrenderingdefault(false); //exception application.run(new form1()); } setcompatibletextrenderingdefault must called before first iwin32window object created in application. edit : assembly = assembly.load(data); methodinfo method = a.gettype().getmethod("start"); var o = activator.createinstance(method.declaringtype); method.invoke(o, null); you should create new method skips initialization...
Read more