google oauth2 - Should I send the Secret with the Refresh Token in OAuth 2.0 -


i'm working implement oauth 2.0 server, , while reading rfc6749 specification realized section 6 on page 47 regarding "refreshing access token". explains need use refresh token have new token.

but example, in addition refresh token, google require user id , secret so.

this confuses me, because on 1 hand have google processing high volume of requests every day, , have specification written smaller scope in mind.

is send secret every hour refresh token?

personally believe no: because user id , secret should used go on whole oauth 2.0 process.

basically

  1. you use token on each request prove are.
  2. refresh token used once hour (and potentially changed @ each refresh)
  3. secret , user id go internet possible. when option 1 , 2 compromised.

i believe sending secret refresh token less secure. maybe i'm missing something.

if have point of view, please share :)

i might missing something, what google requires , what's specified oauth2 when refreshing token confidential client application client must authenticate itself.

the common type of credentials being used confidential clients client identifier alongside client secret. information issued client application , unrelated end-user.

by requiring client authentication authorization server can sure request comes specific client , adjust response accordingly. example, authorization server can decide permissions - scopes - can requested confidential clients.

the argument around reducing number of times client secret needs sent on wire non-issue. oauth2 mandates communication happens on tls , if have issues sending secret have issues sending bearer access tokens.

in conclusion, although doing things according spec without questioning overall context might lead vulnerabilities:

... libraries treated tokens signed none algorithm valid token verified signature. result? can create own "signed" tokens whatever payload want, allowing arbitrary account access on systems.

(source: critical vulnerabilities in json web token libraries)

some libraries treated none algorithm according spec, ignored usage context; if developer passed key verify signature did not want treat unsigned tokens valid.

however, passing secret on refresh token request not 1 of these situations don't worry it.


Comments

Post a Comment

Popular posts from this blog

php - How to add and update images or image url in Volusion using Volusion API -

actually have store importing products store product data insert , update image or image url not insert , update. this xml code name datapro.txt. <products_joined> <productcode>3710_012t</productcode> <vendor_partno>eah5450silent/di/1gd3(lp)</vendor_partno> <productname>test product ta</productname> <hideproduct>n</hideproduct> <stockstatus>20</stockstatus> <lastmodified>1/5/2016 10:25:00 am</lastmodified> <lastmodby>2</lastmodby> <productweight>0.9</productweight> <productprice>100</productprice> <productmanufacturer>asus tek</productmanufacturer> <vendor_price>32.69</vendor_price> <numproductssharingstock>0</numproductssharingstock> <categoryids>107</categoryids> <producturl>http://tebkq.mvlce.servertrust.com/productdetails.asp?productcode=3710_012t</producturl>
Read more

javascript - jQuery UI Splitter/Resizable for unlimited amount of columns -

using jqueryui splitter or resizable functions want create layout allows unlimited amount of columns added , columns need resizable. so fiddle: https://jsfiddle.net/f3glh3mw/ but in fiddle html contains out of nested sets instead of inline. limits possibilities above fiddle can have equal widths 2,4,8,16,32 etc columns. in between shows crooked can see in fiddle. when researching came on question: jquery ui , splitter if @ top answer shows structure like: <div class="wrap"> <div class="resizable resizable1"></div> <div class="resizable resizable2"></div> </div> full fiddle: http://jsfiddle.net/8qztj/86/ which structure want javascript hardcoded 2 resizable items. so here question: how modify last fiddle works amount of .resizable divs. or know of plugin can this. thanks helping! so far found plugin: http://www.bacubacu.com/colresizable/ which says , close functionality want. in
Read more

javascript - IE9 error '$'is not defined -

Image
<!--[if lte ie 9]><html class="lte9"><![endif]--><!--[if gt ie 9]><html><![endif]--> <!--[if !ie]><!--> <html> <!--<![endif]--> blah blah <script src="https://ajax.googleapis.com/ajax/libs/jquery/1.12.1/jquery.min.js"></script> <script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js"></script> <script src="{{ asset('js/mypage.js') }}" type="text/javascript"></script> </body> </html> when load page, ie9 brings error '$' not defined . how can solve error? +++ mypage.js $(function(){ //when load page, //ie9 tag not moving. $(window).load(function() { $('div.mask').hide(); }); // when click , willshow show. //for not ie 9 if (!$('html').hasclass('lte9')) { var = $('ul.about > li > span.activebtn');
Read more