Domain Zombie

Reputation: 31

Why is the token secret returned unencrypted in OAuth?

My understanding of the 'key' (or 'token') in an OAuth system is that it is like a 'username' to identify the sender, which is not confidential, but the 'secret' is actually like a 'password'.

But reading through the OAuth 1.0 spec on http://oauth.net/core/1.0/#signing_process, it seems to me that when the consumer asks the service provider for a token (either a request token or an access token), the token and token secret are returned in PLAIN (just base-64 encoded) text in the HTTP response.

And after searching the web, it looks like in lots if not all cases the "request token URL" is HTTP, not HTTPS, which means a 3rd party may intercept the token and token secret.

So am I wrong thus far? I know that even if a 3rd party intercepted the token secret it's still useless, as any request by the consumer (or any party claiming to be the consumer) must be signed with the consumer key (plus the token secret), which the 3rd party usually doesn't know, but then why do we need the token secret?

Upvotes: 2

Views: 800
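As an added example (not code from the question or the answer), here is the OAuth 1.0 HMAC-SHA1 signing step the question refers to, written in Python and checked against the test vector in Appendix A of the linked spec. It shows that the token secret is the second half of the signing key, so a party that sees only the (public) token cannot produce a valid signature, while a service provider can verify one without the secrets ever appearing on the wire.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit


def pct(value: str) -> str:
    # OAuth 1.0 percent-encoding: only RFC 3986 unreserved characters stay bare
    return quote(str(value), safe="-._~")


def signature_base_string(method: str, url: str, oauth_params: dict, body_params=()) -> str:
    """Build the Signature Base String (OAuth Core 1.0, section 9.1)."""
    parts = urlsplit(url)
    # Base URL is scheme, host and path only (this example assumes no explicit port)
    base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    params = list(parse_qsl(parts.query, keep_blank_values=True))
    params += list(oauth_params.items())
    params += list(body_params)
    # Encode every name and value, then sort by name, then by value
    normalized = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in params))
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def hmac_sha1_signature(base_string: str, consumer_secret: str, token_secret: str) -> str:
    """HMAC-SHA1 signature (section 9.2). The key is BOTH secrets joined by '&':
    the token secret is the token's 'password', so holding only the token is not enough."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def verify_signature(presented: str, base_string: str, consumer_secret: str, token_secret: str) -> bool:
    # Service-provider side check; constant-time comparison avoids timing leaks
    expected = hmac_sha1_signature(base_string, consumer_secret, token_secret)
    return hmac.compare_digest(presented, expected)


# Test vector from OAuth Core 1.0 Appendix A (the spec the question links to)
CONSUMER_SECRET = "kd94hf93k423kf44"
TOKEN_SECRET = "pfkkdhi9sl3r4s00"
OAUTH_PARAMS = {
    "oauth_consumer_key": "dpf43f3p2l4k3l03",
    "oauth_token": "nnch734d00sl2jdk",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1191242096",
    "oauth_nonce": "kllo9940pd9333jh",
    "oauth_version": "1.0",
}
URL = "http://photos.example.net/photos?file=vacation.jpg&size=original"


def example_signature() -> str:
    return hmac_sha1_signature(signature_base_string("GET", URL, OAUTH_PARAMS), CONSUMER_SECRET, TOKEN_SECRET)


if __name__ == "__main__":
    print(example_signature())  # spec's expected value: tR3+Ty81lMeYAr/Fid0kMTYa/WM=
```

Only the signature travels with the request; the secrets stay with the consumer and the service provider, which is exactly why leaking them once during an HTTP token exchange undermines every later signed request.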

Answers (1)

jcomeau_ictx

Reputation: 38472

Although it is permitted to use http, it is recommended (see appendix B.1) to use secure transport (https), otherwise your concerns are quite valid. I know for sure Google allows https:// on all their OAuth transactions, at least as far as getting the token and secret, and for all the API data requests that I've tried so far.

Upvotes: 1
