[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#23281: 24.5; oauth2 lacks "Authorization: Bearer"
From: |
npostavs |
Subject: |
bug#23281: 24.5; oauth2 lacks "Authorization: Bearer" |
Date: |
Mon, 11 Jul 2016 20:43:08 -0400 |
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/25.0.93 (gnu/linux) |
tags 23281 fixed
close 23281 oauth2/0.11
quit
Jon Kåre Hellan <hellan@acm.org> writes:
> The oauth2 elpa package provides oauth2 authentication. The Oauth2
> standard works by passing around authentication tokens. The oauth2.el
> appends the token to the url as a query parameter. This works with some
> services, but the preferred way is to pass it in an
> "Authorization: Bearer" header. Quote from RFC 6570:
>
> Because of the security weaknesses associated with the URI method
> (see Section 5), including the high likelihood that the URL
> containing the access token will be logged, it SHOULD NOT be used
> unless it is impossible to transport the access token in the
> "Authorization" request header field or the HTTP request entity-body.
>
> oauth2.el should be able to use the header mechanism, either mandatory
> or as a default.
This seems to have been implemented in oauth2 version 0.11 (elpa commit
55da50d5 2016-07-09 "oauth2: send authentication token via Authorization
header").
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- bug#23281: 24.5; oauth2 lacks "Authorization: Bearer",
npostavs <=