Last modified: 2013-09-30 14:24:03 UTC
We currently don't require HTTPS for the consumer to get the authorization token. The auth token's secret is combined with the consumer's secret for an HMAC signature, so part of the signing key would be known to an attacker if they can sniff this traffic. RFC 5849 section 2.3 says that: "Since the request results in the transmission of plain text credentials in the HTTP response, the server MUST require the use of a transport-layer mechanism such as TLS or SSL (or a secure channel with equivalent protections)." However, if the Consumer is using an RSA key, then the authorization token's secret isn't used, so the security isn't affected by not using SSL for the /token call.
(In reply to comment #0)
> However, if the Consumer is using an RSA key, then the authorization token's
> secret isn't used, so the security isn't affected by not using SSL for the
> /token call.

What about the token credentials returned in the response? Those are still plain text.
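To make the two points in the comments above concrete (that under HMAC-SHA1 the token secret is half of the signing key, and that the token credentials come back as a plain form-encoded body), here is an added Python walkthrough of the RFC 5849 signing steps. It is illustration only, not MWOAuth's code; the consumer key, secrets, nonce, timestamp and the token response body are constructed sample values, and the request URL is a made-up example.

```python
"""OAuth 1.0a (RFC 5849) HMAC-SHA1 signing and token-response parsing.

Added illustration, not MWOAuth's own code. All secrets and the response
body below are constructed sample values.
"""
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, quote, urlsplit, urlunsplit

CONSUMER_SECRET = "kd94hf93k423kf44"  # constructed sample consumer secret

# Constructed sample of a request-token response body exactly as the server
# returns it: form-encoded plain text, so over HTTP the secret is readable.
TOKEN_RESPONSE = (
    "oauth_token=hh5s93j4hdidpola"
    "&oauth_token_secret=hdhd0244k9j7ao03"
    "&oauth_callback_confirmed=true"
)


def pct(s: str) -> str:
    """RFC 5849 section 3.6 encoding: only unreserved characters stay literal."""
    return quote(s, safe="-._~")


def base_string_uri(url: str) -> str:
    """RFC 5849 section 3.4.1.2: lowercase scheme and host, drop default
    ports, and strip the query string and fragment."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname.lower()
    port = parts.port
    default = (scheme == "http" and port == 80) or (scheme == "https" and port == 443)
    if port is not None and not default:
        host = f"{host}:{port}"
    return urlunsplit((scheme, host, parts.path or "/", "", ""))


def normalized_params(pairs) -> str:
    """RFC 5849 section 3.4.1.3.2: encode every name and value, sort by name
    then value (duplicates allowed), and join with '&'. The signature itself
    and the 'realm' header parameter are not part of the signed set."""
    encoded = sorted(
        (pct(k), pct(v)) for k, v in pairs if k not in ("oauth_signature", "realm")
    )
    return "&".join(f"{k}={v}" for k, v in encoded)


def signature_base_string(method: str, url: str, pairs) -> str:
    """RFC 5849 section 3.4.1.1: METHOD & encoded URI & encoded parameter string."""
    return "&".join(
        [method.upper(), pct(base_string_uri(url)), pct(normalized_params(pairs))]
    )


def signing_key(consumer_secret: str, token_secret: str) -> str:
    """RFC 5849 section 3.4.2: the HMAC-SHA1 key is both secrets, each
    encoded, joined by '&'. A token secret sniffed from an unencrypted
    /token response is therefore the second half of this key."""
    return f"{pct(consumer_secret)}&{pct(token_secret)}"


def hmac_sha1_sign(method, url, pairs, consumer_secret, token_secret) -> str:
    key = signing_key(consumer_secret, token_secret).encode("ascii")
    msg = signature_base_string(method, url, pairs).encode("ascii")
    return base64.b64encode(hmac.new(key, msg, hashlib.sha1).digest()).decode("ascii")


def verify_hmac_sha1(method, url, pairs, consumer_secret, token_secret) -> bool:
    """Server-side check: recompute the signature and compare in constant time."""
    provided = dict(pairs).get("oauth_signature", "")
    expected = hmac_sha1_sign(method, url, pairs, consumer_secret, token_secret)
    return hmac.compare_digest(expected, provided)


def parse_token_response(body: str):
    """RFC 5849 sections 2.1 and 2.3: the credentials come back form-encoded,
    unencrypted at the application layer; transport security is the only
    thing keeping oauth_token_secret private."""
    fields = parse_qs(body, strict_parsing=True)
    return fields["oauth_token"][0], fields["oauth_token_secret"][0]


def demo():
    """Sign a constructed request with the sampled token, then show that a
    verifier using a different token secret rejects it: the token secret is
    load-bearing key material, not just an identifier."""
    token, token_secret = parse_token_response(TOKEN_RESPONSE)
    params = [
        ("oauth_consumer_key", "dpf43f3p2l4k3l03"),  # constructed sample
        ("oauth_token", token),
        ("oauth_signature_method", "HMAC-SHA1"),
        ("oauth_timestamp", "137131201"),
        ("oauth_nonce", "7d8f3e4a"),
        ("file", "vacation.jpg"),
        ("size", "original"),
    ]
    url = "https://Example.com:443/photos"  # made-up endpoint
    sig = hmac_sha1_sign("GET", url, params, CONSUMER_SECRET, token_secret)
    signed = params + [("oauth_signature", sig)]
    ok = verify_hmac_sha1("GET", url, signed, CONSUMER_SECRET, token_secret)
    rejected = verify_hmac_sha1("GET", url, signed, CONSUMER_SECRET, "not-the-secret")
    return ok, rejected


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The RSA-SHA1 case from comment 0 is the contrast: there the client signs the same base string with its RSA private key (RFC 5849 section 3.4.3), so `signing_key` above is never built and the token secret adds nothing to the signature. The token credentials in `TOKEN_RESPONSE` are still readable in transit either way, which is the reply's point.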
Change 85218 had a related patch set uploaded by Anomie: Use HTTPS for Special:MWOAuth/token https://gerrit.wikimedia.org/r/85218
Change 85218 merged by jenkins-bot: Use HTTPS for Special:MWOAuth/token https://gerrit.wikimedia.org/r/85218