It may be a stupid or naive question, but: Are OAuth2 bearer tokens signed?

To put it in other words: Is the consumer able to verify whether the bearer token was issued by a specific authorization server?

Charles
Golo Roden

2 Answers

No. But there are efforts under way to fix this. HTTPS ensures the token was transmitted securely, but it doesn't tell you who issued the token.

Moby Disk


Actually you have to use OAuth over HTTPS, which is going to be responsible for signing.

Bassem Reda Zohdy

But how does HTTPS help here? If I transfer the token securely from the auth server to the consumer, fine. But how does this help the resource server to verify whether the token came from a specific auth server it trusts? – Golo Roden Apr 18 '13 at 06:07

Actually there has to be communication between the resource server and the auth server, in my case for example using a database. And it could be any secured channel; the use of HTTPS is to be sure that the server talking to you is trusted, but to be trusted you have to put the token in the header – Bassem Reda Zohdy Apr 20 '13 at 22:59
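The two threads above make one point between them: an opaque bearer token carries nothing that identifies who issued it (Moby Disk's answer), so a resource server can only validate it by asking the authorization server or a store it shares with it (the back-channel in Bassem's comment). A token whose issuer is verifiable on its own has to be signed. The following is an added illustration, not code from the thread and not any particular standard: `OpaqueAuthServer`, `sign_token` and `verify_token` are hypothetical names, the signed format (base64url JSON body plus an HMAC-SHA256 tag) is made up for the demo, and the server names and keys are constructed sample values.

```python
"""Opaque bearer token vs. a signed token the resource server can check itself.

Added example, not from the Stack Overflow thread. The signed-token layout
below is an illustration only; it is not any published token standard.
"""
import base64
import hashlib
import hmac
import json
import secrets


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# --- Opaque bearer token: a random string, no issuer information -------

class OpaqueAuthServer:
    """Hypothetical auth server that issues random tokens and remembers them."""

    def __init__(self, name: str):
        self.name = name
        self._active = {}  # token -> subject; the only record of what was issued

    def issue(self, subject: str) -> str:
        token = secrets.token_urlsafe(32)
        self._active[token] = subject
        return token

    def introspect(self, token: str):
        # The back-channel from the comments: the resource server asks the
        # auth server (or a shared database) whether it issued this token.
        return self._active.get(token)


# --- Signed token: issuer verifiable offline with a trusted key ---------

def sign_token(issuer: str, subject: str, key: bytes) -> str:
    """Hypothetical format: base64url(JSON claims) '.' base64url(HMAC-SHA256)."""
    payload = json.dumps({"iss": issuer, "sub": subject}, separators=(",", ":")).encode()
    body = b64url(payload)
    tag = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{b64url(tag)}"


def verify_token(token: str, trusted_keys: dict):
    """Return the claims if signed with the key of a trusted issuer, else None.

    trusted_keys maps issuer name -> HMAC key the resource server trusts.
    """
    try:
        body, tag_b64 = token.split(".")
        claims = json.loads(b64url_decode(body))
        tag = b64url_decode(tag_b64)
    except (ValueError, json.JSONDecodeError):
        return None
    key = trusted_keys.get(claims.get("iss"))
    if key is None:
        return None  # claimed issuer is not one we trust
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # tampered, or signed by someone else using our issuer name
    return claims


def demo():
    """Run both scenarios and return the outcomes (constructed sample data)."""
    trusted_auth = OpaqueAuthServer("auth.example")
    other_auth = OpaqueAuthServer("other.example")
    ours = trusted_auth.issue("alice")
    theirs = other_auth.issue("alice")
    # Nothing in either string says where it came from; only the issuer knows.
    opaque = {
        "ours_at_trusted": trusted_auth.introspect(ours),
        "theirs_at_trusted": trusted_auth.introspect(theirs),
    }

    trusted_key = secrets.token_bytes(32)
    rogue_key = secrets.token_bytes(32)
    trusted = {"auth.example": trusted_key}
    signed = {
        "good": verify_token(sign_token("auth.example", "alice", trusted_key), trusted),
        # Same "iss" claim, but signed with a key we do not trust.
        "forged": verify_token(sign_token("auth.example", "alice", rogue_key), trusted),
        "unknown_issuer": verify_token(sign_token("other.example", "alice", rogue_key), trusted),
    }
    return {"opaque": opaque, "signed": signed}


if __name__ == "__main__":
    print(demo())
```

The opaque half only ever answers "is this one of mine?" and requires a round trip (or a shared store) per check; the signed half lets the resource server decide locally, but then key distribution between auth server and resource server becomes the thing to protect, and HTTPS on the client connection does nothing for either case.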