I'm not sure I understand the concern with integrity of OAuth 2.0 payloads. Sending the request over HTTPS already ensures that the request is not tampered with, and also guards against replay attacks.
No, it can potentially ensure integrity between a client and the first TLS hop; that’s about it.
You don’t know which client it actually came from and you can’t ensure integrity within the transaction flow of your app.
Say the request terminated at an LB proxy, then passed through an API gateway into an MQ, then went through multiple servers: you need some form of integrity checking for the request, and OAuth 2.0 doesn’t provide it.
Wouldn't this be a reasonable reason if you consider that they might use additional equipment to terminate HTTPS connection in an early layer of their network?
geocar|7 years ago
Breaking IP might not even be necessary because programmers are dumb [2].
[1]: https://www.bleepingcomputer.com/news/security/dns-poisoning...
[2]: http://web.archive.org/web/20120317165131/http://forum.devel...