I am new to OAUTH and trying out understanding the spec. So as per the spec protocol flow, I understand that Client A, can get Authorization code and then Access Token for a protected resource.
Now if Access Token has been obtained, Services e.g Linked in expects the Access token to be part of URL Query, See their interface document.
So now if Client A has shared access token with Client B, or e.g anyone intercepts the request, and gets the access token, then he too can start accessing all details that Client A can access. Is this understanding correct? If yes, then how can we protect such kind of Access token sharing/misuse?
There are multiple ways to pass an access token to endpoints of protected resources. For example, as a query parameter like:
access_token={Your-Access-Token}
Another example is Bearer Token Usage (RFC 6750) in which an access token is embedded in Authorization header like:
Authorization: Bearer {Your-Access-Token}
How to pass an access token is defined by each service.
Access tokens must be kept secret. If Client B obtains an access token issued to Client A, Client B can behave as if it were Client A. Yes, there are risks of access token leakage, so access tokens have limited lifetime, and it is a reason that most services have a page to enable users to revoke access tokens.
来源:https://stackoverflow.com/questions/23798963/can-oauth2-access-token-be-shared-by-client