Tags: spring-boot, oauth-2.0, access-token, spring-security-oauth2, spring-oauth2

Can OAuth 2.0 access_tokens be compromised?


I am learning more about OAuth2 concepts and am very much interested in using the Spring OAuth2 module. I am a bit lost when learning about access tokens. How can we prevent the access_tokens from being compromised? I understand that the whole token exchange happens using HTTPS; however, a client can access a resource using HTTP. Also, the access_token could be short-lived, but it does have a window where it can be compromised. Is my understanding correct?

How can this be prevented? I see some mention of a token_secret that could be passed along with the access_token, but I am not sure if Spring's OAuth 2 implementation uses it.

What is the Access Token vs. Access Token Secret and Consumer Key vs. Consumer Secret

Please correct me if I am on a wrong track. Thanks.


Solution

  • You are right. An access token can be compromised through several threats (see RFC 6819 for some threat models).

    But some specifications (or ongoing specifications) add ways to prevent access tokens from being compromised, or to help you limit the bad effects if one is stolen.
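To make the answer's point concrete, here is an added example (not code from the question, the answer, or Spring Security) showing the difference between a plain bearer token and a sender-constrained (proof-of-possession) token when an attacker captures the token on an unprotected hop. The `ResourceServer`, `Client`, `X-PoP-Proof` header and `PoP` scheme are invented for the demo. The binding uses an HMAC key shared between client and resource server, which is the OAuth 1.0 "token secret" idea the question mentions; the specifications the answer alludes to, mTLS-bound tokens (RFC 8705) and DPoP (RFC 9449), bind the token to an asymmetric key instead so the resource server never holds the client's private key, but the replay and forgery checks are the same in shape. It also shows why a short lifetime only narrows, rather than closes, the window.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 300  # assumed lifetime for the demo


def sign_request(key, method, path, ts, nonce, token):
    """Proof of possession: HMAC over the request, a freshness nonce and a hash of
    the token. Stand-in for a DPoP/mTLS signature (assumption: shared HMAC key)."""
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    msg = "\n".join([method.upper(), path, str(ts), nonce, token_hash]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class ResourceServer:
    """Hypothetical resource server that accepts bearer or key-bound tokens."""

    def __init__(self):
        self.tokens = {}          # access_token -> {"sub", "exp", "key"}; key None = bearer
        self.seen_nonces = set()  # replay protection for PoP proofs

    def issue(self, subject, bind_to_key=None, now=None):
        # Stands in for the authorization server; a real RS would learn this via
        # introspection or a signed JWT carrying a "cnf" (confirmation) claim.
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"sub": subject, "exp": now + TOKEN_TTL_SECONDS, "key": bind_to_key}
        return token

    def authorize(self, method, path, headers, now=None):
        now = time.time() if now is None else now
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        rec = self.tokens.get(token)
        if rec is None or now >= rec["exp"]:
            return (False, "invalid or expired token")
        if rec["key"] is None:
            # Plain bearer: whoever presents the string is accepted.
            return (True, "bearer accepted") if scheme == "Bearer" else (False, "wrong scheme")
        if scheme != "PoP":
            return (False, "token is key-bound; bearer use refused")
        return self._check_proof(method, path, headers, token, rec["key"], now)

    def _check_proof(self, method, path, headers, token, key, now):
        proof = headers.get("X-PoP-Proof")
        if proof is None:
            return (False, "missing proof")
        try:
            ts_str, nonce, mac = proof.split(".")
            ts = int(ts_str)
        except ValueError:
            return (False, "malformed proof")
        if abs(now - ts) > 60:
            return (False, "proof timestamp outside window")
        expected = sign_request(key, method, path, ts, nonce, token)
        if not hmac.compare_digest(expected, mac):
            return (False, "bad signature")      # request forged without the key
        if nonce in self.seen_nonces:
            return (False, "proof replayed")     # captured request presented again
        self.seen_nonces.add(nonce)
        return (True, "pop accepted")


class Client:
    def __init__(self, token, key=None):
        self.token, self.key = token, key

    def build_request(self, method, path, now=None):
        now = int(time.time() if now is None else now)
        if self.key is None:
            return {"Authorization": "Bearer " + self.token}
        nonce = secrets.token_hex(8)
        mac = sign_request(self.key, method, path, now, nonce, self.token)
        return {"Authorization": "PoP " + self.token, "X-PoP-Proof": f"{now}.{nonce}.{mac}"}


def demo():
    """Runs the attack scenarios; returns {scenario: (accepted, reason)}."""
    rs, results = ResourceServer(), {}

    # 1. Bearer token captured on a plain-HTTP hop: the attacker's copy is as good as the original.
    bearer = rs.issue("alice")
    stolen = Client(bearer).build_request("GET", "/api/me")   # attacker's copy of the request
    results["bearer_replay"] = rs.authorize("GET", "/api/me", stolen)

    # 2. Key-bound token: attacker captures the token and one signed request, but not the key.
    client_key = secrets.token_bytes(32)
    pop = rs.issue("bob", bind_to_key=client_key)
    req = Client(pop, client_key).build_request("GET", "/api/me")
    results["pop_legit"] = rs.authorize("GET", "/api/me", req)
    forged = {"Authorization": "PoP " + pop, "X-PoP-Proof": req["X-PoP-Proof"]}
    results["pop_forge_other_path"] = rs.authorize("POST", "/api/transfer", forged)
    results["pop_replay"] = rs.authorize("GET", "/api/me", req)
    results["pop_as_bearer"] = rs.authorize("GET", "/api/me", {"Authorization": "Bearer " + pop})

    # 3. Short lifetime: the stolen bearer token works until expiry, then stops.
    results["bearer_expired"] = rs.authorize("GET", "/api/me", stolen, now=time.time() + TOKEN_TTL_SECONDS + 1)
    return results


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:22s} {'ACCEPT' if ok else 'REJECT':6s} {why}")
```

The bearer case is the one the question worries about: within the token's lifetime nothing distinguishes the attacker from the client, so HTTPS on every hop and a short TTL are the only defenses. The key-bound case shows what "limit bad effects if stolen" means in practice: the captured token cannot be used as a bearer token, the captured proof cannot be replayed, and a new request cannot be signed without the key. Spring Security's OAuth2 resource server support validates the token itself; whether the key binding is enforced depends on the specification you deploy (mTLS or DPoP), not on a token_secret field.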