I'm sure something is missing here, so hopefully someone here can fill me in.
I am considering implementing OAuth 2.0 in the .NET 4.5 Web API (version 2, I think?), and I have implemented a very simple demo where I have a console application that invokes some basic actions. I get the token from the "/Token" endpoint, and I pass it as a "bearer" token in the "Authorization" header. Everything works perfectly.
However, what I am missing is how this defends against MITM, replay or other attacks. If I just transfer the credentials (in the form of a token) and they are the same credentials all the time, what protection is wrapped around this to make sure that no one just steals my token and impersonates me?
Admittedly, I use SSL, but is that the only protection built around this? Maybe I should also use some kind of nonce, or timestamp? If so, how do I do that in the Web API?
In any case, I am sure there is a very simple explanation here, so I will be grateful for the information.
Also note that I run both servers in two Visual Studio 2013 web application projects that are in different VS 2013 solutions running on different ports. I'm not sure if that matters, but I thought I would mention it.