why isn't it possible to steal an access token?

Julien · Jul 8, 2011 · Viewed 8.2k times

I'm learning OAuth and I have a question in my head I can't find an answer to.

I understood that the request token is used to authorize (or not) an application to use the API. But once the user has got an access token, what happens if someone steals his access token?

Imagine that we have something like http://www.example.com/api/article/1?access_token=******access_token******

If I give this URL to another user, the other user would have my access, and so the API isn't protected anymore?

Answer

Jon Nylander · Jul 9, 2011

Short answer: Yes, for OAuth2 - whoever has a valid access_token would have access to the resources designated by that token. For how long depends on the provider's OAuth2 implementation.

Long answer, about both OAuth1 and 2:

When it comes to OAuth 1, an access token is not enough. You would also need the access token secret, and also the consumer key and secret. It is still good to keep the access tokens confidential, and to limit their scope and time of validity, but you cannot use the access token without the client and token secrets. OAuth 1 doesn't require that you use SSL, because cryptography is built right into the specification.

OAuth 2 is different - it is arguably more important that access tokens are kept confidential. Therefore the API provider should ensure that access tokens, which in OAuth2 are also known as Bearer tokens, are valid only for as short a time as possible. These tokens work like passwords, and if intercepted can be used immediately by an attacker. Therefore the OAuth2 (with bearer token) specification requires that all communication takes place over SSL - since no cryptography is built into the specification. Typically access tokens have a short validity, which can be refreshed with a "refresh token" which has a longer validity but is only transferred when the initial bearer token is received by the consumer, and when a bearer token is refreshed.
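The difference the answer above describes can be shown from the resource server's side. The following is an added example, not code from the question or the answer, and not any provider's implementation: it implements the OAuth 1.0a HMAC-SHA1 signature check (RFC 5849 style signature base string and signing key), alongside a minimal OAuth 2 bearer-token check with an expiry. All credentials, the in-memory lookup tables and the `/api/article/1` request are constructed stand-ins for a provider's database; the nonce/timestamp replay check is standard OAuth 1 practice added here, not something the answer spells out.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote

# Constructed, hypothetical OAuth 1 credentials (not from any real provider).
CONSUMER_KEY, CONSUMER_SECRET = "demo-consumer-key", "demo-consumer-secret"
ACCESS_TOKEN, TOKEN_SECRET = "demo-access-token", "demo-token-secret"

# Stand-ins for the provider's credential store.
CONSUMER_SECRETS = {CONSUMER_KEY: CONSUMER_SECRET}
TOKEN_SECRETS = {ACCESS_TOKEN: TOKEN_SECRET}


def _pct(s):
    # RFC 3986 percent-encoding; Python's quote() leaves unreserved chars (incl. '~') alone.
    return quote(str(s), safe="")


def oauth1_base_string(method, base_url, params):
    # params = query parameters plus oauth_* fields, excluding oauth_signature.
    pairs = sorted((_pct(k), _pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), _pct(base_url), _pct(normalized)])


def oauth1_sign(method, base_url, params, consumer_secret, token_secret):
    # Signing key combines BOTH secrets: the token alone cannot produce a valid signature.
    key = f"{_pct(consumer_secret)}&{_pct(token_secret)}".encode()
    base = oauth1_base_string(method, base_url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def oauth1_client_request(method, base_url, query, consumer_key, consumer_secret, token, token_secret):
    # What a client sends: query params, oauth_* protocol params, and the signature.
    params = dict(query)
    params.update({
        "oauth_consumer_key": consumer_key, "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": str(int(time.time())),
        "oauth_nonce": secrets.token_hex(8), "oauth_version": "1.0",
    })
    params["oauth_signature"] = oauth1_sign(method, base_url, params, consumer_secret, token_secret)
    return params


def oauth1_verify(method, base_url, params, now=None, seen_nonces=None, window=300):
    # Resource server check: recompute the signature with the secrets it holds.
    params = dict(params)
    presented = params.pop("oauth_signature", None)
    consumer_secret = CONSUMER_SECRETS.get(params.get("oauth_consumer_key"))
    token_secret = TOKEN_SECRETS.get(params.get("oauth_token"))
    if presented is None or consumer_secret is None or token_secret is None:
        return False
    try:
        ts = int(params.get("oauth_timestamp", ""))
    except ValueError:
        return False
    now = time.time() if now is None else now
    if abs(now - ts) > window:          # stale request
        return False
    if seen_nonces is not None:          # a captured signed request cannot be replayed
        key = (params["oauth_consumer_key"], params["oauth_token"], ts, params.get("oauth_nonce"))
        if key in seen_nonces:
            return False
        seen_nonces.add(key)
    expected = oauth1_sign(method, base_url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, presented)


# OAuth 2 bearer tokens (constructed store): possession of the token is the whole proof.
BEARER_TOKENS = {}


def issue_bearer(scope, lifetime=600, now=None):
    now = time.time() if now is None else now
    tok = secrets.token_urlsafe(32)
    BEARER_TOKENS[tok] = {"scope": set(scope), "exp": now + lifetime}
    return tok


def bearer_verify(token, required_scope, now=None):
    # Short lifetime is the main mitigation: after "exp" the leaked string is worthless.
    now = time.time() if now is None else now
    rec = BEARER_TOKENS.get(token)
    if rec is None or now >= rec["exp"]:
        return False
    return required_scope in rec["scope"]


def demo():
    method, url, query = "GET", "http://www.example.com/api/article/1", {"fields": "title"}
    signed = oauth1_client_request(method, url, query, CONSUMER_KEY, CONSUMER_SECRET, ACCESS_TOKEN, TOKEN_SECRET)
    # Someone who copied the consumer key and token but holds neither secret:
    no_secrets = oauth1_client_request(method, url, query, CONSUMER_KEY, "", ACCESS_TOKEN, "")
    nonces = set()
    tok = issue_bearer(["read"], lifetime=600, now=1000.0)
    return {
        "oauth1_signed_ok": oauth1_verify(method, url, signed, seen_nonces=nonces),
        "oauth1_without_secrets": oauth1_verify(method, url, no_secrets),
        "oauth1_replay": oauth1_verify(method, url, signed, seen_nonces=nonces),
        "bearer_copied_ok": bearer_verify(tok, "read", now=1300.0),   # anyone holding tok
        "bearer_expired": bearer_verify(tok, "read", now=1700.0),
    }


if __name__ == "__main__":
    print(demo())
```

The OAuth 1 path fails for a caller who has only the token string, because the HMAC key is derived from the consumer secret and the token secret that never leave the client and the provider; the nonce set additionally stops a captured request from being resubmitted. The bearer path accepts any caller presenting the token until it expires, which is why the answer ties OAuth 2's safety to TLS and short token lifetimes rather than to anything in the token itself.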