[http://jira.amdatu.org/jira/browse/AMDATUAUTH-43?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=11221#comment-11221]
Ivo Ladage - van Doorn edited comment on AMDATUAUTH-43 at 7/6/11 5:03 PM:
--------------------------------------------------------------------------
The oauth_verifier should be added to the callback URL by the provider, but
this is not enough. Also, the callback URL should be set upon retrieval of the
request token. The best way to do this is to persist the callback URL in the request
token when it is stored in the token store. The authorize token servlet should
then redirect the user to the callback URL associated with this request token.
Finally, the request token servlet should respond with an
oauth_callback_confirmed set to true to indicate that it implements the updated
version of the spec.
was (Author: ivol):
The oauth_verifier should be added to the callback URL by the provider.
> Add fix for OAuth session fixation vulnerability
> ------------------------------------------------
>
> Key: AMDATUAUTH-43
> URL: http://jira.amdatu.org/jira/browse/AMDATUAUTH-43
> Project: Amdatu Auth
> Issue Type: Improvement
> Components: OAuth server
> Affects Versions: 0.1.0
> Reporter: Ivo Ladage - van Doorn
> Fix For: 0.2.0
>
>
> See
> http://hueniverse.com/2009/04/explaining-the-oauth-session-fixation-attack/
> A generated token should be added to the callback URL, that should fix this
> vulnerability
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
_______________________________________________
Amdatu-developers mailing list
[email protected]
http://lists.amdatu.org/mailman/listinfo/amdatu-developers
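The three-step fix described in the comment (persist the callback with the request token, redirect only to that stored callback carrying a fresh oauth_verifier, and answer the request-token call with oauth_callback_confirmed=true), shown as an added Python sketch of a provider. This is example code written for this page, not Amdatu Auth's code: the in-memory token store, the class and method names, and the exception types are assumptions, and request signing, which a real OAuth 1.0a provider verifies on every call, is deliberately left out so the control flow stays visible.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import urlencode, urlparse, parse_qs


@dataclass
class RequestToken:
    """A request token as persisted in the (constructed, in-memory) token store."""
    token: str
    secret: str
    callback: str                    # captured at issuance, never taken from a later request
    verifier: Optional[str] = None   # set only after the resource owner approves
    authorized: bool = False


class OAuthProvider:
    """Hypothetical provider holding request and access tokens in memory."""

    def __init__(self) -> None:
        self.request_tokens: Dict[str, RequestToken] = {}
        self.access_tokens: Dict[str, str] = {}

    def issue_request_token(self, oauth_callback: str) -> Dict[str, str]:
        """Request-token endpoint: store the consumer's callback with the token and
        confirm to the consumer that the callback was accepted here (1.0a behaviour)."""
        tok = RequestToken(token=secrets.token_hex(8),
                           secret=secrets.token_hex(16),
                           callback=oauth_callback)
        self.request_tokens[tok.token] = tok
        return {"oauth_token": tok.token,
                "oauth_token_secret": tok.secret,
                "oauth_callback_confirmed": "true"}

    def authorize(self, oauth_token: str, user_approved: bool = True) -> str:
        """Authorize endpoint: after approval, mint a verifier and build the redirect
        to the callback persisted with this token. Any callback parameter supplied on
        the authorize request itself is ignored, which is the point of the fix."""
        tok = self.request_tokens.get(oauth_token)
        if tok is None or not user_approved:
            raise PermissionError("unknown request token or not approved")
        tok.verifier = secrets.token_urlsafe(12)
        tok.authorized = True
        if tok.callback == "oob":
            # Out-of-band consumer: the verifier is displayed to the user instead.
            return tok.verifier
        sep = "&" if "?" in tok.callback else "?"
        return tok.callback + sep + urlencode(
            {"oauth_token": tok.token, "oauth_verifier": tok.verifier})

    def exchange(self, oauth_token: str, oauth_verifier: str) -> Dict[str, str]:
        """Access-token endpoint: the token alone is not enough; the consumer must
        present the verifier that only reached it through the stored callback."""
        tok = self.request_tokens.get(oauth_token)
        if tok is None or not tok.authorized or tok.verifier is None:
            raise PermissionError("request token not authorized")
        if not secrets.compare_digest(tok.verifier, oauth_verifier):
            raise PermissionError("oauth_verifier does not match")
        del self.request_tokens[oauth_token]   # one-shot: cannot be replayed
        access = secrets.token_hex(8)
        self.access_tokens[access] = secrets.token_hex(16)
        return {"oauth_token": access, "oauth_token_secret": self.access_tokens[access]}


def callback_params(redirect_url: str) -> Dict[str, str]:
    """Consumer side: pull oauth_token and oauth_verifier out of the redirect URL."""
    qs = parse_qs(urlparse(redirect_url).query)
    return {k: v[0] for k, v in qs.items()}


def run_legitimate_flow(callback: str = "https://consumer.example/cb?state=1") -> dict:
    """Drive the full 1.0a exchange and report what each step produced."""
    provider = OAuthProvider()
    rt = provider.issue_request_token(callback)
    redirect = provider.authorize(rt["oauth_token"])
    params = callback_params(redirect)
    # A party holding only the request token (no verifier) is turned away.
    try:
        provider.exchange(rt["oauth_token"], "not-the-verifier")
        rejected_without_verifier = False
    except PermissionError:
        rejected_without_verifier = True
    access = provider.exchange(params["oauth_token"], params["oauth_verifier"])
    return {"confirmed": rt["oauth_callback_confirmed"],
            "redirect_prefix": redirect.split("&oauth_token=")[0],
            "token_matches": params["oauth_token"] == rt["oauth_token"],
            "rejected_without_verifier": rejected_without_verifier,
            "access_token": access["oauth_token"]}


if __name__ == "__main__":
    print(run_legitimate_flow())
```

The two places the comment calls out are `issue_request_token`, which both persists the callback and returns `oauth_callback_confirmed`, and `authorize`, which redirects only to what was persisted; `exchange` then makes the verifier mandatory so that knowing a request token is no longer sufficient to finish the flow.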