[
http://jira.amdatu.org/jira/browse/AMDATUAUTH-43?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=11221#comment-11221
]
Ivo Ladage - van Doorn edited comment on AMDATUAUTH-43 at 7/6/11 5:16 PM:
--------------------------------------------------------------------------
The oauth_verifier should be added to the callback URL by the provider, but
this is not enough. Also the callback URL should be set upon retrieval of the
request token. The best way to do this is to persist the callback URL in the request
token when it is stored in the token store. The authorize token servlet should
then redirect the user to the callback URL associated with this request token.
Finally the request token servlet should respond with an
oauth_callback_confirmed set to true to indicate that it implements the updated
version of the spec.

The OAuth server should not accept that the user sends a callback URL along
with the request. It should first peek into the request token. If a callback
URL was provided by the consumer upon retrieving the request token, that should
be used. If no callback URL is associated with the token, the OAuth server
should use the callback URL statically defined for the consumer upon
registration. If both are empty then the OAuth server should refuse to
distribute a request token, stating that it does not support the OAuth Core 1.0
December 2007 spec, only OAuth Core 1.0 Revision A Jun 2009 or The OAuth 1.0
Protocol (RFC5849) April 2010.
> Add fix for oAuth session fixation vulnerability
> ------------------------------------------------
>
> Key: AMDATUAUTH-43
> URL: http://jira.amdatu.org/jira/browse/AMDATUAUTH-43
> Project: Amdatu Auth
> Issue Type: Improvement
> Components: OAuth server
> Affects Versions: 0.1.0
> Reporter: Ivo Ladage - van Doorn
> Fix For: 0.2.0
>
>
> See
> http://hueniverse.com/2009/04/explaining-the-oauth-session-fixation-attack/
> A generated token should be added to the callback URL, that should fix this
> vulnerability
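The provider-side logic Ivo lays out in the comment above (persist the callback with the request token, answer with oauth_callback_confirmed=true, redirect only to the stored callback with a fresh oauth_verifier, fall back to the consumer's registered callback, refuse when both are empty), written out as an added example. This is not Amdatu Auth code; the class and function names (OAuthProvider, RequestToken, issue_request_token, authorize, exchange_for_access_token) are assumptions made for the example, while the parameter names oauth_callback, oauth_callback_confirmed and oauth_verifier are the ones from OAuth 1.0 Revision A / RFC 5849.

```python
"""Added example, not Amdatu Auth code: provider-side OAuth 1.0a callback
handling that defeats the session fixation attack.  OAuthProvider, RequestToken
and the token-store layout are hypothetical names chosen for this example."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import parse_qsl, urlencode, urlparse, urlunparse


class UnsupportedSpecVersion(Exception):
    """Consumer supplied no callback and has none registered: OAuth Core 1.0
    (Dec 2007) behaviour, which the provider refuses to support."""


@dataclass
class RequestToken:
    token: str
    secret: str
    consumer_key: str
    callback: str                   # decided and persisted at issue time
    verifier: Optional[str] = None  # set when the resource owner authorizes
    authorized: bool = False


@dataclass
class OAuthProvider:
    # consumer_key -> callback URL registered statically (None if none)
    consumers: Dict[str, Optional[str]]
    tokens: Dict[str, RequestToken] = field(default_factory=dict)

    def issue_request_token(self, consumer_key: str,
                            oauth_callback: Optional[str]) -> Dict[str, str]:
        """Request-token endpoint: choose the callback now, store it with the token."""
        if consumer_key not in self.consumers:
            raise KeyError("unknown consumer")
        # Per-request callback wins; otherwise the registered one; otherwise refuse.
        callback = oauth_callback or self.consumers[consumer_key]
        if not callback:
            raise UnsupportedSpecVersion(
                "callback required: only OAuth Core 1.0 Rev A / RFC 5849 is supported")
        tok = RequestToken(token=secrets.token_urlsafe(16),
                           secret=secrets.token_urlsafe(24),
                           consumer_key=consumer_key, callback=callback)
        self.tokens[tok.token] = tok
        return {"oauth_token": tok.token, "oauth_token_secret": tok.secret,
                "oauth_callback_confirmed": "true"}

    def authorize(self, oauth_token: str, request_params: Dict[str, str]) -> str:
        """Authorize endpoint: after the user consents, build the redirect.
        Any oauth_callback in request_params is deliberately ignored; the
        redirect goes to the callback persisted with the request token."""
        tok = self.tokens[oauth_token]
        tok.verifier = secrets.token_urlsafe(12)   # fresh, unguessable verifier
        tok.authorized = True
        return append_query(tok.callback,
                            {"oauth_token": tok.token, "oauth_verifier": tok.verifier})

    def exchange_for_access_token(self, oauth_token: str, oauth_verifier: str) -> bool:
        """Access-token endpoint: the consumer must present the verifier that was
        delivered to the stored callback.  Constant-time compare."""
        tok = self.tokens.get(oauth_token)
        if tok is None or not tok.authorized or tok.verifier is None:
            return False
        return hmac.compare_digest(tok.verifier.encode(), oauth_verifier.encode())


def append_query(url: str, extra: Dict[str, str]) -> str:
    """Add parameters to a URL while keeping any query the consumer put there."""
    parts = urlparse(url)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    query.update(extra)
    return urlunparse(parts._replace(query=urlencode(query)))


def query_params(url: str) -> Dict[str, str]:
    """Helper for inspecting the redirect the authorize endpoint produced."""
    return dict(parse_qsl(urlparse(url).query, keep_blank_values=True))


if __name__ == "__main__":
    # Constructed sample: one consumer with a registered callback, one without.
    provider = OAuthProvider(consumers={"app": "https://app.example/cb", "legacy": None})
    issued = provider.issue_request_token("app", "https://app.example/cb?state=1")
    redirect = provider.authorize(issued["oauth_token"],
                                  {"oauth_callback": "https://attacker.example/"})
    print(redirect)  # always starts with https://app.example/cb?state=1&...
```

The decision about where the user will be sent is made once, at request-token time, and is never revisited from user-controlled input; the verifier is generated per authorization and only ever travels to that stored callback, which is what makes the fixated token useless to the attacker.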
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
_______________________________________________
Amdatu-developers mailing list
[email protected]
http://lists.amdatu.org/mailman/listinfo/amdatu-developers