On 02/05/2014 21:00, Brian Warner wrote:
> On 5/2/14 7:59 AM, Shane Tomlinson wrote:
>> Is our OAuth implementation susceptible?
> Nope, as Zach/Sean/pdehann figured out on #identity, we're ok, because
> our OAuth server ignores the incoming redirect_uri= queryarg completely.
> The browser will always be sent back to a URI provided by the original
> RP app (when they registered the app and were given their client_id and
> client_secret). The only two things parsed out of the incoming request
> are state= and the list of desired scopes.
Thanks for the detailed explanation, Brian. I learned a lot reading this!
Shane
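The design Brian describes (resolve the redirect target from the client's registration and ignore any redirect_uri= in the request; parse only state= and scope=) can be shown in a small authorization-endpoint request parser. This is an added illustration and not Firefox Accounts code; the client registry, client_id value, hostnames, scope names and the helper names are all constructed for the example. The naive_redirect_target function shows the susceptible pattern for contrast, and parse_authorize_request shows the registered-URI approach the thread says the server uses.

```python
from urllib.parse import parse_qs, urlencode, urlparse, urlunparse

# Constructed registry (hypothetical): the redirect URI is fixed at the time
# the RP registers and receives its client_id / client_secret.
REGISTERED_CLIENTS = {
    "client-abc123": {
        "name": "Example RP",
        "redirect_uri": "https://rp.example.com/oauth/callback",
        "allowed_scopes": {"profile", "profile:email"},
    },
}

# Constructed sample /authorize query carrying a foreign redirect_uri.
SAMPLE_QUERY = (
    "client_id=client-abc123"
    "&redirect_uri=https%3A%2F%2Fattacker.example%2Fcollect"
    "&state=xyz&scope=profile"
)


def naive_redirect_target(query: dict) -> str:
    """The susceptible pattern: trusts whatever redirect_uri the request carries."""
    return query["redirect_uri"][0]


def parse_authorize_request(raw_query: str) -> dict:
    """Parse an /authorize query the way the thread describes.

    client_id is used only to look up the registration; the redirect target
    comes from that registration, so an incoming redirect_uri= is never read.
    Only state= and scope= are taken from the request itself.
    """
    query = parse_qs(raw_query, keep_blank_values=True)
    client_id = query.get("client_id", [""])[0]
    client = REGISTERED_CLIENTS.get(client_id)
    if client is None:
        raise ValueError("unknown client_id")

    state = query.get("state", [""])[0]
    if not state:
        raise ValueError("missing state")

    requested = set(query.get("scope", [""])[0].split())
    if not requested or not requested <= client["allowed_scopes"]:
        raise ValueError("scope not permitted for this client")

    return {
        "client_id": client_id,
        "state": state,
        "scope": sorted(requested),
        "redirect_uri": client["redirect_uri"],  # registered value, never the request's
    }


def build_redirect(req: dict, code: str) -> str:
    """Append code and state to the registered redirect URI, preserving any
    query parameters the RP registered with it."""
    parsed = urlparse(req["redirect_uri"])
    params = {k: v[0] for k, v in parse_qs(parsed.query, keep_blank_values=True).items()}
    params.update({"code": code, "state": req["state"]})
    return urlunparse(parsed._replace(query=urlencode(params)))


if __name__ == "__main__":
    req = parse_authorize_request(SAMPLE_QUERY)
    print("naive target:     ", naive_redirect_target(parse_qs(SAMPLE_QUERY)))
    print("registered target:", build_redirect(req, "demo-code"))
```

Running the block shows the two targets side by side: the naive parser would send the browser (and the code and state) to the host named in the request, while the registration-based parser always returns the RP's registered callback.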
_______________________________________________
Dev-fxacct mailing list
[email protected]
https://mail.mozilla.org/listinfo/dev-fxacct