On 19/12/2014 03:43, Richard Newman wrote:
>> Any amendments or additions to this list?
> One small one. When the user resets their password (and thus kB changes,
> and thus any derived OAuth keys change), there should be a
> well-documented way for applications to detect this.
> The lifespan of a key should probably not be different to that of an
> authenticated session; if it is, we run the risk of allowing a client to
> write data with a key that no other client can read, until eventually
> its session expires and it learns the new key.
Thanks, this is indeed an important point. I think we'll have a couple
of related mechanisms to help detect and prevent this:
* An account-event-notification system for reliers, so they can
directly learn about the password reset.
* Automatic invalidation of tokens with key-bearing OAuth scopes in the
event of a password reset
* Supporting libraries that deal with the keys and handle this for
you in a sane way.
> In Sync we use X-Client-State to avoid this.
Aye, what a barrel of laughs that has been...
> Key changes shouldn't come down to an eventual HMAC error, else app
> developers will screw it up.
We should still encourage (or enforce through library code) the use of
these HMAC errors as a last line of defense.
Cheers,
Ryan
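To make the two detection paths discussed in the thread concrete (an explicit signal that kB changed, and the HMAC check as the last line of defense), here is an added example; it is not code from the thread, from Firefox Accounts, or from Sync. It takes X-Client-State to be the hex of the first 16 bytes of SHA-256(kB) and the Sync key bundle to be HKDF-SHA256 over kB with the info string `identity.mozilla.com/picl/v1/oldsync`, as the Sync/FxA documentation describes; the `StorageServer` class, the `seal`/`unseal` record format, the `stale-client-state` rejection policy and the two kB values are all constructed for illustration and are not the real protocol.

```python
"""Constructed example: a kB change surfaces as an X-Client-State mismatch,
with HMAC verification catching anything that slips past that check."""
import hashlib
import hmac
import json
from typing import Tuple

# Info string used when deriving Sync's key bundle from kB (HKDF-SHA256).
SYNC_HKDF_INFO = b"identity.mozilla.com/picl/v1/oldsync"


def hkdf_sha256(ikm: bytes, info: bytes, length: int, salt: bytes = b"") -> bytes:
    """RFC 5869 HKDF with SHA-256: extract a PRK, then expand it to `length` bytes."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def client_state(kB: bytes) -> str:
    """X-Client-State value: first 16 bytes of SHA-256(kB), hex-encoded (32 chars)."""
    return hashlib.sha256(kB).digest()[:16].hex()


def derive_sync_keys(kB: bytes) -> Tuple[bytes, bytes]:
    """(encryption key, HMAC key) derived from kB; both change whenever kB does."""
    okm = hkdf_sha256(kB, SYNC_HKDF_INFO, 64)
    return okm[:32], okm[32:]


class KeyMismatch(Exception):
    """Raised when a record's HMAC does not verify under the caller's key."""


def seal(hmac_key: bytes, payload: dict) -> dict:
    # Constructed record format: JSON body plus an HMAC-SHA256 tag over it.
    body = json.dumps(payload, sort_keys=True)
    tag = hmac.new(hmac_key, body.encode(), hashlib.sha256).hexdigest()
    return {"payload": body, "hmac": tag}


def unseal(hmac_key: bytes, record: dict) -> dict:
    expected = hmac.new(hmac_key, record["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, record["hmac"]):
        raise KeyMismatch("HMAC check failed: record was written under a different key")
    return json.loads(record["payload"])


class StorageServer:
    """Constructed stand-in for the server-side check; not Sync's real server."""

    def __init__(self) -> None:
        self.current_state = None
        self.seen_states = set()
        self.records = {}

    def put(self, x_client_state: str, name: str, record: dict) -> str:
        if x_client_state == self.current_state:
            status = "ok"
        elif x_client_state in self.seen_states:
            # Assumed policy: a client presenting an already-superseded state is
            # still on the old kB, so refuse the write and let it learn of the reset.
            return "stale-client-state"
        else:
            # A never-seen state means kB changed; the old records cannot be read
            # under the new key, so they are dropped rather than left to rot.
            status = "ok" if self.current_state is None else "key-changed"
            self.current_state = x_client_state
            self.seen_states.add(x_client_state)
            self.records.clear()
        self.records[name] = record
        return status


def simulate_password_reset() -> dict:
    # Constructed kB values before and after the reset (not real account material).
    kB_before = hashlib.sha256(b"constructed kB before reset").digest()
    kB_after = hashlib.sha256(b"constructed kB after reset").digest()
    server = StorageServer()

    # Client A, holding the pre-reset kB, writes a record.
    _, hmac_before = derive_sync_keys(kB_before)
    state_before = client_state(kB_before)
    first_put = server.put(state_before, "bookmark", seal(hmac_before, {"title": "home"}))

    # Password reset: kB changes, so every derived key and the client state change.
    _, hmac_after = derive_sync_keys(kB_after)
    state_after = client_state(kB_after)

    # Client B, holding the new kB, shows up: the header mismatch is the explicit signal.
    second_put = server.put(state_after, "bookmark", seal(hmac_after, {"title": "home"}))

    # Stale client A keeps writing under the old key until it learns of the reset.
    stale_record = seal(hmac_before, {"title": "stale"})
    third_put = server.put(state_before, "bookmark", stale_record)

    # Had that write landed, a fresh client could not read it: HMAC is the last line of defense.
    try:
        unseal(hmac_after, stale_record)
        hmac_rejects_stale = False
    except KeyMismatch:
        hmac_rejects_stale = True

    return {
        "client_state_changed": state_before != state_after,
        "first_put": first_put,
        "second_put": second_put,
        "third_put": third_put,
        "hmac_rejects_stale": hmac_rejects_stale,
        "fresh_reads_fresh": unseal(hmac_after, server.records["bookmark"]) == {"title": "home"},
    }
```

Run `simulate_password_reset()` to walk through the sequence: the first write is accepted, the post-reset client's write is accepted and flagged as a key change, the stale client's write is refused outright, and even without that refusal the stale record fails HMAC verification under the new key.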
_______________________________________________
Dev-fxacct mailing list
[email protected]
https://mail.mozilla.org/listinfo/dev-fxacct