[ https://issues.apache.org/jira/browse/SLING-12543?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Robert Munteanu closed SLING-12543.
-----------------------------------
> JcrUserHomeOAuthTokenStore allows users to access their own tokens
> ------------------------------------------------------------------
>
> Key: SLING-12543
> URL: https://issues.apache.org/jira/browse/SLING-12543
> Project: Sling
> Issue Type: Bug
> Components: Authentication, Extensions
> Reporter: Robert Munteanu
> Assignee: Robert Munteanu
> Priority: Minor
> Fix For: OAuth Client 0.1.0
>
>
> Tokens stored by the JcrUserHomeOAuthTokenStore allow the owning user to
> access them. But the ownership of those tokens belongs to the application.
> Making them accessible to the user directly means that:
> - the user can retrieve them and perform actions that are attributed to the
> OAuth client application
> - they can be extracted by an attacker using XSS vulnerabilities
> We should make sure these two scenarios are not possible.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)