I can't think of a way to do phishing with oauth2, doesn't mean it can't be
done somehow :)

Basically because you have to configure the redirect when you setup the
client_secret the server will only ever send the browser to that redirect,
a mismatch of requested redirect will just cause an error on Google Apps
for example.

Lets say this app has a redirect to localhost:1234/oauth set up during
credentials creation on the oauth server.
Then if you could get some malicious code to run at that host:port then you
could get the access token that the oauth server would think it is sending
to this app.

So yes letting everyone know your client_secret is dodgy, but actually
getting hacked because of it seems highly unlikely.

On Wed, Sep 23, 2015 at 4:51 PM, Nick Sabalausky via Digitalmars-d-announce
<digitalmars-d-announce@puremagic.com> wrote:

> On 09/23/2015 08:38 AM, Rory McGuire via Digitalmars-d-announce wrote:
>> Problem is right now anyone can make an app and pretend its your app, and
>> then ...
>> If the user gives your keys access to their stuff so does anyone else who
>> has your keys, if they can get the oauth2 redirect to redirect to a
>> matching url at least.
> Isn't oauth/openid just kindof a big bundle of such phishing problems
> anyway?

Reply via email to