On Mon, Nov 24, 2008 at 11:59 AM, John Kristian <[EMAIL PROTECTED]> wrote:
> It would be nice if OAuth client libraries automatically handled
> redirects and signed each request.
Wearing my security hat... automatically signing redirect URLs is risky. What if the response from the service provider is compromised? If you're using plaintext signatures, you leak your secrets to wherever the attacker redirects you. If you're using HMAC or RSA, you leak signatures for whatever URL you are redirected to. The attacker can force you to make near-arbitrary signed OAuth requests.

I suppose https is the obvious answer to this, since it guarantees the response from the SP really came from the SP's servers.
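An added illustration of the risk raised above (example code written for this page, not from the thread or from any OAuth library): a simplified OAuth 1.0 signing routine next to the check a redirect-following client could apply before re-signing. The hosts sp.example and evil.example are constructed placeholders.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, urlparse

# Hypothetical service provider and attacker hosts, constructed for this illustration.
SP_URL = "https://sp.example/api/resource"
EVIL_URL = "https://evil.example/collect"

def oauth_escape(value):
    """RFC 3986 percent-encoding as OAuth 1.0 requires (only A-Za-z0-9-._~ left bare)."""
    return quote(str(value), safe="~")

def base_string(method, url, params):
    """OAuth 1.0 signature base string: METHOD & normalized URL & sorted params."""
    p = urlparse(url)
    normalized = f"{p.scheme.lower()}://{p.netloc.lower()}{p.path}"
    param_str = "&".join(f"{oauth_escape(k)}={oauth_escape(v)}" for k, v in sorted(params.items()))
    return "&".join([method.upper(), oauth_escape(normalized), oauth_escape(param_str)])

def sign(method, url, params, consumer_secret, token_secret, sig_method="HMAC-SHA1"):
    """With PLAINTEXT the 'signature' is the secrets themselves, so whichever host
    receives the request learns both; with HMAC-SHA1 it learns a valid signature
    for exactly the URL it chose via the Location header."""
    key = f"{oauth_escape(consumer_secret)}&{oauth_escape(token_secret)}"
    if sig_method == "PLAINTEXT":
        return key
    digest = hmac.new(key.encode(), base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def safe_to_resign(original_url, location):
    """Policy to apply before re-signing a redirected request: the target must stay
    on https (so the Location header itself came from the SP) and on the host the
    client originally chose to trust."""
    orig, target = urlparse(original_url), urlparse(location)
    return target.scheme == "https" and target.hostname == orig.hostname

def resign_for_redirect(method, original_url, location, params, consumer_secret, token_secret):
    """Refuse rather than hand a fresh signature (or raw secrets) to an untrusted host."""
    if not safe_to_resign(original_url, location):
        raise ValueError(f"refusing to sign redirected request to {location}")
    return sign(method, location, params, consumer_secret, token_secret)

if __name__ == "__main__":
    params = {"oauth_consumer_key": "ck", "oauth_token": "tok", "oauth_nonce": "n1"}
    # What a client that blindly re-signed every redirect would hand to evil.example:
    print("PLAINTEXT redirect leaks:", sign("GET", EVIL_URL, params, "cs", "ts", "PLAINTEXT"))
    print("cross-host redirect allowed:", safe_to_resign(SP_URL, EVIL_URL))  # False
```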
