Some recent posts reminded me that an OAuth consumer should carefully maintain a session with the user, to prevent an attacker from impersonating the user. You don't want the consumer to treat an attacker's browser as though it belongs to the user who authorized access. There are techniques for doing this, but they're not specified by OAuth.
Are there guidelines or advice somewhere, encouraging consumers to do the right thing? Should we publish some (more prominently than this discussion)? A consumer could easily fall into this trap if it has nothing of value to protect. It's not obvious that the consumer is also protecting the service provider. That is, an attacker can gain unauthorized access to the service provider by deceiving a consumer. A service provider might reasonably refuse requests from a careless consumer.
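
One of the unspecified consumer-side techniques the post refers to, shown as an added example that is not part of the original message: the consumer records the request token in the browser session that started the authorization and, on callback, accepts the token only from that same session, once. The provider endpoints and session store are constructed stand-ins, not a real OAuth library.

```python
# Added example (not from the original post): an OAuth consumer that binds
# the pending request token to the browser session that began the flow, so
# a callback presented from any other session, or a second time, is rejected.
import hmac
import secrets

# Constructed stand-in for the service provider's request-token state.
_PROVIDER_REQUEST_TOKENS = {}   # request_token -> token secret (hypothetical)


def begin_authorization(session: dict) -> str:
    """Step 1: obtain a request token and record it in THIS session only."""
    request_token = secrets.token_urlsafe(16)
    _PROVIDER_REQUEST_TOKENS[request_token] = secrets.token_urlsafe(16)
    session["pending_request_token"] = request_token
    session.pop("access_token", None)          # drop any earlier grant
    return f"https://provider.example/authorize?oauth_token={request_token}"


def finish_authorization(session: dict, callback_token: str) -> bool:
    """Step 2: the callback is honoured only if the token it carries is the
    one this browser session started with; a session with no pending token
    (or a different one) never began this flow and gets nothing."""
    expected = session.get("pending_request_token")
    if expected is None or not hmac.compare_digest(expected, callback_token):
        return False
    # Single use: clear the pending token before exchanging it.
    del session["pending_request_token"]
    if _PROVIDER_REQUEST_TOKENS.pop(callback_token, None) is None:
        return False                           # unknown or already exchanged
    # Constructed access-token exchange; the grant is stored in this session.
    session["access_token"] = secrets.token_urlsafe(16)
    return True
```

In an OAuth 1.0a deployment this session check complements, rather than replaces, verification of the oauth_verifier returned on the callback.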
