On 4/17/09 4:20 PM, Dirk Balfanz wrote:

> Why? OAuth doesn't need it. It's not an authentication protocol.

That's such a sad oversight of the initial OAuth specification. I hope we can fix this in future versions of the spec.

> Once you start going down this route, you'll realize that you also
> need replay-protection, etc., and before you know it you have
> re-invented OpenID.

I thought the signing mechanism defined by OAuth 1.0 provides replay-protection, and everything that's included in "etc." that you hint at.

Currently, the OAuth callback URL is susceptible to replay attack and token shooting. Signing it would eliminate this in a very low-effort way.

-- 
Dossy Shiobara | [email protected] | http://dossy.org/
Panoptic Computer Network | http://panoptic.com/
"He realized the fastest way to change is to laugh at your own folly -- then you can let go and quickly move on." (p. 70)
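The reply above rests on the claim that OAuth 1.0's request signing already supplies replay protection, through the `oauth_nonce` and `oauth_timestamp` parameters covered by the HMAC-SHA1 signature. The following Python is an added illustration, not code from this thread or from any OAuth library: it builds the RFC 5849 signature base string for a callback-style request, signs it with HMAC-SHA1, and then shows the server-side check that makes signing meaningful, namely verifying the signature and rejecting any (consumer key, nonce, timestamp) triple that has already been seen or is outside a freshness window. The consumer and token secrets, the `example.com` URLs and the `ReplayGuard` class are all constructed for the example.

```python
import base64
import hashlib
import hmac
import time
import urllib.parse

# Constructed credentials for the example only (not real secrets).
CONSUMER_SECRET = "consumer-secret-example"
TOKEN_SECRET = "token-secret-example"


def _pct(value: str) -> str:
    # RFC 5849 section 3.6 percent-encoding: only unreserved characters stay bare.
    return urllib.parse.quote(str(value), safe="-._~")


def signature_base_string(method: str, url: str, params: dict) -> str:
    """Build the OAuth 1.0 signature base string (RFC 5849 section 3.4.1).

    Assumes default ports; the base URL is scheme://host/path with no query."""
    split = urllib.parse.urlsplit(url)
    base_url = f"{split.scheme.lower()}://{split.netloc.lower()}{split.path}"
    # Query-string parameters are signed too; oauth_signature itself never is.
    all_params = list(urllib.parse.parse_qsl(split.query, keep_blank_values=True))
    all_params += [(k, v) for k, v in params.items() if k != "oauth_signature"]
    encoded = sorted((_pct(k), _pct(v)) for k, v in all_params)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), _pct(base_url), _pct(normalized)])


def hmac_sha1_signature(method, url, params, consumer_secret, token_secret):
    """HMAC-SHA1 over the base string, keyed with consumer_secret&token_secret."""
    key = f"{_pct(consumer_secret)}&{_pct(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def sign_request(method, url, params, consumer_secret, token_secret):
    """Return a copy of params with oauth_signature filled in (client side)."""
    signed = dict(params)
    signed["oauth_signature"] = hmac_sha1_signature(
        method, url, params, consumer_secret, token_secret
    )
    return signed


class ReplayGuard:
    """Constructed server-side verifier: the signature must check out, the
    timestamp must be within the window, and the nonce must not have been
    used before by this consumer at this timestamp."""

    def __init__(self, window_seconds=300):
        self.window = window_seconds
        self.seen = set()  # (consumer_key, nonce, timestamp) triples already accepted

    def accept(self, method, url, params, consumer_secret, token_secret, now=None):
        now = time.time() if now is None else now
        try:
            ts = int(params["oauth_timestamp"])
            nonce = params["oauth_nonce"]
            presented = params["oauth_signature"]
        except (KeyError, ValueError):
            return False
        expected = hmac_sha1_signature(method, url, params, consumer_secret, token_secret)
        # Constant-time comparison so the check does not leak the expected value.
        if not hmac.compare_digest(expected, presented):
            return False
        if abs(now - ts) > self.window:
            return False  # stale or far-future timestamp
        key = (params.get("oauth_consumer_key"), nonce, ts)
        if key in self.seen:
            return False  # exact replay of an already-accepted request
        self.seen.add(key)
        return True


if __name__ == "__main__":
    url = "https://client.example/cb"
    params = {
        "oauth_consumer_key": "ck", "oauth_token": "tok", "oauth_verifier": "v",
        "oauth_nonce": "abc123", "oauth_timestamp": "1000",
        "oauth_signature_method": "HMAC-SHA1",
    }
    signed = sign_request("GET", url, params, CONSUMER_SECRET, TOKEN_SECRET)
    guard = ReplayGuard()
    print("first delivery accepted:", guard.accept("GET", url, signed, CONSUMER_SECRET, TOKEN_SECRET, now=1010))
    print("replayed delivery accepted:", guard.accept("GET", url, signed, CONSUMER_SECRET, TOKEN_SECRET, now=1020))
```

Because `oauth_nonce` and `oauth_timestamp` sit inside the signed parameter set, a receiver that keeps a short-lived nonce store and enforces a timestamp window turns an unsigned, re-deliverable callback into one that can be consumed exactly once; an altered `oauth_verifier` or a stale timestamp fails the same check.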
