OAuth concentrates on securing communication between the consumer and
service provider.  The callback is just a timing signal, telling the
consumer it can continue its interaction with the service provider.
Nothing sensitive is transmitted via the callback.

In other words, attempting to transmit something sensitive via an
OAuth callback is a mistake.  OAuth wasn't designed for this.

On Apr 17, 1:32 pm, Dossy Shiobara <[email protected]> wrote:
> On 4/17/09 4:20 PM, Dirk Balfanz wrote:
>
> > Why? OAuth doesn't need it. It's not an authentication protocol.
>
> That's such a sad oversight of the initial OAuth specification.  I hope
> we can fix this in future versions of the spec.
>
> > Once you start going down this route, you'll realize that you also
> > need replay-protection, etc., and before you know it you have
> > re-invented OpenID.
>
> I thought the signing mechanism defined by OAuth 1.0 provides
> replay-protection, and everything that's included in "etc." that you
> hint at.
>
> Currently, the OAuth callback URL is susceptible to replay attack and
> token shooting.  Signing it would eliminate this in a very low-effort way.
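As an added example (not code from this thread or from the OAuth spec), here is what the signed-callback proposal above looks like in practice: the service provider signs the callback redirect with the OAuth 1.0 HMAC-SHA1 mechanism, and the consumer rejects a callback whose signature fails, whose timestamp falls outside a window, or whose nonce it has already accepted. Secrets, token values and URLs are constructed; the callback URL is assumed to carry no query string of its own, and default-port normalisation of the base string URL is omitted.

```python
import base64, hashlib, hmac, time
from urllib.parse import parse_qsl, quote, urlencode, urlsplit

def pct(s, *_):  # OAuth 1.0 percent-encoding: only RFC 3986 unreserved chars stay bare
    return quote(str(s), safe="~")

def base_string(method, url, params):  # Signature Base String, OAuth Core 1.0 sec. 9.1
    u = urlsplit(url)  # params must exclude oauth_signature; sort by encoded name, then value
    norm = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in params))
    return "&".join([method.upper(), pct(f"{u.scheme.lower()}://{u.netloc.lower()}{u.path}"), pct(norm)])

def hmac_sha1(method, url, params, consumer_secret, token_secret=""):
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def build_signed_callback(callback, params, consumer_secret, token_secret=""):
    # Service-provider side: sign the redirect parameters and append the signature (hypothetical)
    params = list(params)
    params.append(("oauth_signature", hmac_sha1("GET", callback, params, consumer_secret, token_secret)))
    return callback + "?" + urlencode(params, quote_via=pct)

class CallbackVerifier:
    # Consumer side: accept a callback only if correctly signed, fresh, and never seen before
    def __init__(self, consumer_secret, token_secrets, window=300):
        self.consumer_secret, self.token_secrets, self.window = consumer_secret, token_secrets, window
        self.seen = set()  # (nonce, timestamp) pairs already accepted

    def verify(self, url, now=None):
        now = time.time() if now is None else now
        base, _, query = url.partition("?")
        params = parse_qsl(query, keep_blank_values=True)
        p = dict(params)
        if "oauth_signature" not in p:
            return False, "unsigned"
        unsigned = [(k, v) for k, v in params if k != "oauth_signature"]
        # the request token secret is looked up by token; an unknown token yields an empty secret
        token_secret = self.token_secrets.get(p.get("oauth_token", ""), "")
        expected = hmac_sha1("GET", base, unsigned, self.consumer_secret, token_secret)
        if not hmac.compare_digest(expected, p["oauth_signature"]):
            return False, "bad signature"
        if abs(now - int(p.get("oauth_timestamp", "0"))) > self.window:
            return False, "stale timestamp"
        key = (p.get("oauth_nonce"), p.get("oauth_timestamp"))
        if key in self.seen:
            return False, "replayed nonce"
        self.seen.add(key)
        return True, "ok"
```

Checking the signature before recording the nonce means only authentic callbacks populate the replay set, and a replayed or token-swapped redirect is refused even though nothing secret travels in the URL.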

You received this message because you are subscribed to the Google Groups 
"OAuth" group.