How bout this...

Instead of the provider signing the callback URL, the consumer signs the
redirect to the SP using its consumer and request tokens. This will prevent
an attacker from changing the callback URL, but still allow the consumer to
specify any redirect URL it wants (provided the SP accepts any callback
URL).

This reduces the threat to what Eran called a "timing attack" in his blog
post. There's still a possibility that the attacker could beat the victim
back to the callback after the request token is authorized. To mitigate
this, the provider could generate a callback nonce that must be provided
during the request/access token exchange. This nonce would be appended as a
querystring param to the callback URL.

I think these two changes eliminate the threat with the smallest change to
the spec, and without requiring either side to maintain a lot of extra state
across steps. The SP needs to maintain the callback nonce, but it can be
stored and expired with the request token.

The drawback is that the manual auth process would require the user to enter
two numbers at the consumer after authorizing a token: the request token key
and the callback nonce.

Mike

On Thu, Apr 23, 2009 at 9:25 AM, Shan <[email protected]> wrote:

>
> I have a simple idea to propose not as a solution, but hopefully to
> give someone an idea toward a true solution:
>
> What if the callback URL is signed on the provider's end using the
> consumer's secret key? The drawback is it puts the burden on the
> consumer to close the security hole by checking the signature, and as
> such the provider has no way of knowing if an application is secure or
> not.
>
> Shan
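
Mike's two changes, as an added simulation that is not from the thread or any OAuth implementation: a consumer-signed authorize redirect whose callback the provider verifies, and a callback nonce minted at approval that must come back at the token exchange. The `Provider` class, the `callback_nonce` parameter name, the HMAC-SHA1-over-sorted-params signing shorthand and the consumer credentials are assumptions made for this example.

```python
import hashlib, hmac, secrets
from urllib.parse import parse_qs, urlencode, urlsplit

def sign(secret, params):  # HMAC-SHA1 over the sorted params, the shape of an OAuth 1.0 signature
    base = urlencode(sorted(params.items())).encode()
    return hmac.new(secret.encode(), base, hashlib.sha1).hexdigest()

class Provider:
    def __init__(self, consumers):
        self.consumers = consumers  # consumer_key -> consumer_secret
        self.pending = {}           # request token -> state, dropped at exchange
    def issue_request_token(self, consumer_key):
        token = secrets.token_hex(8)
        self.pending[token] = {"consumer": consumer_key, "callback": None, "nonce": None}
        return token
    def start_authorization(self, query):
        """Change 1: accept the callback URL only if the consumer signed the redirect."""
        rec = self.pending.get(query.get("oauth_token"))
        unsigned = {k: v for k, v in query.items() if k != "oauth_signature"}
        if rec is None or not hmac.compare_digest(
                sign(self.consumers[rec["consumer"]], unsigned), query.get("oauth_signature", "")):
            return False  # a callback changed in transit no longer matches the signature
        rec["callback"] = query["oauth_callback"]
        return True
    def approve(self, token):
        """User approves. Change 2: mint a callback nonce that only this redirect carries."""
        rec = self.pending[token]
        rec["nonce"] = secrets.token_urlsafe(16)
        return rec["callback"] + "?" + urlencode({"oauth_token": token, "callback_nonce": rec["nonce"]})
    def exchange(self, token, nonce):
        rec = self.pending.get(token)
        if rec is None or rec["nonce"] is None or not hmac.compare_digest(rec["nonce"], nonce):
            return None
        del self.pending[token]  # the nonce expires together with the request token
        return "access-" + secrets.token_hex(8)

def run_scenario():
    """Attacker obtains the request token, the victim authorizes it, both race to exchange it."""
    sp = Provider({"ckey": "csecret"})  # constructed sample consumer credentials
    token = sp.issue_request_token("ckey")
    legit = {"oauth_token": token, "oauth_callback": "https://consumer.example/cb"}
    legit["oauth_signature"] = sign("csecret", legit)
    tampered = dict(legit, oauth_callback="https://attacker.example/cb")
    out = {"tampered_callback_accepted": sp.start_authorization(tampered),
           "signed_callback_accepted": sp.start_authorization(legit)}
    redirect = sp.approve(token)  # only the authorizing user's browser sees this URL
    out["attacker_beats_victim_back"] = sp.exchange(token, "")  # has the token, not the nonce
    nonce = parse_qs(urlsplit(redirect).query)["callback_nonce"][0]
    out["consumer_exchange_ok"] = sp.exchange(token, nonce) is not None
    out["replay"] = sp.exchange(token, nonce)  # token and nonce already consumed
    return out
```

The only state the provider keeps beyond the request token itself is the nonce stored beside it, which is discarded at the exchange, matching the "expired with the request token" point above.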

You received this message because you are subscribed to the Google Groups 
"OAuth" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [email protected]
For more options, visit this group at http://groups.google.com/group/oauth?hl=en