hi

On Fri, Apr 24, 2009 at 6:27 AM, Leah Culver <[email protected]> wrote:
> 1. One time only token exchange ...
> 2. No callback request parameter ...
These are probably the smallest changes to the spec that can give a reasonable reduction of the vulnerability window, i.e. the time between the user authorizing the request token and him/her trying to exchange it for an access token. I'm not even sure that it's possible to get 'perfect' security given what the protocol is trying to achieve in a platform that's inherently stateless (at least not without a *lot* of changes).

The first one may possibly cause some inconvenience to legitimate users trying to complete the flow before having authorized the token (e.g. in desktop apps), but this can be mitigated by using the right wording for the error message to be presented to the user, and it will help a lot to identify malicious behavior both on the consumer and service provider side (e.g. setting a cap on the number of repeated token exchange errors).

Luca
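As an added example, not part of the thread and not code from any OAuth library of the time: a minimal service-provider side model in Python of the two points discussed above, a one-time request-token exchange and a cap on repeated exchange errors per consumer. It assumes the reading that an exchange attempt made before the user has authorized the token invalidates that token (the behaviour that would cause the desktop-app inconvenience mentioned in the reply), so a party polling the access-token endpoint for a token it planted burns it instead of collecting the victim's authorization. Consumer names, token values, the `ServiceProvider` class and the error cap of 3 are all hypothetical.

```python
"""Added example: service-provider side request-token state machine for the
one-time-exchange mitigation discussed in the thread. Hypothetical code, not
from any OAuth library; consumer names, tokens and the error cap are made up."""
import secrets
from dataclasses import dataclass
from enum import Enum


class TokenState(Enum):
    ISSUED = "issued"          # handed to the consumer, user has not approved yet
    AUTHORIZED = "authorized"  # user approved at the authorization URL
    EXCHANGED = "exchanged"    # swapped for an access token; can never be reused
    REVOKED = "revoked"        # burnt by an exchange attempt made too early


@dataclass
class RequestToken:
    token: str
    consumer_key: str
    state: TokenState = TokenState.ISSUED


class ExchangeError(Exception):
    """Maps to the access-token endpoint's error response to the consumer."""


class ServiceProvider:
    def __init__(self, error_cap: int = 3):
        self.request_tokens: dict[str, RequestToken] = {}
        self.access_tokens: dict[str, str] = {}      # access token -> consumer key
        self.exchange_errors: dict[str, int] = {}    # consumer key -> failed exchanges
        self.flagged: set[str] = set()               # consumers at or over the cap
        self.error_cap = error_cap

    def issue_request_token(self, consumer_key: str) -> str:
        rt = RequestToken(secrets.token_hex(16), consumer_key)
        self.request_tokens[rt.token] = rt
        return rt.token

    def authorize(self, token: str) -> bool:
        """Called when the user approves the token in the browser. A token that
        was already burnt or used cannot be authorized, so the user gets an error
        instead of silently approving something a consumer already tried to redeem."""
        rt = self.request_tokens.get(token)
        if rt is None or rt.state is not TokenState.ISSUED:
            return False
        rt.state = TokenState.AUTHORIZED
        return True

    def _record_failure(self, consumer_key: str) -> None:
        n = self.exchange_errors.get(consumer_key, 0) + 1
        self.exchange_errors[consumer_key] = n
        if n >= self.error_cap:
            self.flagged.add(consumer_key)

    def exchange(self, consumer_key: str, token: str) -> str:
        """Access-token endpoint: exactly one successful exchange per request token."""
        rt = self.request_tokens.get(token)
        if rt is None or rt.consumer_key != consumer_key:
            self._record_failure(consumer_key)
            raise ExchangeError("unknown request token")
        if rt.state is TokenState.ISSUED:
            # Too early: the user has not authorized yet. Burn the token so a
            # later authorization cannot be harvested by whoever is polling here.
            rt.state = TokenState.REVOKED
            self._record_failure(consumer_key)
            raise ExchangeError("token not yet authorized; it has been invalidated, "
                                "please restart the authorization flow")
        if rt.state is not TokenState.AUTHORIZED:
            self._record_failure(consumer_key)
            raise ExchangeError(f"request token is {rt.state.value}")
        rt.state = TokenState.EXCHANGED
        access = secrets.token_hex(16)
        self.access_tokens[access] = consumer_key
        return access


def demo() -> dict:
    """Run the honest flow, a replay, and a premature (attacker-style) exchange."""
    sp = ServiceProvider(error_cap=3)
    out = {}
    t = sp.issue_request_token("good-app")
    sp.authorize(t)
    access = sp.exchange("good-app", t)
    out["legit_ok"] = sp.access_tokens.get(access) == "good-app"
    try:
        sp.exchange("good-app", t)
        out["replay_rejected"] = False
    except ExchangeError:
        out["replay_rejected"] = True
    # Attacker polls the exchange endpoint before the victim has authorized.
    t2 = sp.issue_request_token("evil-app")
    premature = 0
    for _ in range(3):
        try:
            sp.exchange("evil-app", t2)
        except ExchangeError:
            premature += 1
    out["premature_rejected"] = premature == 3
    out["victim_cannot_authorize_burnt_token"] = not sp.authorize(t2)
    out["evil_flagged"] = "evil-app" in sp.flagged
    out["good_not_flagged"] = "good-app" not in sp.flagged
    return out


if __name__ == "__main__":
    print(demo())
```

The state machine is the whole point: once a token leaves ISSUED it can only move forward, so a second exchange of a used token, or any exchange of a burnt one, is an error that also counts against the consumer. A single honest replay stays under the cap; a consumer that keeps hammering the endpoint with unauthorized tokens crosses it and lands in `flagged`, which is the kind of signal the reply above suggests a service provider should collect.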
