On Apr 23, 11:04 pm, Josh Fraser <[email protected]> wrote:
> Leah,
>
> > *
> > 2. No callback request parameter
> > *
>
> What if we make the callback optional? Consumers can either:
>
> a) leave it out altogether in which case the registered callback will
> be used, or
> b) include it, in which case it must be included in the signature

I am still not sure what role the callback is playing in this (maybe
I'm too slow). Per my understanding, even if there was no callback
from the provider to the consumer, this vector would work anyway. The
identity provider has linked the request token with an identity upon
the user's post-login confirmation, and any request coming in to
exchange that request token for an access token should be honored as
long as the request token does not time out. This timeout too can be at 2
levels. For instance - T1 = request token issued, T2 = request token
associated with an identity, T3 = request token used to obtain an access
token. So the 2 timeouts can be T2-T1 and T3-T2.
Like the folks on earlier posts noted, the timeout does not fix the
issue but reduces the window of vulnerability. I am out of ideas for
now though :(
-cheers,
Manish
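The two-level timeout Manish sketches, as an added example that is not part of the thread: a provider-side request-token store that records T1 (issued), T2 (linked to an identity) and T3 (exchanged), enforces separate limits on T2-T1 and T3-T2, and consumes the token on exchange. The class, limit values and clock hook are hypothetical; as the thread notes, this only narrows the exchange window, it does not remove the fixation risk.

```python
# Added example (not from the thread): request-token lifecycle with the two
# timeouts T2-T1 (issue -> user authorization) and T3-T2 (authorization ->
# access-token exchange). Names and limits below are constructed.
import secrets
import time

ISSUE_TO_AUTH_MAX = 300.0     # seconds allowed between T1 and T2 (constructed)
AUTH_TO_EXCHANGE_MAX = 60.0   # seconds allowed between T2 and T3 (constructed)


class RequestTokenStore:
    """Hypothetical provider-side store; `now` is injectable for testing."""

    def __init__(self, now=time.time):
        self._now = now
        self._tokens = {}  # token -> {"issued": T1, "authorized": T2, "identity": ...}

    def issue(self):
        """T1: hand out an unauthorized request token."""
        token = secrets.token_urlsafe(16)
        self._tokens[token] = {"issued": self._now(), "authorized": None, "identity": None}
        return token

    def authorize(self, token, identity):
        """T2: user confirmed login, link the token to an identity (once only)."""
        rec = self._tokens.get(token)
        if rec is None or rec["authorized"] is not None:
            return False
        if self._now() - rec["issued"] > ISSUE_TO_AUTH_MAX:
            del self._tokens[token]          # T2-T1 window expired
            return False
        rec["authorized"] = self._now()
        rec["identity"] = identity
        return True

    def exchange(self, token):
        """T3: swap the request token for an access token.
        Returns (identity, access_token) or None; the token is single-use."""
        rec = self._tokens.pop(token, None)  # consumed whether or not it succeeds
        if rec is None or rec["authorized"] is None:
            return None                      # unknown, reused, or never authorized
        if self._now() - rec["authorized"] > AUTH_TO_EXCHANGE_MAX:
            return None                      # T3-T2 window expired
        return rec["identity"], secrets.token_urlsafe(16)
```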