On Apr 23, 11:57 pm, Eran Hammer-Lahav <[email protected]> wrote:
> Do you mean why the callback itself isn't signed? Or the parameter?
>
> EHL

I think he meant signing the request that includes callback as a
parameter for authorizing the request token (6.2.1 from the Spec).

I agree that it will handle the callback tampering by the attackers.
But won't this still leave out non-webapp consumers? But then again the
OAuth model for non-webapp consumers has bigger fish to fry with the
shared secret sitting on every device in cleartext.

-cheers,
Manish