On Apr 24, 1:04 am, Josh Fraser <[email protected]> wrote:
> Manish,
>
> I may be leading you astray regarding the importance of the callback.
> Forgive me as I struggle to wrap my head around all of this.

Who isn't struggling to wrap their heads around this.. it's 1:30a and I can't sleep :)

> Don't requests for access tokens need to be signed with the consumer
> secret? This means that an attacker needs the victim to return to the
> consumer site to complete the handshake because the attacker doesn't
> have the secret to make that request himself. Right?

Yep - that's right. However, the elements of the signature have to be the ones that both provider and consumer are aware of (except RSA-SHA1, where the private/public keys replace the shared secret). None of the parameters can be used to sign a request that either party is unaware of, as the provider has to "reconstruct" the signature to verify the incoming request. The attacker will need access to the shared secret (or the private key) and token secret (if applicable) to properly sign the request - none of these are sent on the wire.

Does this confirm your understanding?

-cheers,
Manish

You received this message because you are subscribed to the Google Groups "OAuth" group.
For more options, visit this group at http://groups.google.com/group/oauth?hl=en
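The point Manish makes above (the provider rebuilds the signature from the parameters on the wire plus the secrets it already holds, so anyone who only saw the wire traffic cannot produce a valid access-token request) can be shown with a small HMAC-SHA1 signing and verification routine. This is an added example, not code from the thread or from any OAuth library; the consumer key, secrets, token, nonce, timestamp and the `https://provider.example/oauth/access_token` endpoint are constructed sample values, and `verify_request` is a hypothetical provider-side check written for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def pct(s):
    """Percent-encode per OAuth 1.0 rules: only RFC 3986 unreserved chars are left bare."""
    return quote(str(s), safe="-._~")


def normalize_params(params):
    """Encode each key and value, sort, and join; oauth_signature is never part of the input."""
    encoded = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    return "&".join(f"{k}={v}" for k, v in encoded)


def signature_base_string(method, url, params):
    """METHOD & encoded(URL) & encoded(normalized params) - every element is visible on the wire."""
    return "&".join([method.upper(), pct(url), pct(normalize_params(params))])


def hmac_sha1_signature(method, url, params, consumer_secret, token_secret=""):
    """The key is the only input that does not travel on the wire."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def verify_request(method, url, params, lookup_consumer_secret, lookup_token_secret):
    """Provider side (hypothetical): reconstruct the signature from received params and stored secrets."""
    presented = params.get("oauth_signature")
    if presented is None:
        return False
    consumer_secret = lookup_consumer_secret(params.get("oauth_consumer_key"))
    token_secret = lookup_token_secret(params.get("oauth_token"))
    if consumer_secret is None or token_secret is None:
        return False
    expected = hmac_sha1_signature(method, url, params, consumer_secret, token_secret)
    # Constant-time comparison so verification timing does not leak the expected value.
    return hmac.compare_digest(expected.encode(), presented.encode())


# Constructed sample values (not real credentials or a real endpoint).
CONSUMER_KEY = "consumer-key-example"
CONSUMER_SECRET = "consumer-secret-example"
REQUEST_TOKEN = "request-token-example"
REQUEST_TOKEN_SECRET = "request-token-secret-example"
ACCESS_TOKEN_URL = "https://provider.example/oauth/access_token"


def build_access_token_request(verifier, nonce="8f3a1c", timestamp="1240500000"):
    """Consumer side: the access-token request, signed with consumer secret and token secret."""
    params = {
        "oauth_consumer_key": CONSUMER_KEY,
        "oauth_token": REQUEST_TOKEN,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": timestamp,
        "oauth_nonce": nonce,
        "oauth_verifier": verifier,
        "oauth_version": "1.0",
    }
    params["oauth_signature"] = hmac_sha1_signature(
        "POST", ACCESS_TOKEN_URL, params, CONSUMER_SECRET, REQUEST_TOKEN_SECRET)
    return params


def provider_verify(params):
    """Provider's lookups are in-memory dicts here; a real provider would query its token store."""
    return verify_request(
        "POST", ACCESS_TOKEN_URL, params,
        lambda k: {CONSUMER_KEY: CONSUMER_SECRET}.get(k),
        lambda t: {REQUEST_TOKEN: REQUEST_TOKEN_SECRET}.get(t))


def resign_without_secrets(params):
    """What a party holding only the on-the-wire parameters can do: sign with empty secrets."""
    forged = dict(params)
    forged["oauth_signature"] = hmac_sha1_signature("POST", ACCESS_TOKEN_URL, forged, "", "")
    return forged


if __name__ == "__main__":
    good = build_access_token_request("verifier-example")
    print("genuine consumer request verifies:", provider_verify(good))
    tampered = dict(good)
    tampered["oauth_verifier"] = "some-other-verifier"
    print("parameter changed after signing:", provider_verify(tampered))
    print("re-signed without the secrets:", provider_verify(resign_without_secrets(good)))
```

The three cases at the bottom mirror the thread: the genuine request verifies, any parameter changed after signing fails (the provider's reconstruction no longer matches), and a request re-signed by someone without the consumer and token secrets fails even though every other parameter is identical.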
