I've got a potentially simple solution.

1. User goes to photoeditor.com.
        1a. The user creates an account
        or
        1b. The user is prompted to enter a word/phrase familiar to them, if
the consumer is not a user account-based site.
2. When the token is requested, this username or phrase is included in
the request.
3. When the user is directed to authenticate at the provider (without
this phrase), the user sees:
        3a. Their username or phrase entered at the consumer site, as defined
in the token request
        or
        3b. A prompt to enter that username or phrase that was part of the
token request.

Other ideas:
- The callback could have the auth token encrypted using this username/
phrase as the key, thus forcing the consumer to also check to make
sure the requests match up.

I'm looking forward to everyone picking this idea apart.

Shan

On Apr 24, 1:42 pm, pkeane <[email protected]> wrote:
> On Apr 24, 1:29 pm, Dossy Shiobara <[email protected]> wrote:
>
> > On 4/24/09 1:18 PM, Zachary Voase wrote:
>
> > > The point I'm trying to make is that this is an intractable problem; I
> > > don't know how to explain it in clearer terms than this: the issue is
> > > one of being able to read the user's mind and find out if they are who
> > > they say they are. The two-point solution I'm trying to push ensures
> > > that requests are as authentic as possible. *Any* solution will be
> > > heuristic because of the architecture on which OAuth works (a
> > > combination of HTTP, TCP/IP, and Homo Sapiens).
>
> > It's not an intractable problem.  There's no mind-reading required, just
> > a design that isn't flawed by design.
>
> > I have yet to see anyone explain why my proposal of authenticating with
> > the SP _first_ before starting the authorization flow with OAuth does
> > NOT eliminate this risk _completely_.  Someone please shoot a hole in
> > the idea if it's at all possible.
>
> I'm pretty sure it does.  Let me see if I can sketch out the scenario:
>
> 1. user goes to photoeditor.com to edit some photos.  photoeditor.com
> gives me a menu of "partners" that I can use photos from: Flickr,
> Picasa, etc.
> 2. I select Flickr and I am immediately sent to sign into my
> account (using my Flickr user/pass).
> 3. Now instead of sending me back to photoeditor.com, I am forwarded
> to the Flickr OAuth page where it asks "do you want to continue on to
> photoeditor.com"?
> 4. I click "yes," and I am forwarded back to photoeditor.com fully
> able to edit my Flickr photos.
>
> Is that possible? I'm not sure it matters what order things are done
> on at the SP -- the basic idea is that the A & B steps are collapsed
> down into *one* step, all of which happens on the SP.
>
> Apologies if it is an obviously flawed idea -- just trying to get my
> head around it.
>
> --peter
>
> > --
> > Dossy Shiobara              | [email protected] |http://dossy.org/
> > Panoptic Computer Network   |http://panoptic.com/
> >    "He realized the fastest way to change is to laugh at your own
> >      folly -- then you can let go and quickly move on." (p. 70)
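The phrase-binding flow Shan proposes at the top of this message (steps 1-3, plus the "other idea" of keying the callback to the phrase so the consumer can check the requests match up), as an added simulation that is not code from the thread or from any OAuth library. Consumer and provider are in-process Python objects; the names photoeditor.example, Consumer, Provider, bind(), the session ids and the phrases are all constructed for the example. Where the message says "encrypted using this username/phrase as the key", the example instead derives a key from the phrase (PBKDF2) and HMACs the request token with it, which gives the consumer the same "does this callback belong to the phrase in my session" check without a toy cipher.

```python
"""Constructed simulation of the phrase-binding proposal (added example, not
from the thread). photoeditor.example, Consumer, Provider, bind(), the
session ids and phrases below are assumptions made for illustration."""
import hashlib
import hmac
import secrets


def bind(phrase, request_token):
    """Key the callback to the phrase: PBKDF2 the phrase into a key, then
    HMAC the request token. Stands in for 'encrypt the token with the
    phrase'; a consumer can recompute it only if it holds the same phrase."""
    key = hashlib.pbkdf2_hmac("sha256", phrase.encode(), b"phrase-binding", 50_000)
    return hmac.new(key, request_token.encode(), hashlib.sha256).hexdigest()


class Consumer:
    """photoeditor.example: binds the phrase to the browser session (step 1b/2)."""

    def __init__(self):
        self.sessions = {}  # session_id -> {"phrase": str, "request_token": str}

    def start_flow(self, session_id, phrase):
        self.sessions[session_id] = {"phrase": phrase}
        # Step 2: the phrase travels in the request-token request.
        return {"phrase": phrase, "callback": "https://photoeditor.example/cb"}

    def store_request_token(self, session_id, request_token):
        self.sessions[session_id]["request_token"] = request_token

    def handle_callback(self, session_id, request_token, tag):
        """'Make sure the requests match up': the token must be the one this
        session started, and the tag must verify under this session's phrase."""
        sess = self.sessions.get(session_id)
        if sess is None or sess.get("request_token") != request_token:
            return False
        return hmac.compare_digest(bind(sess["phrase"], request_token), tag)


class Provider:
    """Flickr-like provider: remembers the phrase alongside the request token."""

    def __init__(self):
        self.request_tokens = {}  # token -> {"phrase", "callback", "authorized"}

    def issue_request_token(self, token_request):
        token = secrets.token_hex(8)
        self.request_tokens[token] = dict(token_request, authorized=False)
        return token

    def authorization_page(self, request_token):
        # Step 3a: show the user the phrase that came with the token request.
        rec = self.request_tokens[request_token]
        return (f"photoeditor.example asks for access to your photos. "
                f"Phrase you entered there: '{rec['phrase']}'")

    def authorize(self, request_token, phrase_typed_by_user):
        # Step 3b: the user re-types the phrase; refuse if it does not match.
        rec = self.request_tokens[request_token]
        if not hmac.compare_digest(rec["phrase"].encode(), phrase_typed_by_user.encode()):
            return None
        rec["authorized"] = True
        return {"request_token": request_token, "tag": bind(rec["phrase"], request_token)}


def honest_flow():
    """Alice starts and finishes the flow in her own session."""
    consumer, provider = Consumer(), Provider()
    req = consumer.start_flow("alice-session", "purple giraffe")
    token = provider.issue_request_token(req)
    consumer.store_request_token("alice-session", token)
    page = provider.authorization_page(token)
    cb = provider.authorize(token, "purple giraffe")
    return "purple giraffe" in page and consumer.handle_callback(
        "alice-session", cb["request_token"], cb["tag"])


def fixation_attempt():
    """Mallory starts the flow with her own phrase and hands the victim the
    authorization link. Returns (victim is shown Mallory's phrase, provider
    refuses when the victim types her own phrase at step 3b)."""
    consumer, provider = Consumer(), Provider()
    req = consumer.start_flow("mallory-session", "mallory phrase")
    token = provider.issue_request_token(req)
    consumer.store_request_token("mallory-session", token)
    page = provider.authorization_page(token)
    refused = provider.authorize(token, "purple giraffe") is None
    return ("mallory phrase" in page, refused)
```

honest_flow() walks Alice through steps 1-3 and the callback check; fixation_attempt() shows what a victim sees when someone else's request token is put in front of her, and that the 3b re-entry check refuses a phrase that does not match the token request. The consumer-side check compares the tag against the phrase stored in whichever session receives the callback.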
You received this message because you are subscribed to the Google Groups 
"OAuth" group.