Hmm... I feel like this has been lost in all the hubbub about callbacks. I strongly advocate saying something in the spec about making the token exchange (access token endpoint) one-time use only.
By one-time only, I mean that the first time there is an attempt to exchange a request token for an access token, if the request token has not been authorized, then that request token should be marked as invalid. This will make a session fixation attack nearly impossible without a callback. If a service provider allows multiple attempts to exchange the request token, a callback is not even necessary for the attack to work! The attacker must only keep trying to exchange the token.

I know it's up to the service provider to implement one-time only token exchange, but putting it in the documentation (and libraries) will make it much easier for service providers to do the right thing.

Am I missing the discussion about this? Is it on the wiki and I just can't find it? Or is everyone in agreement that this should be added to the docs?

Thanks,
Leah
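The one-time exchange rule described above, as an added example that is not part of the original post or of any OAuth library: a minimal service-provider token store in which the first exchange attempt on a request token burns it, so a premature attempt by whoever holds the token leaves nothing for the later authorization to unlock. `TokenStore`, `RequestToken` and the method names are hypothetical.

```python
# Added illustration (not from the thread): request-token store whose access
# token endpoint is one-time use, as Leah proposes. Names are hypothetical.
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class RequestToken:
    secret: str
    authorized: bool = False   # set when the resource owner approves it
    invalid: bool = False      # set on the first exchange attempt, success or not


class TokenStore:
    def __init__(self) -> None:
        self.request_tokens: Dict[str, RequestToken] = {}
        self.access_tokens: Dict[str, str] = {}

    def issue_request_token(self) -> str:
        token = secrets.token_hex(16)
        self.request_tokens[token] = RequestToken(secret=secrets.token_hex(16))
        return token

    def authorize(self, token: str) -> bool:
        """Called after the resource owner approves the consumer's request."""
        rt = self.request_tokens.get(token)
        if rt is None or rt.invalid:
            return False          # a burned token cannot be revived by later approval
        rt.authorized = True
        return True

    def exchange(self, token: str) -> Optional[str]:
        """Access token endpoint: exactly one attempt per request token, ever."""
        rt = self.request_tokens.get(token)
        if rt is None or rt.invalid:
            return None
        rt.invalid = True         # burn it before looking at the outcome
        if not rt.authorized:
            return None           # premature exchange: token is now dead
        access = secrets.token_hex(16)
        self.access_tokens[access] = secrets.token_hex(16)
        return access
```

Because the token is burned before the authorization check, a caller polling the endpoint ahead of the user's approval only destroys the token it holds; a legitimate consumer that waits for authorization gets exactly one successful exchange.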
