I agree with you, Leah, that it should be outlined in the spec that the SP
should limit the number of access token requests
to prevent brute force attacks. This would really make session fixation
impossible w/o a callback.

On Tue, Apr 28, 2009 at 5:02 PM, Leah Culver <[email protected]> wrote:

>
> Hmm... I feel like this has been lost in all the hubbub about
> callbacks.
>
> I strongly advocate saying something in the spec about making the
> token exchange (access token endpoint) one-time use only.
>
> By one-time only, I mean that the first time there is an attempt to
> exchange a request token for an access token, if the request token has
> not been authorized, then that request token should be marked as
> invalid. This will make a session fixation attack nearly impossible
> without a callback.
>
> If a service provider allows multiple attempts to exchange the request
> token, a callback is not even necessary for the attack to work! The
> attacker must only keep trying to exchange the token.
>
> I know it's up to the service provider to implement one-time only
> token exchange, but putting it in the documentation (and libraries)
> will make it much easier for service providers to do the right thing.
>
> Am I missing the discussion about this? Is it on the wiki and I just
> can't find it? Or is everyone in agreement that this should be added
> to the docs?
>
> Thanks,
> Leah
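The one-time-use rule Leah proposes, as an added illustration that is not code from this thread or from any OAuth library: an in-memory model of a service provider's request token store, with a `one_time_use` switch so the permissive behaviour she warns about can be compared with the hardened one. Token values, the `ServiceProvider` class and the `simulate` helper are all constructed for this example.

```python
# Added example, not code from the thread: an in-memory model of a service
# provider's request-token handling that shows why a one-time-use access token
# endpoint defeats the polling attack described above. Tokens are constructed;
# a real provider also checks consumer signatures and persists this state.
import secrets

class ServiceProvider:
    def __init__(self, one_time_use):
        self.one_time_use = one_time_use
        self.tokens = {}  # request token -> {"authorized": bool, "invalid": bool}

    def issue_request_token(self):
        token = secrets.token_hex(8)
        self.tokens[token] = {"authorized": False, "invalid": False}
        return token

    def authorize(self, token):
        # The resource owner approves the request token at the SP.
        rec = self.tokens.get(token)
        if rec is None or rec["invalid"]:
            return False
        rec["authorized"] = True
        return True

    def exchange(self, token):
        # Access token endpoint: returns an access token, or None on refusal.
        rec = self.tokens.get(token)
        if rec is None or rec["invalid"]:
            return None
        if not rec["authorized"]:
            if self.one_time_use:
                # A premature exchange burns the token, so whoever polls this
                # endpoint before the user approves can never redeem it later.
                rec["invalid"] = True
            return None
        rec["invalid"] = True  # a request token is exchanged at most once
        return secrets.token_hex(16)

def simulate(one_time_use, polls_before_authorization=3):
    """Scenario from the thread: the holder of a request token polls the
    exchange endpoint, the user then authorizes, and one final exchange is
    tried. Returns True if that holder ends up with an access token."""
    sp = ServiceProvider(one_time_use)
    token = sp.issue_request_token()
    for _ in range(polls_before_authorization):
        if sp.exchange(token) is not None:
            return True
    sp.authorize(token)
    return sp.exchange(token) is not None
```

With `one_time_use=False` the polling party is handed an access token as soon as the user approves; with `one_time_use=True` the first premature poll invalidates the request token and the later approval is refused, while the legitimate flow (no polling before approval) still succeeds.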

You received this message because you are subscribed to the Google Groups 
"OAuth" group.