Actually, I think it's a pretty small change to the spec.

In section 6.3.2 Service Provider Grants an Access Token
(http://oauth.net/core/1.0/#auth_step3), it says:

The Service Provider MUST ensure that:

   - The request signature has been successfully verified.
   - The Request Token has never been exchanged for an Access Token.
   - The Request Token matches the Consumer Key.

...
If the request fails verification or is rejected for other reasons, the
Service Provider SHOULD respond with the appropriate response code as
defined in HTTP Response Codes (HTTP Response
Codes) <http://oauth.net/core/1.0/#http_codes>.


Perhaps an updated version could say something like (changes in red):

 The Service Provider MUST ensure that:

   - The request signature has been successfully verified.
   - The Request Token has never been exchanged for an Access Token.
   - There have been no prior attempts to exchange this Request Token for an
   Access Token.
   - The Request Token matches the Consumer Key.

...
If the request fails verification or is rejected for other reasons, the
Service Provider SHOULD invalidate or delete the request token and respond
with the appropriate response code as defined in HTTP Response Codes (HTTP
Response Codes) <http://oauth.net/core/1.0/#http_codes>.




On Tue, Apr 28, 2009 at 3:02 PM, Leah Culver <[email protected]> wrote:

>
> Hmm... I feel like this has been lost in all the hubbub about
> callbacks.
>
> I strongly advocate saying something in the spec about making the
> token exchange (access token endpoint) one-time use only.
>
> By one-time only, I mean that the first time there is an attempt to
> exchange a request token for an access token, if the request token has
> not been authorized, then that request token should be marked as
> invalid. This will make a session fixation attack nearly impossible
> without a callback.
>
> If a service provider allows multiple attempts to exchange the request
> token a callback is not even necessary for the attack to work! The
> attacker must only keep trying to exchange the token.
>
> I know it's up to the service provider to implement one-time only
> token exchange, but putting it in the documentation (and libraries)
> will make it much easier for service providers to do the right thing.
>
> Am I missing the discussion about this? Is it on the wiki and I just
> can't find it? Or is everyone in agreement that this should be added
> to the docs?
>
> Thanks,
> Leah

You received this message because you are subscribed to the Google Groups 
"OAuth" group.
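To make the proposed one-time-use rule concrete, here is an added example (not code from the thread, the spec, or any OAuth library) of an Access Token endpoint that enforces the four checks from section 6.3.2 and burns the Request Token on the first rejected exchange. The ServiceProvider class, its method names and the in-memory token stores are assumptions made for illustration; request-signature verification is out of scope and is passed in as a boolean. The second scenario models Leah's no-callback attack: the attacker, driving a legitimate Consumer, keeps retrying the exchange in the hope that the victim authorizes the token in the meantime.

```python
"""Single-use Request Token exchange at the Access Token endpoint (OAuth 1.0, 6.3.2).

Added example, not from the mailing-list thread. ServiceProvider, its method
names and the in-memory stores are assumptions for illustration only;
signature verification is represented by the signature_verified flag.
"""
import secrets
from dataclasses import dataclass


@dataclass
class RequestToken:
    token: str
    secret: str
    consumer_key: str
    authorized: bool = False   # set when the User approves the token (section 6.2)
    exchanged: bool = False    # set once an Access Token has been issued for it
    invalidated: bool = False  # set on the first rejected exchange attempt


class ServiceProvider:
    """Minimal Service Provider keeping tokens in memory (assumption for the example)."""

    def __init__(self):
        self._request_tokens = {}
        self._access_tokens = {}

    def issue_request_token(self, consumer_key):
        rt = RequestToken(secrets.token_hex(8), secrets.token_hex(16), consumer_key)
        self._request_tokens[rt.token] = rt
        return rt.token

    def authorize(self, token):
        # User approval at the authorization endpoint; burned tokens stay unauthorized.
        rt = self._request_tokens.get(token)
        if rt is not None and not rt.invalidated:
            rt.authorized = True

    def exchange(self, consumer_key, token, signature_verified):
        """Access Token endpoint. Returns (HTTP status, body); 401 as in section 10."""
        rt = self._request_tokens.get(token)
        if rt is None:
            return 401, "invalid request token"

        def reject(reason):
            # Proposed rule: a rejected exchange invalidates the Request Token, so a
            # later retry can never succeed even if the User authorizes it meanwhile.
            rt.invalidated = True
            return 401, reason

        if not signature_verified:
            return reject("signature verification failed")
        if rt.consumer_key != consumer_key:
            return reject("request token does not match consumer key")
        if rt.exchanged:
            return reject("request token already exchanged for an access token")
        if rt.invalidated:
            return reject("prior failed attempt to exchange this request token")
        if not rt.authorized:
            return reject("request token not authorized")

        rt.exchanged = True
        access_token = secrets.token_hex(8)
        self._access_tokens[access_token] = consumer_key
        return 200, f"oauth_token={access_token}&oauth_token_secret={secrets.token_hex(16)}"


def legitimate_flow():
    """Consumer obtains, User authorizes, Consumer exchanges once; a replay is refused."""
    sp = ServiceProvider()
    token = sp.issue_request_token("consumer-a")
    sp.authorize(token)
    first = sp.exchange("consumer-a", token, signature_verified=True)[0]
    replay = sp.exchange("consumer-a", token, signature_verified=True)[0]
    return first, replay


def session_fixation_attempt():
    """Attacker drives Consumer A to retry the exchange on a token the victim
    has not yet authorized; the first premature attempt burns the token."""
    sp = ServiceProvider()
    token = sp.issue_request_token("consumer-a")  # attacker started the flow via Consumer A
    premature = sp.exchange("consumer-a", token, signature_verified=True)[0]  # rejected, token burned
    sp.authorize(token)  # victim is later tricked into approving the same token...
    after_victim = sp.exchange("consumer-a", token, signature_verified=True)[0]  # ...still rejected
    return premature, after_victim
```

The trade-off to weigh when adopting the proposed SHOULD: because a rejected exchange (including one with a bad signature) burns the token, anyone who learns a Request Token value, which travels in URLs, can cause the legitimate exchange to fail. That is a denial of service against one flow rather than an account compromise, which is the trade the proposal makes to close the fixation window.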