> So I guess the proposal is:
>
> oauth_callback in 1st step:
>
> - Present with value - include verifier in callback and require to exchange tokens
> - Present with empty value - display verifier to user and require to exchange tokens
> - Not included in request - no verifier requirement if allowed by the server, potential stronger warning
>
> oauth_callback in 2nd step:
>
> - Present and wasn't in 1st step - no verifier requirement if allowed by the server, potential stronger warning (should be deprecated eventually)
> - Present in both 1st and 2nd steps - error
> - Not included in redirection - no verifier requirement if allowed by the server, potential stronger warning
>
We need to be careful with the "not included in request" case for Rev A. Consider:

1. Attacker opens desktop consumer, begins auth flow
2. Consumer fetches request token without specifying an oauth_callback
3. Consumer asks Attacker to visit a URL in order to verify request token
4. Attacker modifies URL, adding oauth_callback pointing to his own site
5. Attacker tricks victim into authorizing request token, is notified when authorization is completed by the victim's request of attacker's callback

So there's a loophole. It can be closed in a number of ways:

- Make the consumer register as a desktop app during consumer key provisioning and disallow callbacks for desktop apps.
- Increment the OAuth version so the provider knows not to accept an oauth_callback during authorization.
- Require a non-url or empty value for oauth_callback (but this would make it impossible to distinguish between a desktop app that wanted the verifier step vs. one that didn't).
- Require a non-url value for oauth_callback (e.g., "oob") if you want the verifier, and an empty value if you don't. Same as previous option, but allows you to turn the verifier step on/off.

Mike
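The callback rules sketched in the quoted proposal, with Mike's last option applied on the provider side (oauth_callback is required at the request-token step as either an absolute URL or the non-URL marker "oob", and an oauth_callback arriving at the authorization step is never honoured), as an added example that is not code from the thread or from any OAuth library. The class and parameter names (`Provider`, `OOB`, `allow_legacy_no_callback`) and the sample URLs are this example's own; the legacy mode exists only to show how the "not included in request" case is handled without letting a callback be introduced in step 2.

```python
import secrets
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

OOB = "oob"  # non-URL marker from the thread: display the verifier, do not redirect


@dataclass
class RequestToken:
    token: str
    callback: Optional[str]          # absolute URL, OOB, or None (legacy: omitted in step 1)
    verifier: Optional[str] = None
    authorized: bool = False


class Provider:
    """Minimal model of a service provider's three OAuth 1.0 Rev A steps (assumed design)."""

    def __init__(self, allow_legacy_no_callback: bool = False):
        # Legacy mode models the "not included in request" case the thread warns about.
        self.allow_legacy = allow_legacy_no_callback
        self.tokens: dict = {}

    def request_token(self, params: dict) -> RequestToken:
        """Step 1: the consumer fetches a request token and fixes its callback here."""
        if "oauth_callback" not in params:
            if not self.allow_legacy:
                raise PermissionError("oauth_callback required: absolute URL or 'oob'")
            cb = None
        else:
            cb = params["oauth_callback"]
            if cb != OOB and not cb.startswith(("http://", "https://")):
                raise ValueError("oauth_callback must be an absolute URL or 'oob'")
        tok = RequestToken(token=secrets.token_urlsafe(16), callback=cb)
        self.tokens[tok.token] = tok
        return tok

    def authorize(self, params: dict) -> dict:
        """Step 2: the resource owner approves at the authorization URL.

        Parameters in that URL were composed by whoever built the link, not by
        the consumer's signed request, so an oauth_callback here is never
        followed. If a callback was already fixed in step 1 it is an error (the
        proposal's "present in both steps" case); in legacy mode it is dropped,
        so nobody is notified of the approval through an injected URL.
        """
        tok = self.tokens.get(params.get("oauth_token", ""))
        if tok is None or tok.authorized:
            raise KeyError("unknown or already authorized request token")
        if "oauth_callback" in params and tok.callback is not None:
            raise ValueError("oauth_callback cannot be redefined at authorization time")
        tok.authorized = True
        if tok.callback is None:
            # Legacy path: no verifier; the thread's "stronger warning" applies.
            return {"action": "display", "verifier": None,
                    "warning": "legacy consumer: no verifier step"}
        tok.verifier = secrets.token_urlsafe(12)
        if tok.callback == OOB:
            return {"action": "display", "verifier": tok.verifier}
        return {"action": "redirect",
                "location": _with_query(tok.callback, oauth_token=tok.token,
                                        oauth_verifier=tok.verifier)}

    def access_token(self, params: dict) -> bool:
        """Step 3: the exchange succeeds only with the verifier the owner carried back."""
        tok = self.tokens.pop(params.get("oauth_token", ""), None)  # one-shot token
        if tok is None or not tok.authorized:
            return False
        if tok.verifier is None:
            return True  # legacy path: nothing to check, which is why it is weaker
        return secrets.compare_digest(tok.verifier, params.get("oauth_verifier", ""))


def _with_query(url: str, **extra: str) -> str:
    """Append parameters to a URL, preserving any query string the consumer registered."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True) + list(extra.items())
    return urlunsplit(parts._replace(query=urlencode(query)))
```

The important check is in `authorize`: the only callback the provider will ever redirect to is the one fixed by the consumer's own request-token call, so step 4 of the scenario above yields either an error or a silently ignored parameter, and the desktop case gets its verifier through the "oob" display path instead of through an empty callback.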
