On Fri, May 8, 2009 at 3:16 PM, Darren Bounds <[email protected]> wrote:
> While that's nice to have, I do not believe it's necessary to foil the
> attack. Acting purely on the identity of the user who completes the OAuth
> dance is enough and can still be considered a secure consumer
> implementation.
Not unless there is a user consent page presented before the consumer completes the linkage. You need some kind of user consent at the consumer side to verify that the user really intended to link the SP account to the consumer account. This is not totally out of the realms of normal CSRF protection, but it is a bit subtle.

How about this:

"CSRF attacks on OAuth callback URLs hosted by Consumers are also possible. Consumers should prevent CSRF attacks on OAuth callback URLs by verifying that the user at the consumer site intended to complete the OAuth negotiation with the service provider."

User intent can be divined in one of two ways:

1) "mixed binding", where you make sure the user who started the process and the user who finished it are the same.

2) "late binding", where the consumer asks the user whether they want to link their account.

There are real-world examples of late binding being very useful as a UI optimization:
http://code.google.com/apis/gadgets/docs/oauth.html#skip_popup

Cheers,
Brian

You received this message because you are subscribed to the Google Groups "OAuth" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [email protected]
For more options, visit this group at http://groups.google.com/group/oauth?hl=en
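The two intent checks Brian describes, as an added example that is not part of the original thread: a consumer-side callback handler that binds each pending request token to the consumer user who started the dance ("mixed binding") and, optionally, refuses to link until a consent page has been answered ("late binding"). The class, its method names and the random stand-in for the request token are all assumptions for illustration.

```python
import secrets


class ConsumerCallbackGuard:
    """Consumer-side bookkeeping for an OAuth callback (constructed example).

    Every pending request token is bound to the consumer-side user who
    started the dance, so the callback can check that the same user
    finishes it (mixed binding). With late_binding=True the callback also
    requires an explicit consent answer before the accounts are linked.
    """

    def __init__(self, late_binding=False):
        self.late_binding = late_binding
        self._pending = {}   # request token -> consumer user who started
        self.links = {}      # consumer user -> SP account linked to it

    def start(self, consumer_user):
        # A real consumer obtains the request token from the service
        # provider; a random value stands in for it here.
        token = secrets.token_urlsafe(16)
        self._pending[token] = consumer_user
        return token

    def callback(self, consumer_user, token, sp_account, consent=None):
        """Handle the redirect back from the service provider.

        consumer_user: who is logged in at the consumer when the callback hits
        sp_account:    the SP identity the token was authorized for
        consent:       True/False from the consent page (late binding only)
        """
        starter = self._pending.get(token)
        if starter is None:
            return "rejected: unknown or already used request token"
        if starter != consumer_user:
            # Mixed binding: the dance was started under a different
            # consumer account, so finishing it was not this user's intent.
            return "rejected: token was issued to a different user"
        if self.late_binding:
            if consent is None:
                return "consent required"      # render the consent page
            if not consent:
                self._pending.pop(token)
                return "rejected: user declined to link"
        self._pending.pop(token)               # tokens are single use
        self.links[consumer_user] = sp_account
        return "linked"
```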
