I'd say that where a verifier is required, only a small number of attempts should be allowed. We should allow for user entry error while mitigating against brute force attacks.

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre
On Sun, Jun 7, 2009 at 4:34 AM, Morten Fangel <[email protected]> wrote:

> What about trying to swap a Request Token to an Access Token, but the
> verifier code is wrong.
> Does that invalidate the Request Token, or does it just fail and wait
> for a new request with the correct verifier code?
>
> If it doesn't invalidate the Request Token, couldn't an attacker try
> all options for verifier codes? If the Request Token is requested with
> an OOB callback, the verifier will usually be short so people don't have
> to manually enter a long string.
>
> Regards
> Morten Fangel
>
> On Jun 7, 2009, at 7:17 AM, Eran Hammer-Lahav wrote:
>
> It means that once an Access Token was given using a Request Token, that
> Request Token must not be used again – it is invalidated.
>
> EHL
>
> On 6/6/09 9:45 PM, "Andrew Arnott" <[email protected]> wrote:
>
> In section 6 of the OAuth spec (either 1.0 or 1.0a versions -- they're the
> same here), I see the following:
>
> Request Token: Used by the Consumer to ask the User to authorize access to
> the Protected Resources. The User-authorized Request Token is exchanged for
> an Access Token, *MUST only be used once*, and MUST NOT be used for any
> other purpose. It is RECOMMENDED that Request Tokens have a limited
> lifetime.
>
> I'm wondering what this "MUST only be used once" is intended to limit. Is
> it sufficiently compliant to say that the SP will only ever give out the
> Access Token for a given request token once? Or does it mean that a desktop
> consumer app cannot keep polling the server with its request token until it
> finally gets an access token when the user finishes authorizing the request
> token?
>
> --
> Andrew Arnott
> "I [may] not agree with what you have to say, but I'll defend to the death
> your right to say it." - S. G. Tallentyre
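As an added illustration (my own example code, not from this thread or any OAuth library): a minimal service-provider token store for the Request Token to Access Token exchange that enforces the two points discussed above, single use of the Request Token and a small cap on wrong verifier guesses. The attempt limit, lifetime, 6-digit OOB verifier and all class and method names are assumptions; the spec only requires single use and recommends a limited lifetime.

```python
# Added example, not from the thread: an OAuth 1.0a service-provider (SP)
# side token store. Constants below are assumed values, not spec mandates.
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

MAX_VERIFIER_ATTEMPTS = 3   # small cap: tolerates typos, defeats guessing
REQUEST_TOKEN_TTL = 600     # seconds; spec RECOMMENDS a limited lifetime


@dataclass
class RequestToken:
    secret: str
    verifier: Optional[str] = None   # set once the User authorizes (sec. 6.2)
    issued_at: float = field(default_factory=time.time)
    attempts: int = 0
    spent: bool = False              # True once exchanged, expired or burnt


class ServiceProvider:
    def __init__(self) -> None:
        self.request_tokens: Dict[str, RequestToken] = {}

    def issue_request_token(self) -> Tuple[str, str]:
        token, secret = secrets.token_urlsafe(16), secrets.token_urlsafe(24)
        self.request_tokens[token] = RequestToken(secret)
        return token, secret

    def authorize(self, token: str) -> str:
        """User-authorization step: attach a short OOB-style verifier."""
        verifier = f"{secrets.randbelow(10**6):06d}"  # 6 digits, easy to type
        self.request_tokens[token].verifier = verifier
        return verifier

    def exchange(self, token: str, verifier: str) -> Optional[Tuple[str, str]]:
        """Return an Access Token pair on success, None on any failure."""
        rt = self.request_tokens.get(token)
        if rt is None or rt.spent or rt.verifier is None:
            return None                  # unknown, already used, or not authorized
        if time.time() - rt.issued_at > REQUEST_TOKEN_TTL:
            rt.spent = True              # expired: never exchangeable again
            return None
        rt.attempts += 1
        # Constant-time compare so response timing does not leak digits.
        if not hmac.compare_digest(rt.verifier, verifier):
            if rt.attempts >= MAX_VERIFIER_ATTEMPTS:
                rt.spent = True          # burn the token: no further guesses
            return None
        rt.spent = True                  # "MUST only be used once"
        return secrets.token_urlsafe(16), secrets.token_urlsafe(24)
```

A Consumer polling with an unauthorized Request Token simply gets failures without consuming an attempt; only wrong verifiers count toward the cap.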
