On Jun 25, 5:54 am, Monis <[email protected]> wrote:
> Can anyone please respond to this?
>
> Thanks,
> Monis
>
The spec does not provide details on the registration (and it should
not). So what fields are needed by the consumer to register on an SP
are driven by the SP and not by the spec. Yes, callback URL, or
callback domain can be one of the fields but the spec cannot and
should not assume that anyway. Should you choose, you may not want to
register the URL with the consumer info, or you may store the URL and
then verify if it is the same as the one provided during
registration.
The callback does not "eliminate" the session fixation attack per se -
it does help to tamper-proof the callback. In other words, a hacker
cannot change the callback and hijack the session without knowing the
signature (it is a signed request). Also, if the callback is "oob",
then the consumer needs to have the user enter a "verifier code"
manually before proceeding to request an access token. This is where
the flow changes between a real callback vs. an oob (out of band)
callback. The session fixation attack can be fixed only when the
consumer does not do early binding. You can search on this group as
there has been a lot of discussion around early vs. late binding. It
is beyond the provider's control IMO.
Hope this helps!
-cheers,
Manish
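To make the three points in Manish's reply concrete, here is an added example (not code from the thread or from any OAuth library) that models a toy OAuth 1.0a service provider and consumer in Python. The endpoint URL, the consumer key/secret, the registered callback and the timestamp are all constructed values. It shows (1) why a signed oauth_callback is tamper-proof: the SP recomputes the HMAC-SHA1 signature over the request-token parameters, so a callback altered after signing fails; (2) how the flow differs between a real callback (verifier delivered by redirect) and "oob" (user types the verifier in); and (3) late binding on the consumer side: the request token is remembered only in the browser session that started the dance, and nothing is bound to a user until that same session returns with the verifier. The SP's check of the callback against what was given at registration is one of the optional SP-chosen policies the reply mentions, not a spec requirement.

```python
import base64, hashlib, hmac, secrets, urllib.parse

REQUEST_TOKEN_URL = "https://sp.example/oauth/request_token"  # assumed endpoint
CALLBACK = "https://consumer.example/oauth/cb"               # assumed registered callback

def pct(s):  # OAuth 1.0 percent-encoding: only RFC 3986 unreserved characters survive
    return urllib.parse.quote(str(s), safe="~")

def sign(method, url, params, consumer_secret, token_secret=""):
    # HMAC-SHA1 over the signature base string; oauth_callback is one of the signed params
    norm = "&".join(f"{pct(k)}={pct(v)}" for k, v in sorted(params.items()))
    base = "&".join([method.upper(), pct(url), pct(norm)])
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

def request_params(consumer_key, callback):  # constructed fixed timestamp for reproducibility
    return {"oauth_consumer_key": consumer_key, "oauth_nonce": secrets.token_hex(8),
            "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1245931200",
            "oauth_version": "1.0", "oauth_callback": callback}

class ServiceProvider:
    def __init__(self, consumers):
        self.consumers = consumers  # consumer_key -> (secret, callback given at registration)
        self.request_tokens = {}    # request token -> {"callback", "verifier"}

    def request_token(self, params, signature):
        secret, registered = self.consumers[params["oauth_consumer_key"]]
        # A callback altered after signing no longer matches the signature: tamper-proof.
        if not hmac.compare_digest(sign("POST", REQUEST_TOKEN_URL, params, secret), signature):
            raise PermissionError("bad signature")
        cb = params["oauth_callback"]
        if cb != "oob" and cb != registered:  # SP-chosen policy, not something the spec mandates
            raise PermissionError("callback differs from the registered one")
        token = secrets.token_hex(8)
        self.request_tokens[token] = {"callback": cb, "verifier": None}
        return token

    def authorize(self, token):
        # Resource owner approves; returns (redirect URL, or None for oob, and the verifier).
        rec = self.request_tokens[token]
        rec["verifier"] = secrets.token_hex(6)
        if rec["callback"] == "oob":
            return None, rec["verifier"]  # user must carry the verifier to the consumer by hand
        q = urllib.parse.urlencode({"oauth_token": token, "oauth_verifier": rec["verifier"]})
        return f"{rec['callback']}?{q}", rec["verifier"]

    def access_token(self, token, verifier):
        rec = self.request_tokens.pop(token, None)
        if rec is None or not hmac.compare_digest(rec["verifier"] or "", verifier):
            raise PermissionError("unknown token or wrong verifier")
        return "access-" + secrets.token_hex(8)

class Consumer:
    def __init__(self, key, secret, callback, sp):
        self.key, self.secret, self.callback, self.sp = key, secret, callback, sp

    def begin(self, session):
        p = request_params(self.key, self.callback)
        token = self.sp.request_token(p, sign("POST", REQUEST_TOKEN_URL, p, self.secret))
        # Late binding: the token is kept only in the session that started the dance; no account is bound yet.
        session["pending"] = token
        return token

    def finish(self, session, query):
        # Callback handler (or the form where an oob user types the verifier in).
        if session.get("pending") is None or query.get("oauth_token") != session["pending"]:
            raise PermissionError("token was not issued to this session")
        if not query.get("oauth_verifier"):
            raise PermissionError("missing oauth_verifier")
        return self.sp.access_token(session.pop("pending"), query["oauth_verifier"])

def rejected(fn, *args):
    try:
        fn(*args)
        return False
    except PermissionError:
        return True

def run_scenarios():
    sp = ServiceProvider({"ckey": ("csecret", CALLBACK)})
    web, oob = Consumer("ckey", "csecret", CALLBACK, sp), Consumer("ckey", "csecret", "oob", sp)
    out = {}
    # 1. Callback swapped after signing: the request-token call fails at the SP.
    p = request_params("ckey", CALLBACK)
    sig = sign("POST", REQUEST_TOKEN_URL, p, "csecret")
    p["oauth_callback"] = "https://elsewhere.example/cb"
    out["tampered_callback_rejected"] = rejected(sp.request_token, p, sig)
    # 2. Session A starts the flow; the browser B that authorizes is redirected with the verifier.
    a, b = {}, {}
    redirect, _ = sp.authorize(web.begin(a))
    query = dict(urllib.parse.parse_qsl(urllib.parse.urlsplit(redirect).query))
    out["other_session_rejected"] = rejected(web.finish, b, query)  # B never started this flow
    out["no_verifier_rejected"] = rejected(web.finish, a, {"oauth_token": query["oauth_token"]})
    out["web_flow_ok"] = web.finish(a, query).startswith("access-")  # honest case: A and B are one browser
    # 3. oob flow: no redirect at all; the user types the verifier into the consumer.
    s = {}
    token = oob.begin(s)
    redirect, verifier = sp.authorize(token)
    out["oob_flow_ok"] = redirect is None and oob.finish(s, {"oauth_token": token, "oauth_verifier": verifier}).startswith("access-")
    return out
```

Running `run_scenarios()` returns a dict in which every entry is True. The consumer never attaches a token to a user account in `begin`; the binding happens in `finish`, and only for the session whose stored request token matches the one in the callback and which presents a verifier, which is what distinguishes late from early binding in this toy.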
You received this message because you are subscribed to the Google Groups
"OAuth" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [email protected]
For more options, visit this group at http://groups.google.com/group/oauth?hl=en