My first post here... so... Hello all you OAuthians! I'm barely getting started with OAuth and have run into a few unknowns. After creating my server and getting OAuth fully implemented, it raised the following question: what happens if a client happens to expose your users' tokens?
I looked at a few apps using OAuth2 with connect (the GitHub database specifically). I looked at the requests being made, and the Authorization header matched the session cookie that was set. I was able to go to a different browser using the same token and successfully retrieve my personal data with it. Granted, they used a secure session cookie, but what would happen if they set an insecure cookie, or if their database got hacked? I asked on IRC and the answer I got was, "Have a really good TOS and trust your clients." But that sounds scary. So I look around and see posts about how banks should use OAuth, and it makes me wonder how that would be a good idea. Anyway, am I completely wrong? Or if I'm on the right path, how can one alleviate these problems? (I know you can have short-lived tokens... but is that all?)
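The two mitigations the poster is circling (short-lived access tokens, and surviving a database compromise) can be shown together in a small authorization-server model. This is an added example, not code from the post or from any of the apps mentioned; the client id, user id, scope and token lifetimes are made up, and the in-memory dicts stand in for a real token database. The points it demonstrates: a replayed bearer token works only until its short TTL runs out, the store holds only SHA-256 digests so a dump of it yields nothing replayable, refresh tokens are rotated on use so a copied one is burned, and revocation is a per-user kill switch.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Hypothetical lifetimes: short for access tokens so a leaked bearer token is
# only useful briefly; longer for refresh tokens, which are rotated on use.
ACCESS_TOKEN_TTL = 600          # seconds
REFRESH_TOKEN_TTL = 30 * 86400  # seconds


def token_digest(token: str) -> str:
    """Only this digest is stored; a dump of the store yields no usable tokens."""
    return hashlib.sha256(token.encode("ascii")).hexdigest()


@dataclass
class TokenRecord:
    user_id: str
    client_id: str
    scope: str
    expires_at: float
    revoked: bool = False


class AuthorizationServer:
    """Toy authorization server: opaque tokens, hashed at rest, with expiry."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self.now = now
        self.access_store: Dict[str, TokenRecord] = {}   # keyed by digest
        self.refresh_store: Dict[str, TokenRecord] = {}  # keyed by digest

    def issue(self, user_id: str, client_id: str, scope: str) -> Tuple[str, str]:
        access = secrets.token_urlsafe(32)
        refresh = secrets.token_urlsafe(32)
        t = self.now()
        self.access_store[token_digest(access)] = TokenRecord(
            user_id, client_id, scope, t + ACCESS_TOKEN_TTL)
        self.refresh_store[token_digest(refresh)] = TokenRecord(
            user_id, client_id, scope, t + REFRESH_TOKEN_TTL)
        return access, refresh

    def introspect(self, access_token: str) -> Optional[TokenRecord]:
        """What a resource server asks before serving a bearer-token request."""
        rec = self.access_store.get(token_digest(access_token))
        if rec is None or rec.revoked or rec.expires_at <= self.now():
            return None
        return rec

    def refresh(self, refresh_token: str) -> Optional[Tuple[str, str]]:
        """Rotate: the presented refresh token is burned and a new pair issued."""
        rec = self.refresh_store.get(token_digest(refresh_token))
        if rec is None or rec.revoked or rec.expires_at <= self.now():
            return None
        rec.revoked = True
        return self.issue(rec.user_id, rec.client_id, rec.scope)

    def revoke_user(self, user_id: str) -> int:
        """Kill switch for when a client is known to have leaked tokens."""
        n = 0
        for store in (self.access_store, self.refresh_store):
            for rec in store.values():
                if rec.user_id == user_id and not rec.revoked:
                    rec.revoked = True
                    n += 1
        return n


class FakeClock:
    """Controllable time source so expiry can be exercised deterministically."""

    def __init__(self, start: float) -> None:
        self.t = start

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def demo() -> dict:
    clock = FakeClock(1_000_000.0)
    srv = AuthorizationServer(now=clock)
    access, refresh = srv.issue("alice", "example-connect-app", "user:read")
    results = {}
    # A stolen token replayed from another browser works while it is fresh...
    results["replay_fresh"] = srv.introspect(access) is not None
    # ...but the plaintext token is nowhere in the server's store.
    results["plaintext_in_store"] = (access in srv.access_store
                                     or access in srv.refresh_store)
    # After the short TTL the same token is dead.
    clock.advance(ACCESS_TOKEN_TTL + 1)
    results["replay_expired"] = srv.introspect(access) is not None
    # The legitimate client rotates its refresh token to get a new pair...
    new_pair = srv.refresh(refresh)
    results["refresh_ok"] = new_pair is not None
    # ...and a copy of the old refresh token taken earlier is now useless.
    results["refresh_replay"] = srv.refresh(refresh) is not None
    # Revocation cuts off everything for the user at once.
    results["revoked_count"] = srv.revoke_user("alice")
    results["after_revoke"] = srv.introspect(new_pair[0]) is not None
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The revoked count of 3 comes from the expired first access token, the new access token and the new refresh token; the first refresh token was already burned by rotation. Hashing opaque tokens at rest does not help with a token that was already handed to a client, which is why the short TTL and the revocation path matter as much as the storage format.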
