Here is the note I sent a few weeks ago where we also noted the potential session fixation attack. However, as we noted, we are still willing to start with this profile and later work on one where the user has to enter a code into the device.
---------- Forwarded message ----------
From: Eric Sachs <[email protected]>
Date: Wed, Mar 17, 2010 at 5:45 PM
Subject: Re: [OAUTH-WG] Device Profile
To: Brent Goldman <[email protected]>
Cc: "OAuth WG ([email protected])" <[email protected]>

Google has a similar requirement to move these types of devices to OAuth/WRAP and away from our older "ClientLogin" protocol where the user is prompted for their username/password. The proposed profile looks fine, but we are a few weeks from being able to do specific work on it, so we may have more feedback at that time.

If the device can accept some user input, then there are some security advantages to requiring the user to get the code from their computer and then enter it into the device. In particular, it makes it easier to protect against a DOS attack targeted at the service-provider to request a large # of codes. That method also reduces the risk of a phishing/session-fixation type attack.

However we agree that some profile is needed for devices with no user input. We also expect it will be easier to get these device vendors to use a common industry technique, so we are fine with prioritizing our support for this profile. Longer term the community could define a profile where the code is displayed on the computer.

On Thu, Mar 11, 2010 at 3:27 AM, Brent Goldman <[email protected]> wrote:
> Over the past couple days, Luke Shepard, David Recordon, and I have been
> brainstorming an OAuth profile for standardizing the flow that devices such
> as game consoles and entertainment centers use to hook up with services such
> as Netflix and iTunes. The basic flow is that a device can gain
> authorization by directing the user to visit a URL on their computer and to
> enter a verification code copied from the device's screen.
>
> A draft spec is attached to this email. Any thoughts or feedback?
>
> Note: this is one of the many profiles going into the OAuth 2.0 draft that
> David is writing (http://daveman692.livejournal.com/349384.html).
>
> -Brent
>
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
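The flow Brent describes (device shows a code, user enters it on their computer) and the "request a large # of codes" DoS that Eric raises, modelled as an added example that is not code from the draft, the mailing list, or either company: a toy service-provider that issues a device_code/user_code pair, caps outstanding codes per client, expires them, and hands a token to the device exactly once. The class and method names, the TTL and the per-client cap are assumptions.

```python
import secrets
import string
import time

CODE_TTL = 600               # seconds a pending code stays valid (assumed value)
MAX_PENDING_PER_CLIENT = 3   # outstanding codes allowed per client_id (assumed value)


class DeviceAuthServer:
    def __init__(self, now=time.time):
        self.now = now            # injectable clock so expiry can be exercised in tests
        self.by_device = {}       # device_code -> {"client", "user_code", "expires", "approved"}
        self.by_user = {}         # user_code   -> device_code

    def _expire(self):
        for d in [d for d, p in self.by_device.items() if p["expires"] <= self.now()]:
            self.by_user.pop(self.by_device.pop(d)["user_code"], None)

    def request_code(self, client_id):
        """Device asks for a code pair; refused once this client has too many pending."""
        self._expire()
        live = sum(1 for p in self.by_device.values() if p["client"] == client_id)
        if live >= MAX_PENDING_PER_CLIENT:
            return None           # cap the "request a large # of codes" DoS per client
        device_code = secrets.token_urlsafe(32)              # secret, stays on the device
        user_code = "".join(secrets.choice(string.ascii_uppercase + string.digits)
                            for _ in range(8))               # short code shown on screen
        self.by_device[device_code] = {"client": client_id, "user_code": user_code,
                                       "expires": self.now() + CODE_TTL, "approved": False}
        self.by_user[user_code] = device_code
        return device_code, user_code

    def approve(self, user_code):
        """User, signed in on their computer, types the code copied from the device."""
        self._expire()
        device_code = self.by_user.get(user_code)
        if device_code is None:
            return False          # unknown, expired or already-used code
        self.by_device[device_code]["approved"] = True
        return True

    def poll(self, device_code):
        self._expire()
        p = self.by_device.get(device_code)
        if p is None:
            return "expired"
        if not p["approved"]:
            return "pending"
        del self.by_device[device_code], self.by_user[p["user_code"]]
        return "token:" + secrets.token_urlsafe(16)          # issued once; pair dropped above
```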
