+1 on both
Regarding clickjacking: If we don't want the flows to be inlined in an iframe,
specifying that the clients must show the server in a popup doesn't protect
against malicious clients that choose to show it in an iframe anyway. So I
think it also makes sense to add to the core spec that servers should protect
against this. The JavaScript is simple enough that perhaps the spec could give
an example snippet that any OAuth server could use. E.g.,
if (top != self && !isTopWindowSafe(top)) {
  showBigassTransparentDivWithHighZIndex_or_redirectToErrorPage();
}
-Brent
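A concrete form of the check sketched above, written as an added example rather than code from the thread. isTopWindowSafe is Brent's placeholder name; ALLOWED_PARENTS (an allowlist of origins permitted to embed the consent page) and the enforce helper are assumptions of this example.

```javascript
// Frame-ancestor guard for an OAuth authorization/consent page.
// ALLOWED_PARENTS is a constructed allowlist; an unframed page or one framed
// only by an allowlisted origin renders, anything else is blocked.
const ALLOWED_PARENTS = new Set(["https://auth.example.com"]); // constructed

// Origin of the top window, or null when it cannot be read. Reading
// top.location throws for a cross-origin parent, which is precisely the
// case that must be treated as untrusted.
function topOrigin(win) {
  try {
    return win.top.location.origin;
  } catch (e) {
    return null;
  }
}

// "render": not framed, or framed by an allowlisted parent we can verify.
// "block" : framed by a parent we cannot verify (possible clickjacking).
function frameDecision(win, allowed = ALLOWED_PARENTS) {
  if (win.top === win.self) return "render";
  const origin = topOrigin(win);
  if (origin !== null && allowed.has(origin)) return "render";
  return "block";
}

// Brent's placeholder name, expressed in terms of the decision above.
function isTopWindowSafe(win) {
  return frameDecision(win) === "render";
}

// Browser entry point: enforce(window, document) early in the consent page.
// Pair it with <style>html{display:none}</style> in the markup so the page is
// hidden until this script confirms it is safe; a framer that suppresses
// scripts then gets a blank page instead of a clickable consent button.
// The X-Frame-Options / CSP frame-ancestors response header remains the
// server-side backstop; this script is defence in depth, not a replacement.
function enforce(win, doc) {
  if (frameDecision(win) === "render") {
    doc.documentElement.style.display = "";
    return "render";
  }
  // Drop the consent UI entirely so an overlaying iframe has nothing to click.
  doc.body.textContent = "This page cannot be displayed inside another site.";
  return "block";
}
```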
On Apr 1, 2010, at 5:48 PM, Allen Tom wrote:
Websites using OpenID/OAuth/Facebook Connect/Twitter Connect often open a popup
window to the user’s Identity Provider for the user to complete the AuthZ/AuthN
flow rather than taking the user away from the referring site via a full page
redirect.
In the case where a popup window is used, it’s a very good idea to require that
the browser’s address bar is displayed, and that an independent browser
window is used, rather than an inline iframe. These requirements are needed to
help prevent the user from being phished in the case where the user has to
enter their password, and to ensure that the user’s consent was not forged via
a clickjacking attack.
I believe that the Web Server Flow and the Web Client Flow will often take
place within a popup window, so it would make sense to put into the core spec
that popups should be independent browser windows with the address bar clearly
displayed.
Another missing feature in the core spec is support for multiple languages.
Given that many Service Providers have a global userbase, client applications
will want to have a way to specify the language to be used on the auth screen.
While the User Agent’s Accept-Language: HTTP header, as well as the user’s IP
address could be used as language hints, in practice clients will want the
ability to specify the language.
Is there consensus to get Popup Window requirements and language support into
the OAuth2 core spec?
Allen
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth