Marius,

> But then again, how does the client end up making a request to
> the wrong site?

The client follows a redirect or link. It doesn't know if the ultimate source
of the new URI was the resource server's internal logic, user-generated
content, or a parameter in the request URI (e.g. an open redirector).


>> If the wrong site uses HTTP then the token is also exposed on the network -- 
>> so it has just been broadcast in the clear if you are using public wifi. 
>> Again a security failure.

> Sure, but the "sites" parameter does not help in these cases.

"sites" does help. If its value was:
  "sites": ["https://api.example.com", "https://img.example.com"]
then no HTTP URI matches, so the token is never sent in the clear.

--
James Manger
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth

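The "sites" check described in James's reply, as an added example that is not code from the thread or from any OAuth implementation: a client-side gate that attaches the bearer token only when the request URI's origin (scheme, host, port) exactly matches a "sites" entry, plus a simulated redirect chain showing the token withheld as soon as a hop leaves the list or downgrades to http. Exact-origin matching and the redirect map are assumptions made for the example.

```python
from typing import Dict, List, Optional, Tuple
from urllib.parse import urljoin, urlsplit

Origin = Tuple[str, str, int]


def origin_of(uri: str) -> Optional[Origin]:
    """Return (scheme, host, port) for an absolute http(s) URI, else None."""
    parts = urlsplit(uri)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.scheme, parts.hostname, port)  # hostname is already lowercased


def token_allowed(sites: List[str], request_uri: str) -> bool:
    """Assumed rule: send the token only on an exact origin match with a
    "sites" entry. An http:// URI therefore never matches an https:// entry,
    so a downgrade or an open-redirect hop never carries the token."""
    target = origin_of(request_uri)
    if target is None:
        return False
    return any(origin_of(site) == target for site in sites)


def follow_redirects(sites: List[str], start_uri: str,
                     redirects: Dict[str, str], max_hops: int = 5
                     ) -> List[Tuple[str, bool]]:
    """Simulate a client following Location headers. `redirects` is a
    constructed map of request URI -> Location (absolute or relative).
    Returns the trail of (uri, token_sent) decisions; raises on a loop."""
    trail: List[Tuple[str, bool]] = []
    uri = start_uri
    for _ in range(max_hops + 1):
        trail.append((uri, token_allowed(sites, uri)))
        location = redirects.get(uri)
        if location is None:
            return trail
        uri = urljoin(uri, location)  # resolve relative Location values
    raise RuntimeError("too many redirects")


# Constructed sample data: the "sites" value from the reply and a redirect
# chain that ends on a third-party host reached over plain HTTP.
SITES = ["https://api.example.com", "https://img.example.com"]
SAMPLE_REDIRECTS = {
    "https://api.example.com/photo/1": "https://img.example.com/p/1.jpg",
    "https://img.example.com/p/1.jpg": "http://cdn.example.net/p/1.jpg",
}
```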