> OAuth issues security tokens without indicating where they can be safely 
> used. While that fatal flaw remains, it is pointless to specify the use of 
> the Origin header.

I don't think anything should be in the base as the different token profiles 
can stipulate the audience.

From: [email protected] [mailto:[email protected]] On Behalf Of 
Manger, James H
Sent: Sunday, March 27, 2011 7:42 PM
To: Eran Hammer-Lahav; OAuth Mailing List
Subject: Re: [OAUTH-WG] Indicating origin of OAuth credentials to combat login CSRF

>> Q. Should an OAuth client app list the authorization server in the Origin 
>> header of requests to resource servers?

> Was there any conclusion?

My conclusion is that the Origin request header is the right place to list the 
OAuth authorization server to combat login CSRF attacks against apps.

The other conclusion was that you probably need fairly sophisticated & general 
(almost browser-like) apps for these attacks to work. OAuth is not friendly to 
such uses (client passwords; SHOULD pre-register redirect URI; no discovery...).

OAuth issues security tokens without indicating where they can be safely used. 
While that fatal flaw remains, it is pointless to specify the use of the Origin 
header.

The good news is that apps, services, or future specs can use the Origin header 
(listing the authorization server) without breaking any other parts of OAuth.

--
James Manger
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth