On Wed, May 11, 2011 at 11:44 AM, Lodderstedt, Torsten <
[email protected]> wrote:

> How shall the authorization server ensure that the calling client is a
> user-agent based app (i.e. a native app could impersonate a user-agent
> based app)?
>
> In my opinion, enforcing explicit user consent is the only way to prevent
> this kind of attack.
>

Native apps will require access to shared OS resources to retrieve the
access token if the redirect URI is a web location registered with the
proper web client.

If the native app has such access, the native app can do far more
interesting things to compromise the user's credentials directly.

No amount of protocol sophistication can address this.


>
> regards,
> Torsten.
>
> > -----Original Message-----
> > From: Marius Scurtescu [mailto:[email protected]]
> > Sent: Wednesday, 11 May 2011 20:28
> > To: Lodderstedt, Torsten
> > Cc: [email protected]; Doug Tangren
> > Subject: Re: [OAUTH-WG] oauth2 implicit flow user experience
> >
> > On Tue, May 10, 2011 at 4:43 PM, Lodderstedt, Torsten
> > <[email protected]> wrote:
> > > Hi Marius,
> > >
> > > wrt "auto-approval": how is the authorization server supposed to
> > validate the client's identity in a reliable way? Otherwise another
> > application (using the id of the legitimate client) could abuse the
> > authorization previously approved by the user as long as the session
> > with the authorization server is valid. The redirect_uri won't help for
> > all kinds of clients since a native app could use the correct
> > redirect_uri and nevertheless get access to the token.
> >
> > The only validation is based on the redirect URI. Native apps should
> > not use the implicit flow, and in general there is no need for
> > auto-approval for them.
> >
> > Marius
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth
>
-- 
Breno de Medeiros
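The policy the thread converges on, written out as an added example (not code from the thread or from any OAuth implementation): the authorization server's only handle on an implicit-flow client is an exact redirect_uri match, that match does not establish client type, so a prior grant is never reapplied silently and explicit consent is required on every implicit-flow request. The client registry, user names and the code-flow auto-approval branch are constructed assumptions for contrast.

```python
"""Authorization-endpoint decision logic for the implicit flow (constructed example)."""

# Constructed registry: hypothetical client id and redirect URI, not from the thread.
REGISTERED_CLIENTS = {
    "webapp-123": {"redirect_uris": {"https://app.example.com/cb"}},
}

# Scopes the user already approved for a client on an earlier visit (constructed).
PRIOR_GRANTS = {("webapp-123", "alice"): {"read"}}


def redirect_uri_matches(client_id: str, redirect_uri: str) -> bool:
    """Exact-string comparison against the registered set: no prefix or
    host-only matching, which would accept an appended path or query."""
    client = REGISTERED_CLIENTS.get(client_id)
    return client is not None and redirect_uri in client["redirect_uris"]


def authorize(client_id, redirect_uri, response_type, user, scope, consent_given):
    """Decide one authorization request; returns a (decision, detail) tuple."""
    if not redirect_uri_matches(client_id, redirect_uri):
        # Unregistered redirect_uri: fail locally and never redirect the error
        # (let alone a token) to the unverified location.
        return ("error", "invalid_redirect_uri")
    granted = {"client_id": client_id, "user": user, "scope": sorted(scope)}
    if response_type == "token":
        # Implicit flow: redirect_uri is the only client check available and a
        # native app can present the same client_id and redirect_uri, so the
        # prior grant is ignored and the user is asked every time.
        if not consent_given:
            return ("consent_required", sorted(scope))
        return ("grant", granted)
    # Authorization code flow: reuse a prior grant only when it already covers
    # the requested scope (assumed policy for contrast; the thread does not fix it).
    if consent_given or scope <= PRIOR_GRANTS.get((client_id, user), set()):
        return ("grant", granted)
    return ("consent_required", sorted(scope))
```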
