It's all about how you can swipe a token and inject it into another
application. It's easier to trap and inject a token in the implicit flow
because it's exposed to the user agent and there's no client secret tied
to the token's issuance. To get the same trick to work with the code
flow on server-based confidential clients, you'd need to inject your
rogue token into the client's configuration or state. With the implicit
flow and on devices, it's a bit easier just because the parts of the
system that need access to the token are more accessible.
-- Justin
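To make Justin's point concrete from the defender's side, here is an added example (not code from this thread or from any OAuth implementation) of the check a client that authenticates users with a bearer token has to make: the token must have been issued to *that* client, not merely be a valid token. The in-memory authorization server, its introspection response shape (`active`, `sub`, `client_id`, modelled on RFC 7662) and the client ids `app-a`/`app-b` are constructed for the example.

```python
import secrets
from typing import Dict, Optional

# Constructed stand-in for the authorization server's token store:
# opaque token -> (resource owner, client the token was issued to).
_ISSUED: Dict[str, tuple] = {}

def issue_token(subject: str, client_id: str) -> str:
    """AS issues an opaque bearer token for `subject` to `client_id`."""
    token = secrets.token_urlsafe(32)
    _ISSUED[token] = (subject, client_id)
    return token

def introspect(token: str) -> dict:
    """Constructed introspection endpoint (RFC 7662 shape): tells the caller
    whether the token is live and which client it was issued to."""
    if token not in _ISSUED:
        return {"active": False}
    subject, client_id = _ISSUED[token]
    return {"active": True, "sub": subject, "client_id": client_id}

def login_naive(my_client_id: str, token: str) -> Optional[str]:
    """Vulnerable pattern from the thread: any live token is accepted as proof
    of who the user is, so a token captured from another application
    (trivially exposed in the implicit flow) logs its owner in here."""
    info = introspect(token)
    return info["sub"] if info["active"] else None

def login_checked(my_client_id: str, token: str) -> Optional[str]:
    """Hardened: additionally require that the token was issued to this client.
    A token swiped from app-a is now useless for authenticating at app-b."""
    info = introspect(token)
    if not info["active"] or info.get("client_id") != my_client_id:
        return None
    return info["sub"]
```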
On 06/29/2012 12:53 PM, Antonio Sanso wrote:
Hi John
On Jun 29, 2012, at 1:43 AM, John Bradley wrote:
Authenticating to the client is NOT safe with all of the flows
you are perfectly right here. At the beginning of this discussion and reading your blog post
I was under the impression that this "attack" was tied to the use of the
implicit grant flow.
But this is not actually the case, as I could reproduce the same scenario
against a client using the Authorization Code flow.
Regards
Antonio
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth