1) Out-of-band code transmission

Currently Google OAuth2 implementation uses the special
"urn:ietf:wg:oauth:2.0:oob" to signal the Authorization Endpoint to return
an HTML page with the code, instead of a redirect. At first sight it seems
a good idea; however, it isn't in the OAuth 2 RFC.
  a) What is the reason for the absence in the spec?
  b) Is there any security problem associated with this usage?

2) Alternative "redirect_uri" schemes

I'm also considering the use of alternative schemes on the "redirect_uri".
For instance, a client app could use the "mailto:" scheme to instruct the
Authorization Endpoint to send the code via email. I know that a naive
implementation can be subject to fixation attacks, however
  a) Weren't these scenarios considered by the working group?
  b) Is there a major security flaw in this usage?

Thanks
Pedro
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
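Added example (not from the post or from any OAuth implementation): one defensive way an Authorization Endpoint can handle the two cases raised above, by matching "redirect_uri" exactly against a per-client registered list, allowing the "urn:ietf:wg:oauth:2.0:oob" value only for clients registered for it, and rejecting any other scheme such as "mailto:". The client ids and URIs in REGISTERED_CLIENTS are constructed for the example.

```python
from urllib.parse import urlsplit

# Special value the post describes Google's implementation accepting for out-of-band delivery.
OOB_URI = "urn:ietf:wg:oauth:2.0:oob"

# Constructed client registry for this example (hypothetical client ids and URIs).
REGISTERED_CLIENTS = {
    "web-client": {"redirect_uris": ["https://app.example.com/callback"], "oob_allowed": False},
    "native-client": {"redirect_uris": [OOB_URI], "oob_allowed": True},
}

# Policy assumed here: only https redirects; no mailto:, http:, or custom schemes.
ALLOWED_SCHEMES = {"https"}


def validate_redirect_uri(client_id, redirect_uri):
    """Return (ok, reason). Registered URIs are compared by exact string match,
    never by prefix, so query or path additions are rejected."""
    client = REGISTERED_CLIENTS.get(client_id)
    if client is None:
        return False, "unknown client"

    # Out-of-band delivery is opt-in per client, and must itself be the registered URI.
    if redirect_uri == OOB_URI:
        if client["oob_allowed"] and OOB_URI in client["redirect_uris"]:
            return True, "out-of-band delivery"
        return False, "oob not permitted for this client"

    parts = urlsplit(redirect_uri)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.fragment:
        # RFC 6749 forbids a fragment component in the redirection endpoint URI.
        return False, "fragment not allowed"
    if redirect_uri not in client["redirect_uris"]:
        return False, "redirect_uri not registered"
    return True, "registered https redirect"


if __name__ == "__main__":
    for cid, uri in [("web-client", "https://app.example.com/callback"),
                     ("web-client", "mailto:user@example.com"),
                     ("web-client", OOB_URI),
                     ("native-client", OOB_URI)]:
        print(cid, uri, validate_redirect_uri(cid, uri))
```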
