There is no redirection when requesting an access token. Token requests are typically out-of-band from the user. The attack only happens during an authorization redirect flow in the browser.
Phil

@independentid
www.independentid.com
[email protected]

On 2012-11-29, at 9:53 AM, Ariel Barreiro wrote:

> I am struggling a bit to understand this attack and the advice on how to
> prevent it. I understand that if I, as an attacker, can change the redirection
> URI when authorizing, can I not as well change the redirect URI when
> requesting an access token?
>
> Any explanation or examples of how this attack might work and how sending the
> redirect_uri when requesting the access token prevents it are welcome.
>
> Thanks,
> Ariel.
>
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth
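The exchange Phil describes, as an added example that is not part of the thread or of any listed implementation: a toy authorization server in Python that binds each authorization code to the redirect_uri it was issued for and, per RFC 6749 section 4.1.3, rejects a token request whose redirect_uri differs. The client ID, secret, URLs and the prefix-matching registration are all assumptions made up for the illustration; the attacker-readable page under the client's host stands in for whatever lets the attacker receive the redirect in practice.

```python
"""Added example (not from the OAuth list thread): a toy authorization server that
binds each authorization code to the redirect_uri used in the authorization
request and rejects a token request whose redirect_uri differs, as RFC 6749
section 4.1.3 requires. Client IDs, secrets and URLs are made up."""
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed registration: this client registered a URI *prefix* (a common
# loose-matching configuration), so any path under https://client.example/ is
# accepted at the authorization endpoint.
REGISTERED_CLIENTS = {
    "legit-client": {"secret": "client-secret", "redirect_prefix": "https://client.example/"},
}


class AuthorizationServer:
    def __init__(self, bind_redirect_uri=True):
        # Set to False only to show what happens without the binding check.
        self.bind_redirect_uri = bind_redirect_uri
        self._codes = {}  # code -> {"client_id", "redirect_uri", "user"}

    def authorize(self, client_id, redirect_uri, user):
        """Front channel: the user's browser arrives with an authorization
        request (built by the client, or by an attacker) and the user consents.
        Returns the Location the browser is redirected to, carrying the code."""
        client = REGISTERED_CLIENTS[client_id]
        if not redirect_uri.startswith(client["redirect_prefix"]):
            raise ValueError("redirect_uri not registered")
        code = secrets.token_urlsafe(16)
        self._codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri, "user": user}
        return f"{redirect_uri}?code={code}"  # constructed URIs carry no query of their own

    def token(self, client_id, client_secret, code, redirect_uri):
        """Back channel: the client's server calls this directly. Nothing is
        redirected here, so an attacker cannot influence the redirect_uri the
        client sends; it is always the client's own callback."""
        client = REGISTERED_CLIENTS.get(client_id)
        if client is None or not hmac.compare_digest(client_secret, client["secret"]):
            return {"error": "invalid_client"}
        grant = self._codes.pop(code, None)  # codes are single use
        if grant is None or grant["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if self.bind_redirect_uri and grant["redirect_uri"] != redirect_uri:
            return {"error": "invalid_grant", "error_description": "redirect_uri mismatch"}
        return {"access_token": secrets.token_urlsafe(16), "sub": grant["user"]}


class LegitClient:
    CALLBACK = "https://client.example/cb"

    def __init__(self, authz):
        self.authz = authz

    def callback(self, code):
        """The client's redirect endpoint: whoever brings a code here makes the
        client exchange it, and the client always sends its own redirect_uri."""
        return self.authz.token("legit-client", "client-secret", code, self.CALLBACK)


def code_from_location(location):
    return parse_qs(urlsplit(location).query)["code"][0]


def run_legit_flow():
    authz = AuthorizationServer()
    client = LegitClient(authz)
    location = authz.authorize("legit-client", LegitClient.CALLBACK, user="alice")
    return client.callback(code_from_location(location))


def run_code_injection(bind_redirect_uri):
    """The attack from RFC 6749 section 10.6: the attacker crafts the
    authorization request with a redirect_uri that passes the loose check but
    lands on a page they can read, then feeds the stolen code to the real client."""
    authz = AuthorizationServer(bind_redirect_uri)
    client = LegitClient(authz)
    attacker_page = "https://client.example/uploads/attacker.html"  # assumed attacker-readable
    location = authz.authorize("legit-client", attacker_page, user="victim")
    stolen_code = code_from_location(location)
    # The attacker now visits the legit client's callback with the victim's
    # code, in the attacker's own browser session.
    return client.callback(stolen_code)
```

With `bind_redirect_uri=False` the injected code is exchanged and the attacker's session ends up bound to the victim; with the check on, the client's own `redirect_uri` no longer matches the one the code was issued for and the token endpoint returns `invalid_grant`. The binding check is a second line of defence: the first is to register complete redirect URIs and compare them exactly at the authorization endpoint (RFC 6749 section 3.1.2.2), which would have rejected the attacker's URI before any code was issued.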
