This is why OAuth strongly suggests that Clients pre-register a set of valid redirect_uris, so that the URI being presented to the Auth Endpoint MUST match one that's been registered ahead of time.

 -- Justin
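An added example, not code from this thread or from any OAuth library, of the two checks Justin and Phil describe: the authorization endpoint accepts only an exactly pre-registered redirect_uri, and the token endpoint requires client authentication plus the same redirect_uri that the authorization code was bound to. Client ids, secrets and URIs are constructed sample values.

```python
import secrets
from urllib.parse import urlsplit

# Constructed sample registration (not real clients): each client pre-registers
# the exact redirect_uris it may use.
REGISTERED_CLIENTS = {
    "client-app": {"redirect_uris": {"https://app.example.com/callback"}, "secret": "s3cret"},
}

# Authorization codes issued so far, each bound to the client and redirect_uri it was issued for.
_issued_codes = {}


def redirect_uri_is_registered(client_id, redirect_uri):
    """Exact string comparison against the registered set: no prefix or host-only
    matching, so an attacker-chosen path or query on the same host is refused."""
    client = REGISTERED_CLIENTS.get(client_id)
    if client is None:
        return False
    parts = urlsplit(redirect_uri)
    if parts.fragment or parts.scheme != "https":
        return False
    return redirect_uri in client["redirect_uris"]


def authorize(client_id, redirect_uri, user_id):
    """Authorization endpoint: refuse an unregistered redirect_uri (show an error page,
    never redirect to it); otherwise issue a code bound to that redirect_uri."""
    if not redirect_uri_is_registered(client_id, redirect_uri):
        return None
    code = secrets.token_urlsafe(32)
    _issued_codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri, "user": user_id}
    return code


def exchange_code(client_id, client_secret, code, redirect_uri):
    """Token endpoint: authenticate the client, consume the code once, and require the
    presented redirect_uri to equal the one bound at authorization time."""
    client = REGISTERED_CLIENTS.get(client_id)
    if client is None or not secrets.compare_digest(client["secret"], client_secret):
        return None
    grant = _issued_codes.pop(code, None)  # single use: a mismatch or replay burns the code
    if grant is None or grant["client_id"] != client_id:
        return None
    if grant["redirect_uri"] != redirect_uri:
        return None
    return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "sub": grant["user"]}
```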

On 11/29/2012 01:05 PM, Ariel Barreiro wrote:
Still I can't see how to prevent the attack. I understand that there is no redirection when requesting an access token, however, the protocol requests the client to send the redirect_uri to the token end point to validate it was the same used in the authorization. If the authorization was compromised, couldn't the access token request be forged as well?


On Thu, Nov 29, 2012 at 4:01 PM, Phil Hunt <[email protected]> wrote:

    There is no redirection when requesting an access token.  Token
    requests are typically out-of-band from the user.  The attack only
    happens during an authorization redirect flow in the browser.

    Phil

    @independentid
    www.independentid.com
    [email protected]





    On 2012-11-29, at 9:53 AM, Ariel Barreiro wrote:

    > I am struggling a bit to understand this attack and the advice
    > on how to prevent it. I understand that if I, as an attacker, can
    > change the redirection URI when authorizing, can I not as well
    > change the redirect URI when requesting an access token?
    >
    > Any explanations or examples of how this attack might work and how
    > sending the redirect_uri when requesting the access token prevents
    > it are welcome.
    >
    > Thanks,
    > Ariel.
    > _______________________________________________
    > OAuth mailing list
    > [email protected]
    > https://www.ietf.org/mailman/listinfo/oauth
