I once again kick myself for not noticing the implicit flow was inserted into the spec … hopefully the warning labels keep others from supporting the implicit flow … but additional messaging about not supporting implicit flow would be useful.
I can see why Facebook wanted it for the content merging it provides, but it should likely have been a different API and authorization process.

On Feb 25, 2013, at 2:58 PM, "Richer, Justin P." <[email protected]> wrote:

> From my read, it's a combination of browser bugs (it only affects Chrome) and
> Facebook's insistence on using the Implicit flow for everything.
>
> While I don't at all care for the "sky is falling" rhetoric that seems to
> follow OAuth2, the author has some good suggestions for implementations:
> binding redirect URIs to particular flows, preference for the code flow, not
> using a default redirect_uri on a hosted domain with user-generated content.
>
> But all of these are implementation issues that the OAuth2 protocol can't
> really address directly.
>
> -- Justin
>
>
> On Feb 25, 2013, at 5:42 PM, William Mills <[email protected]> wrote:
>
>> DOH!!!
>> http://homakov.blogspot.co.uk/2013/02/hacking-facebook-with-oauth2-and-chrome.html
>>
>> From: Phil Hunt <[email protected]>
>> To: William Mills <[email protected]>
>> Sent: Monday, February 25, 2013 2:28 PM
>> Subject: Re: [OAUTH-WG] OAuth2 attack surface....
>>
>> What's the link?
>>
>> Phil
>>
>> Sent from my phone.
>>
>> On 2013-02-25, at 14:22, William Mills <[email protected]> wrote:
>>
>>> I think this is worth a read, I don't have time to dive into this :(
>>> _______________________________________________
>>> OAuth mailing list
>>> [email protected]
>>> https://www.ietf.org/mailman/listinfo/oauth
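The mitigations Justin lists above (binding each client to the flows it registered for, preferring the code flow, and refusing a default redirect_uri) can be enforced at the authorization endpoint. The following is an added example, not code from the thread or from any OAuth implementation discussed in it; the client registry, the `web-app` client and the `app.example` URI are constructed for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional
from urllib.parse import urlsplit

# Hypothetical client registration record (constructed for this example).
@dataclass(frozen=True)
class Client:
    client_id: str
    redirect_uris: FrozenSet[str]   # exact, pre-registered absolute URIs
    response_types: FrozenSet[str]  # flows this client may use

@dataclass
class AuthorizeDecision:
    ok: bool
    reason: str = ""

# Constructed registry: one client bound to the code flow only, so a
# response_type=token request for it is refused even though the server
# itself could serve the implicit flow.
REGISTRY = {
    "web-app": Client("web-app",
                      frozenset({"https://app.example/cb"}),
                      frozenset({"code"})),
}

def validate_authorize_request(client_id: str, response_type: str,
                               redirect_uri: Optional[str]) -> AuthorizeDecision:
    """Vet an /authorize request before any code or token is issued.

    response_type must be one the client registered for (flow binding);
    redirect_uri must be present (no server-side default) and match a
    registered URI byte-for-byte, so a user-controlled path on the same
    host cannot become the receiver of the response.
    """
    client = REGISTRY.get(client_id)
    if client is None:
        return AuthorizeDecision(False, "unknown client")
    if response_type not in client.response_types:
        return AuthorizeDecision(False, "response_type not registered for client")
    if redirect_uri is None:
        return AuthorizeDecision(False, "redirect_uri required; no default")
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or parts.fragment:
        return AuthorizeDecision(False, "redirect_uri must be https with no fragment")
    if redirect_uri not in client.redirect_uris:  # exact match, never prefix
        return AuthorizeDecision(False, "redirect_uri not registered")
    return AuthorizeDecision(True)
```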
