Does the OpenID Hybrid Protocol need to be amended to mention that
Hybrid should not use auto-approval for OAuth tokens?
Allen
Brian Eaton wrote:
> Automatic Repeat Approvals
>
> Some service providers may wish to automatically approve OAuth access
> requests from consumers who the user has al
Done.
http://blog.oauth.net/2009/05/11/oauth-wins-award-at-european-identity-conference/
On Sun, May 10, 2009 at 10:07 PM, John Panzer wrote:
> Wow, this is great. Would be good to have some of this info linked to
> from oauth.net too :). Thanks Eve!
>
>
> Eve Maler wrote:
>
> (Sorry, been tr
Sounds fine to me.
On Mon, May 11, 2009 at 1:58 PM, Eran Hammer-Lahav wrote:
>
> Why do we need any link? Why isn't it enough to just say 'Clickjacking' and
> let people find out more info on their own.
>
> EHL
>
>> -Original Message-
>> From: oauth@googlegroups.com [mailto:oa...@google
Why do we need any link? Why isn't it enough to just say 'Clickjacking' and let
people find out more info on their own.
EHL
> -Original Message-
> From: oauth@googlegroups.com [mailto:oa...@googlegroups.com] On Behalf
> Of Brian Eaton
> Sent: Monday, May 11, 2009 1:41 PM
> To: oauth@goo
Wikipedia is about as formal as you're going to get for the moment:
http://en.wikipedia.org/wiki/Clickjacking
On Mon, May 11, 2009 at 1:27 PM, Eran Hammer-Lahav wrote:
>
> We can't really link to a website from the spec, only to other documents. Any
> other ideas to replace your reference to [1
We can't really link to a website from the spec, only to other documents. Any
other ideas to replace your reference to [1]?
EHL
> -Original Message-
> From: oauth@googlegroups.com [mailto:oa...@googlegroups.com] On Behalf
> Of Brian Eaton
> Sent: Monday, May 11, 2009 12:59 PM
> To: oau
Service providers should protect the approval process against
"clickjacking" (sometimes called UI redress) attacks.
As of the time of this writing, no complete defenses
against clickjacking are available. A survey of attacks and defenses
may be found at [1]. Service providers can mitigate
the ri
I'm being lazy today. Can you fish those out and reply with something I can
just cut/paste into the spec? :-)
EHL
> -Original Message-
> From: oauth@googlegroups.com [mailto:oa...@googlegroups.com] On Behalf
> Of Brian Eaton
> Sent: Monday, May 11, 2009 11:52 AM
> To: oauth@googlegroups
The specific post you are looking for is:
http://www.hueniverse.com/hueniverse/2009/03/xrdbased-oauth-discovery-sneakpeek.html
EHL
From: oauth@googlegroups.com [mailto:oa...@googlegroups.com] On Behalf Of Chris
Messina
Sent: Monday, May 11, 2009 11:14 AM
To: oauth@googlegroups.com
Subject: [oau
There were two others in my first note on this thread, one on UI
redress, another on automated repeat approvals.
On Mon, May 11, 2009 at 11:45 AM, Eran Hammer-Lahav wrote:
>
> Cool. Are there any other new security consideration sections we need to add,
> or is this the only one?
>
> EHL
>
>> -
Cool. Are there any other new security consideration sections we need to add,
or is this the only one?
EHL
> -Original Message-
> From: oauth@googlegroups.com [mailto:oa...@googlegroups.com] On Behalf
> Of Brian Eaton
> Sent: Friday, May 08, 2009 3:39 PM
> To: oauth@googlegroups.com
> S
The work is now being done on XRD. The latest drafts are here:
http://www.hueniverse.com/hueniverse/2009/03/sunday-morning-ids.html
Chris
On Sat, May 9, 2009 at 4:56 PM, Andrew Arnott wrote:
> I see that the current http://oauth.net/discovery spec is marked as
> obsolete yet with no successor DR