While I agree that we should look into the auto-issuing aspects
carefully, and the recent OAuth security issue is a reminder that we
should all perform due security diligence, the session fixation
attack itself is impossible here because the request token step is
omitted.

On Tue, May 12, 2009 at 9:48 PM, Allen Tom <a...@yahoo-inc.com> wrote:
> Hi Nat,
>
> Here you go:
>
> http://step2.googlecode.com/svn/spec/openid_oauth_extension/latest/openid_oauth_extension.html
>
> We might need to revise the spec to not support checkid_immediate for the
> Hybrid flow, because auto-issuing OAuth access tokens is probably a bad
> thing, in light of the recent OAuth security issue.
>
> Allen
>
> Nat Sakimura wrote:
>>
>> Hi.
>>
>> Where can I find the most current version of OpenID / OAuth hybrid spec
>> draft?
>> I would like to look at it to see if I can borrow as much from the
>> draft for what I am thinking right now.
>
> _______________________________________________
> specs mailing list
> specs@openid.net
> http://openid.net/mailman/listinfo/specs
>
-- 
--Breno

+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)