While I agree that we should look into the auto-issuing aspects carefully, and the recent OAuth security issue is a reminder that we should all perform due security dilligence, the session fixation attack itself is impossible here because the request token step is omitted.
On Tue, May 12, 2009 at 9:48 PM, Allen Tom <a...@yahoo-inc.com> wrote: > Hi Nat, > > Here you go: > > http://step2.googlecode.com/svn/spec/openid_oauth_extension/latest/openid_oauth_extension.html > > We might need to revise the spec to not support checkid_immediate for the > Hybrid flow, becuase auto-issuing OAuth access tokens is probably a bad > thing, in light of the recent OAuth security issue. > > Allen > > > > > > Nat Sakimura wrote: >> >> Hi. >> >> Where can I find the most current version of OpenID / OAuth hybrid spec >> draft? >> I would like to look at it to see if I can borrow as much from the >> draft for what I am thinking right now. >> >> > > _______________________________________________ > specs mailing list > specs@openid.net > http://openid.net/mailman/listinfo/specs > -- --Breno +1 (650) 214-1007 desk +1 (408) 212-0135 (Grand Central) MTV-41-3 : 383-A PST (GMT-8) / PDT(GMT-7) _______________________________________________ specs mailing list specs@openid.net http://openid.net/mailman/listinfo/specs