Hi, I am using Apache Oltu in our project to authenticate Google, Yahoo and Microsoft users. I have a fundamental question: when a user has authenticated themselves and the authorization server redirects them back to the application using the redirect URI along with a code, from a security perspective, how can we verify that the code came from the respective service (for example, Google)? Does the authorization server send back a certificate or signature that can be used to verify itself? If so, does Oltu take care of this, or is it up to the application to do the verification? Can you provide any help as to how the application should verify the server in case Oltu doesn't do it currently?
Just FYI, in our application we are only concerned about a successful authentication, which is the first step in the OAuth process. We do not access any information about the user, so we are not getting into the next steps to get an access token etc. at this point. I am not sure if that is an issue. I would really appreciate your comments/replies. Thank you for your time.

Thanks,
Jude.
Iowa Workforce Development - IT | 1000 E Grand Ave, Des Moines, IA 50319
(515) 281-3378 | ashwanth.tiburt...@iwd.iowa.gov