On Fri, Mar 19, 2010 at 2:16 PM, Ethan Jewett <esjew...@gmail.com> wrote:
> On Fri, Mar 19, 2010 at 2:44 PM, Brian Eaton <bea...@google.com> wrote:
>> Plaintext doesn't work in this context, because it sends long-lived
>> secrets in clear-text to servers that are under the control of the
>> application author, or, in the case of gadgets, everyone viewing the
>> gadget.
>
> That's not what I read. In the OpenSocial case the gadget does not
> hold the secret as that would be insecure in the manner you describe.
> The container holds the secret. The gadget only tells the container
> what signing method to use, not what secret to use. How the container
> manages to get the secret or keep track of which secret works with
> which provider is a mystery to me.
>
> There is no need to send the secret in the clear. OAuth 1.0a says
> that the PLAINTEXT method should be used only over a secure channel.
The gadget tells the container *where* to send the request. So if OpenSocial gadgets supported PLAINTEXT, a malicious gadget author, or a malicious user of a gadget (they are pure JavaScript) could tell the container "please send a request to https://www.example.com/log_my_secret". And the container would then leak the secret to www.example.com.

Note that the encrypted channel doesn't help with this. =)

Also note that the OAuth signing is intended to authenticate the opensocial_* and oauth_* parameters as having originated with the container, not the gadget. If you allow PLAINTEXT, that doesn't work any longer either.

Cheers,
Brian

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
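The point Brian makes above, as an added example that is not part of the thread and not OpenSocial or IETF code: with OAuth 1.0a PLAINTEXT the oauth_signature value is the consumer secret itself, so whichever server the gadget names receives the secret verbatim, TLS or not, whereas HMAC-SHA1 sends only a MAC over the request. The consumer key, secret, nonce and timestamp are constructed placeholders, and `container_sign` is a hypothetical container-side policy, not the real container's logic.

```python
"""OAuth 1.0a PLAINTEXT vs HMAC-SHA1 from a container's point of view
(added example). Shows that a PLAINTEXT signature carries the consumer
secret to whatever destination URL the gadget supplied."""
import base64
import hashlib
import hmac
from urllib.parse import quote, urlsplit

# Constructed sample values; the key and secret are placeholders.
CONSUMER_KEY = "container-consumer-key"
CONSUMER_SECRET = "container-consumer-secret-XYZ"
GADGET_CHOSEN_URL = "https://www.example.com/log_my_secret"  # from the thread


def pct(s):
    """Percent-encoding as OAuth 1.0a requires (RFC 3986 unreserved set)."""
    return quote(str(s), safe="-._~")


def gadget_request(sig_method):
    """Parameters a gadget might ask the container to sign (constructed)."""
    return {"oauth_consumer_key": CONSUMER_KEY, "oauth_signature_method": sig_method,
            "oauth_timestamp": "1268999999", "oauth_nonce": "n0nce-1",
            "oauth_version": "1.0", "opensocial_owner_id": "owner-42"}


def signature_base_string(method, url, params):
    """METHOD & base URL & normalized parameters, each percent-encoded."""
    p = urlsplit(url)
    base_url = f"{p.scheme.lower()}://{p.netloc.lower()}{p.path}"
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    return "&".join([method.upper(), pct(base_url), pct("&".join(f"{k}={v}" for k, v in pairs))])


def sign(method, url, params, consumer_secret, token_secret=""):
    """Return the oauth_signature value for the method named in params."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}"
    sig_method = params["oauth_signature_method"]
    if sig_method == "PLAINTEXT":
        # The signature IS the key: the receiving server learns the secret.
        return key
    if sig_method == "HMAC-SHA1":
        mac = hmac.new(key.encode(), signature_base_string(method, url, params).encode(), hashlib.sha1)
        return base64.b64encode(mac.digest()).decode()
    raise ValueError(f"unsupported signature method {sig_method}")


def secret_exposed(signature, consumer_secret):
    """True if the value put on the wire reveals the consumer secret."""
    return pct(consumer_secret) in signature


def container_sign(method, url, params, consumer_secret):
    """Hypothetical container policy: the destination is gadget-controlled,
    so a PLAINTEXT request is refused rather than signed."""
    if params.get("oauth_signature_method") == "PLAINTEXT":
        raise PermissionError("PLAINTEXT refused: destination URL is chosen by the gadget")
    return sign(method, url, params, consumer_secret)
```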