In our experience at Yahoo, we've found that many clients don't have the right time. You'd think that NTP would have solved this by now, but it hasn't for a surprising number of clients.
Are timestamps really necessary in OAuth 2.0? In OAuth 1.0a, timestamps are included in the signature to protect against replay attacks. This is not really necessary in OAuth 2.0 since signatures are optional when SSL is used.

Allen

On 3/24/10 6:26 PM, "Paul Lindner" <lind...@inuus.com> wrote:

> Right now if a client with an inaccurate clock makes an OAuth call they are
> rejected. OAuth Problem Reporting
> <http://oauth.pbworks.com/ProblemReporting> includes a mechanism to send the
> server's concept of 'now' to the client:
>
>> The parameter named oauth_acceptable_timestamps consists of two numbers in
>> decimal notation, separated by '-' (hyphen). It's the range of timestamps
>> acceptable to the sender. That is, it means the sender will currently accept
>> an oauth_timestamp that's not less than the first number and not greater than
>> the second number.
>
> With that data a client can maintain a time skew value to translate localized
> time to the server's (reliable) time.
>
> We've found that this problem is more widespread than I would have imagined.
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
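The exchange Paul describes, as an added worked example that is not part of the thread and not code from any OAuth library: a server that checks oauth_timestamp against an acceptance window, reports the window with oauth_acceptable_timestamps when it refuses the request, and a client that derives a skew value from that report so its next timestamp lands in the server's window. The 300-second window, the function and class names, and the choice to take the midpoint of the reported range as the server's "now" are assumptions; the oauth_problem value timestamp_refused is the one defined by the Problem Reporting extension the post links to.

```python
"""Timestamp-window check and client-side skew correction for OAuth 1.0a."""

# Assumed acceptance window: the server accepts timestamps within
# +/- WINDOW_SECONDS of its own clock. The real value is deployment policy.
WINDOW_SECONDS = 300


def acceptable_range(server_now, window=WINDOW_SECONDS):
    """Inclusive (low, high) range of oauth_timestamp values the server accepts."""
    return (server_now - window, server_now + window)


def format_acceptable_timestamps(server_now, window=WINDOW_SECONDS):
    """Render the range as the 'low-high' oauth_acceptable_timestamps value."""
    low, high = acceptable_range(server_now, window)
    return f"{low}-{high}"


def parse_acceptable_timestamps(value):
    """Parse 'low-high' into two ints; reject malformed or inverted input."""
    parts = value.split("-")
    if len(parts) != 2:
        raise ValueError("expected two '-'-separated decimal numbers")
    low, high = (int(p) for p in parts)
    if low > high:
        raise ValueError("acceptable range is inverted")
    return low, high


def server_check_timestamp(oauth_timestamp, server_now, window=WINDOW_SECONDS):
    """Server side: accept, or refuse and report the window the client should use.

    Refusing out-of-window timestamps is what bounds how long a captured
    signed request stays replayable; the report lets honest clients recover.
    """
    low, high = acceptable_range(server_now, window)
    if low <= oauth_timestamp <= high:
        return {"ok": True}
    return {
        "ok": False,
        "oauth_problem": "timestamp_refused",
        "oauth_acceptable_timestamps": f"{low}-{high}",
    }


class SkewAwareClient:
    """Client that keeps a skew estimate (server time minus local time)."""

    def __init__(self, local_clock):
        self.local_clock = local_clock  # callable returning local epoch seconds
        self.skew = 0                    # seconds to add to local time

    def oauth_timestamp(self):
        """Timestamp to put in the request: local time translated to server time."""
        return int(self.local_clock()) + self.skew

    def learn_skew(self, acceptable_timestamps):
        """Update the skew from a timestamp_refused report and return it.

        Assumes the server centres its window on its own clock, so the
        midpoint of the reported range is the server's 'now'.
        """
        low, high = parse_acceptable_timestamps(acceptable_timestamps)
        server_now = (low + high) // 2
        self.skew = server_now - int(self.local_clock())
        return self.skew


def run_exchange(server_now, client_local_time):
    """Constructed round trip: first call refused, skew learned, retry accepted."""
    client = SkewAwareClient(lambda: client_local_time)
    first = server_check_timestamp(client.oauth_timestamp(), server_now)
    if first["ok"]:
        return {"first": first, "skew": 0, "retry": first}
    skew = client.learn_skew(first["oauth_acceptable_timestamps"])
    retry = server_check_timestamp(client.oauth_timestamp(), server_now)
    return {"first": first, "skew": skew, "retry": retry}


if __name__ == "__main__":
    # Constructed sample: the client's clock runs one hour ahead of the server.
    print(run_exchange(server_now=1_000_000_000, client_local_time=1_000_003_600))
```

The client only trusts the reported window because, as the thread notes, the OAuth 1.0a exchange runs over SSL; a skew learned from an unauthenticated response would let anyone on the path steer the client's timestamps, so a deployment without SSL should not apply it.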