Even if the auth server is using redirects for user simplicity, it can still comply with the referer-checking requirement by having the simple URL (http://google.samsung.com) pass its referer as a GET param to the actual complex URL (https://www.google.com/accounts/OAuthAuthorize?client_id=1238979). The actual server should first verify that the simple URL which redirected to it (the proxy referer) is trusted, and if so, additionally check the original referer from the GET param. Otherwise, the authorization should fail.
Should this be added to the spec, or is this just an implementation detail?

-Brent

On Apr 2, 2010, at 8:53 AM, Brian Eaton wrote:

> On Thu, Apr 1, 2010 at 9:18 PM, Allen Tom <a...@yahoo-inc.com> wrote:
>> The Auth server should also check for the presence of an HTTP Referrer.
>> There should not be a referrer, since the user should not have clicked on
>> anything to have landed on the screen
>
> I don't think this one is going to work in practice. Manufacturers
> may not point users directly at the OAuth approval page. They are
> going to end up pointing users to something shorter, e.g.
> "http://google.samsung.com". That web site will then redirect the
> user to the right approval page.
>
> Otherwise we end up needing to tell users to manually type in long,
> complex urls like
> https://www.google.com/accounts/OAuthAuthorize?client_id=1238979.
>
> Cheers,
> Brian

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
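The two-hop referer check Brent sketches above, written out as an added example (this is illustrative code, not anything from the thread or from Google's or Samsung's implementation). It assumes a parameter name `orig_referer` for the forwarded referer, a trusted-proxy list containing only `google.samsung.com`, and the authorize URL and client_id quoted in the thread; all of those are assumptions. The short URL's redirect handler copies whatever Referer it received into the query string, and the authorize endpoint then allows the request only when the user arrived directly with no Referer at all, or via a trusted proxy that saw no Referer itself (Allen's "there should not be a referrer" rule, applied one hop back).

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed values for the example; the thread names the URLs but not the
# parameter name or any proxy allow-list.
TRUSTED_PROXIES = {"google.samsung.com"}
AUTHORIZE_URL = "https://www.google.com/accounts/OAuthAuthorize"
PROXY_REFERER_PARAM = "orig_referer"  # assumed parameter name


def proxy_redirect_location(client_id, referer_header):
    """Redirector side (the short URL such as http://google.samsung.com).

    Builds the Location header for the 302 to the real authorize URL,
    forwarding the Referer it received, if any, as a GET parameter.
    """
    params = {"client_id": client_id}
    if referer_header is not None:
        params[PROXY_REFERER_PARAM] = referer_header
    return AUTHORIZE_URL + "?" + urlencode(params)


def host_of(url):
    """Hostname of a URL, or '' if it has none (exact-match comparison below)."""
    return urlsplit(url).hostname or ""


def authorize_allowed(referer_header, request_url):
    """Auth-server side. Returns (allowed, reason) for an authorize request.

    referer_header: value of the incoming Referer header, or None.
    request_url:    the full authorize URL that was requested.
    """
    query = parse_qs(urlsplit(request_url).query)
    forwarded = query.get(PROXY_REFERER_PARAM, [None])[0]

    if referer_header is None:
        # Direct arrival: the user typed the long URL. A forwarded referer
        # makes no sense here, so its presence is treated as a failure.
        if forwarded is not None:
            return False, "forwarded referer present without a proxy referer"
        return True, "direct arrival with no referer"

    # Match the proxy host exactly; a substring or prefix match would let
    # an attacker-controlled host such as google.samsung.com.evil.example pass.
    if host_of(referer_header) in TRUSTED_PROXIES:
        if forwarded is None:
            return True, "via trusted proxy; proxy saw no referer"
        return False, "proxy forwarded an original referer: %s" % forwarded

    return False, "untrusted referer: %s" % referer_header


if __name__ == "__main__":
    direct = AUTHORIZE_URL + "?client_id=1238979"
    print(authorize_allowed(None, direct))
    print(authorize_allowed("http://google.samsung.com", direct))
    # A user who clicked a link on some page, then hit the short URL:
    via_click = proxy_redirect_location("1238979", "http://evil.example/")
    print(authorize_allowed("http://google.samsung.com", via_click))
    print(authorize_allowed("http://evil.example/", direct))
```

Because Referer is supplied by the client and is often stripped by browsers and proxies, this check can only reject the cases it sees; it cannot prove the user typed the URL, and it is no substitute for the consent screen itself.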