On Tue, Jul 13, 2010 at 9:40 PM, William Mills <wmi...@yahoo-inc.com> wrote:
> That's even worse I think, it's a harder problem.

Revoking previously issued refresh tokens is pretty easy. Revoking the corresponding access tokens is hard in general, but in some environments is feasible.

> Why do we want to revoke previously issued tokens here?

The threat model is an attacker who somehow grabs a verification code from a user on the fly, then races to be the first one to exchange the verification code with the authorization server. The idea is to make sure that if there is a race, the attacker always loses eventually. This is sort of a remote scenario, though. In practice, if verification codes leak, we're going to have trouble keeping the protocol secure.

> It closes one door but opens a DOS attack.

What's the DOS attack?

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
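The revoke-on-replay behaviour discussed in this message (later written into RFC 6749, section 4.1.2, as "deny the request and SHOULD revoke all tokens previously issued based on that authorization code") is sketched below as an added example; it is not code from the thread or from any IETF implementation. The in-memory `AuthorizationServer`, the `public-client` client id and the `simulate_race` scenario are all constructed for illustration. The server records every token set descended from a code, including pairs minted by refresh, so that a second presentation of the same code can revoke the whole lineage, which is the "feasible in some environments" case: a stateful server that can look tokens up.

```python
"""Authorization-server sketch: deny a replayed authorization code and revoke
every token that descends from it.  Added example with constructed state; not
code from the mailing-list thread."""
import secrets
from dataclasses import dataclass, field


@dataclass
class TokenSet:
    access_token: str
    refresh_token: str
    origin_code: str          # authorization code this grant descends from
    revoked: bool = False


@dataclass
class CodeRecord:
    client_id: str
    redeemed: bool = False
    descendants: list = field(default_factory=list)   # every TokenSet born from this code


class AuthorizationServer:
    """Hypothetical in-memory AS that tracks codes and the tokens derived from them."""

    def __init__(self):
        self._codes = {}    # code string -> CodeRecord
        self._tokens = {}   # access or refresh token string -> TokenSet

    def issue_code(self, client_id):
        code = secrets.token_urlsafe(24)
        self._codes[code] = CodeRecord(client_id)
        return code

    def _mint(self, origin_code):
        # Every token set is linked back to the code it came from, so a later
        # replay of that code can find and revoke it.
        ts = TokenSet(secrets.token_urlsafe(32), secrets.token_urlsafe(32), origin_code)
        self._codes[origin_code].descendants.append(ts)
        self._tokens[ts.access_token] = ts
        self._tokens[ts.refresh_token] = ts
        return ts

    def exchange_code(self, code, client_id):
        """Token endpoint, grant_type=authorization_code.  Returns a TokenSet or
        None (the equivalent of an invalid_grant error)."""
        rec = self._codes.get(code)
        if rec is None or rec.client_id != client_id:
            return None                      # unknown code or wrong client: plain invalid_grant
        if rec.redeemed:
            # Replay: someone already exchanged this code.  Whoever won that
            # race may be the attacker, so every token descended from the
            # code is revoked; the second presenter gets nothing either.
            for ts in rec.descendants:
                ts.revoked = True
            return None
        rec.redeemed = True
        return self._mint(code)

    def refresh(self, refresh_token):
        """grant_type=refresh_token with rotation: the old pair is retired and
        the new pair stays tied to the original code."""
        ts = self._tokens.get(refresh_token)
        if ts is None or ts.revoked or refresh_token != ts.refresh_token:
            return None
        ts.revoked = True
        return self._mint(ts.origin_code)

    def is_valid(self, access_token):
        """Resource-server side check of an access token."""
        ts = self._tokens.get(access_token)
        return ts is not None and not ts.revoked and access_token == ts.access_token


def simulate_race(attacker_first):
    """Constructed scenario from the thread: an attacker who captured the code
    races the legitimate client to the token endpoint.  Both present the same
    client id, as a public client would.  Returns who holds a live access
    token once both exchanges have happened."""
    srv = AuthorizationServer()
    code = srv.issue_code("public-client")
    order = ["attacker", "victim"] if attacker_first else ["victim", "attacker"]
    outcome = {}
    for who in order:
        outcome[who] = srv.exchange_code(code, "public-client")
    return {who: (ts is not None and srv.is_valid(ts.access_token))
            for who, ts in outcome.items()}


if __name__ == "__main__":
    print("attacker exchanges first:", simulate_race(True))
    print("victim exchanges first:  ", simulate_race(False))
```

Whichever party wins the race, the second exchange of the code revokes the winner's tokens, so the attacker never ends up holding a live token; that is the "attacker always loses eventually" property. The same run also shows the cost of the rule: the legitimate client is left without tokens as well and has to restart the authorization flow, and a code that was only mis-sent (wrong client id) is rejected without triggering revocation, so a stray request cannot by itself wipe out a valid session.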