--- On Tue, 1/4/11, Torsten Lodderstedt <tors...@lodderstedt.net> wrote:

> the attack you described sounds very similar to session
> fixation attacks. TLS (more specifically server
> authentication) is one way to cope with spoofing in general
> (supposing the client has a reasonable CA policy). So it
> should do in this case, too.

Yes, TLS is the solution for both variants of the attack.

> Validation of the redirect_uri associated with a particular
> authorization code on the token endpoint is another way to
> detect/prevent such an attack. Suppose the attacker has to
> inject the tapped authorization code into the client
> application during a second authorization flow. If the
> client uses different redirect_uris for every flow, the
> attempt to inject the code can be detected.

This I don't understand. The redirect_uri is always the same...

Francisco
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth