Eran,

> The only consequence is compromising the *client*
> login/authentication security. I'm not trying to play it
> down, but we need to be clear. This is not a compromise of
> the protected resources or authorization server.
We are definitely talking about a compromise of the protected resources. The attacker can access the protected resources through the client. And George Fletcher described an attack variant where the attacker does that without logging in as the user.

Francisco
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth