I'm getting confused. This thread is about native apps. So why discuss
security considerations for web apps here?
regards,
Torsten.
On 01.06.2011 09:00, Brian Eaton wrote:
> On Tue, May 31, 2011 at 11:47 PM, Kris Selden<kris.sel...@gmail.com> wrote:
>> If a provider chooses to do that though, in the attack you described, they
>> could still revoke the refresh token to stop the abuse when it is discovered,
>> and that is still easier in my opinion than rotating a client secret but yes,
>> allowing that does make the client secret pointless for refreshing tokens.
>
> The attack I am describing is against a web server, so what you are
> saying is not true.
>
> We should talk about installed apps (no real client secret)
> differently than we talk about web servers. They are different
> problems.
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth