Hi Pedro,

On 10.10.2012 16:25, Pedro Felix wrote:
1) Out-of-band code transmission

Currently Google OAuth2 implementation uses the special "urn:ietf:wg:oauth:2.0:oob" to signal the Authorization Endpoint to return an HTML page with the code, instead of a redirect. At first sight, it seems a good idea, however it isn't in the OAuth 2 RFC.
  a) What is the reason for the absence in the spec?
  b) Is there any security problem associated with this usage?

2) Alternative "redirect_uri" schemes

I'm also considering the use of alternative schemes on the "redirect_uri". For instance, a client app could use the "mailto:" scheme to instruct the Authorization Endpoint to send the code via email. I know that a naive implementation can be subject to fixation attacks, however
  a) Weren't these scenarios considered by the working group?
  b) Is there a major security flaw on this usage?

What address should the authorization server send an e-mail to and how would the app acquire this code?

regards,
Torsten.

Thanks
Pedro
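To make the fixation concern in the thread concrete, here is an added example (not from the thread, and not Google's or any server's real code) of how an authorization server can resolve the requested redirect_uri so that only values registered for the client, the "urn:ietf:wg:oauth:2.0:oob" marker included, are honoured; the client ids and URIs are constructed.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit

# The out-of-band marker named in the thread: code is rendered in a page, no redirect.
OOB_URN = "urn:ietf:wg:oauth:2.0:oob"

# Constructed sample registrations (hypothetical clients, not real ones).
CLIENTS = {
    "web-app":    {"redirect_uris": ["https://app.example.com/cb"]},
    "native-app": {"redirect_uris": [OOB_URN, "https://app.example.com/cb"]},
}


class RedirectError(ValueError):
    """Raised when the requested redirect_uri must not be honoured."""


def resolve_redirect(client_id: str, requested: Optional[str]) -> Tuple[str, Optional[str]]:
    """Return ("oob", None) or ("redirect", uri) for an authorization request.

    Rule: honour only a value registered for this client, compared by exact
    string equality. A value that appears only in the request (a mailto:
    address, another host, an extra path segment) is refused, so the party
    sending the request cannot steer where the code is delivered.
    """
    client = CLIENTS.get(client_id)
    if client is None:
        raise RedirectError("unknown client")
    registered = client["redirect_uris"]

    if requested is None:
        # Omitting redirect_uri is only unambiguous when exactly one is registered.
        if len(registered) != 1:
            raise RedirectError("redirect_uri required: client has several registered")
        requested = registered[0]

    if requested not in registered:  # exact match, no prefix or substring logic
        raise RedirectError("redirect_uri not registered for this client")

    if requested == OOB_URN:
        return ("oob", None)

    # Registered or not, only https URIs without a fragment are redirected to.
    parts = urlsplit(requested)
    if parts.scheme != "https" or parts.fragment:
        raise RedirectError("only https redirect URIs without a fragment are honoured")
    return ("redirect", requested)
```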



_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
