> Hi Pedro,
> 
> On 10.10.2012 16:25, Pedro Felix wrote:
>> 1) Out-of-band code transmission
>> 
>> Currently Google OAuth2 implementation uses the special 
>> "urn:ietf:wg:oauth:2.0:oob" to signal the Authorization Endpoint to return 
>> an HTML page with the code, instead of a redirect. At first sight, it seems 
>> a good idea, however it isn't in the OAuth 2 RFC. 
>>   a) What is the reason for the absence in the spec? 
>>   b) Is there any security problem associated with this usage?
>> 
>> 2) Alternative "redirect_uri" schemes
>> 
>> I'm also considering the use of alternative schemes on the "redirect_uri". 
>> For instance, a client app could use the "mailto:" scheme to instruct the 
>> Authorization Endpoint to send the code via email. I know that a naive 
>> implementation can be subject to fixation attacks, however
>>   a) Weren't these scenarios considered by the working group? 
>>   b) Is there a major security flaw in this usage?
> 
> What address should the authorization server send an e-mail to and how would 
> the app acquire this code?
> 
> regards,
> Torsten.
The email address would be in the redirect_uri; the code would be inserted into 
the client app explicitly by the user, after receiving it.

Thanks
Pedro


>> 
>> Thanks
>> Pedro
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
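Editor's added example, not code from Google, from the OAuth working group or from either poster: a small authorization-server dispatch routine showing the three redirect_uri styles discussed in this thread side by side (an ordinary https redirect, the out-of-band value "urn:ietf:wg:oauth:2.0:oob" that returns the code in a page, and the proposed "mailto:" delivery). The client registry, the client IDs and the addresses are constructed for the example. The point it makes is the one behind Pedro's "naive implementation" remark: whatever the scheme, the server should only ever deliver a code to a redirect_uri that the client pre-registered and that matches exactly, never to a value taken from the request alone, otherwise a request-supplied mailto: address becomes a way to have codes mailed to an attacker.

```python
"""Added example (not from the original thread): how an authorization
server could dispatch an authorization code for the three redirect_uri
styles discussed on the list. The client registry below is constructed
for illustration."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlencode, urlsplit

# Special value Google's implementation uses for out-of-band delivery.
OOB_URI = "urn:ietf:wg:oauth:2.0:oob"

# Constructed client registry (assumption for the example): every client
# pre-registers the exact redirect_uri values it is allowed to use.
REGISTERED_REDIRECT_URIS = {
    "web-client": {"https://app.example/cb"},
    "native-client": {OOB_URI},
    "mail-client": {"mailto:user@example.net"},
}


@dataclass
class Delivery:
    method: str              # "redirect", "page" or "email"
    target: str              # Location header, page body or recipient
    state: Optional[str] = None


def validate_redirect_uri(client_id: str, requested: str) -> str:
    """Exact-string match against the registered set.

    Prefix or substring matching, or accepting an unregistered value
    because its scheme "looks harmless", is what lets an attacker steer
    the code to a place of their choosing (the fixation problem)."""
    allowed = REGISTERED_REDIRECT_URIS.get(client_id, set())
    if requested not in allowed:
        raise ValueError("redirect_uri not registered for this client")
    return requested


def deliver_code(client_id: str, redirect_uri: str, code: str,
                 state: Optional[str] = None) -> Delivery:
    """Decide how the freshly issued code reaches the client."""
    uri = validate_redirect_uri(client_id, redirect_uri)

    if uri == OOB_URI:
        # Out-of-band: no redirect; the endpoint renders a page containing
        # the code and the user copies it into the client by hand.
        return Delivery("page", f"Your authorization code is: {code}", state)

    scheme = urlsplit(uri).scheme
    if scheme == "mailto":
        # Hypothetical mailto: delivery as proposed in the thread. The
        # recipient comes from the registered value, not from the request;
        # the code would be sent in the mail body and typed in by the user.
        recipient = uri[len("mailto:"):]
        return Delivery("email", recipient, state)

    if scheme == "https":
        # Ordinary RFC 6749 front-channel redirect with code (and state)
        # appended to the registered URI.
        query = {"code": code}
        if state is not None:
            query["state"] = state
        return Delivery("redirect", f"{uri}?{urlencode(query)}", state)

    raise ValueError(f"unsupported redirect_uri scheme: {scheme}")


if __name__ == "__main__":
    print(deliver_code("web-client", "https://app.example/cb", "c0de", "s1"))
    print(deliver_code("native-client", OOB_URI, "c0de"))
    print(deliver_code("mail-client", "mailto:user@example.net", "c0de"))
    try:
        # Request-supplied address for a client that registered https only.
        deliver_code("web-client", "mailto:attacker@example.org", "c0de")
    except ValueError as err:
        print("rejected:", err)
```

Note that exact matching is the only thing standing between the three delivery methods and code fixation: the mailto: branch is no more dangerous than the https branch as long as the address is bound to the client at registration time rather than chosen per request.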