So you assume to use resource owner's address? Regards, Torsten.
Pedro Felix <pmhsfe...@gmail.com> schrieb: > > >> Hi Pedro, >> >> Am 10.10.2012 16:25, schrieb Pedro Felix: >>> 1) Out-of-band code transmission >>> >>> Currently Google OAuth2 implementation uses the special >"urn:ietf:wg:oauth:2.0:oob" to signal the Authorization Endpoint to >return an HTML page with the code, instead of a redirect. At first >sight, it seems a good idea, however it isn't in the OAuth 2 RFC. >>> a) What is the reason for the absence in the spec? >>> b) Is there any security problem associated with this usage? >>> >>> 2) Alternative "redirect_uri" schemes >>> >>> I'm also considering the use of alternative schemes on the >"redirect_uri". For instance, a client app could use the "mailto:"; >scheme to instruct the Authorization Endpoint to send the code via >email. I know that a naive implementation can be subject to fixation >attacks, however >>> a) Weren't these scenarios considered by the working group? >>> b) Is there a major security flaw on this usage? >> >> What address should the authorization server send an e-mail to and >how would the app acquire this code? >> >> regards, >> Torsten. >The email address would be in the redirect_uri; the code would be >inserted into the client app explicitly by the user, after receiving >it. > >Thanks >Pedro > > >>> >>> Thanks >>> Pedro >>> >>> >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >>
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
