On Mar 1, 2013, at 4:00 PM, prateek mishra wrote:
Yup, use of confidential clients and full checking of redirect URIs
would mitigate these attacks.
I think there is an issue of providing guidance to
developers/deployers, about making secure choices, that needs to be
addressed someplace. A test suite
would also be a good complement to a document.
Do you mean having a TCK for OAuth 2.0?
Yes, that is the general direction I was thinking of but in a language
independent format.
An example is the XACML 2.0 conformance suite:
https://www.oasis-open.org/committees/download.php/14846/xacml2.0-ct-v.0.4.zip
Of course, testing AS and RS would involve network exchanges, so it
would be a bit more involved...
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
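The two technical points raised in the thread, strict redirect URI checking on the authorization server and a language-independent conformance suite driving it, can be shown together. The following is an added example, not code from the thread or from any IETF work product; the client registration, the case table and all function names are constructed for illustration, and a real suite would keep the cases in an external JSON or XML file rather than a Python list.

```python
from urllib.parse import urlsplit

# Constructed registration record for a hypothetical confidential client.
REGISTERED_REDIRECT_URIS = ["https://client.example/cb"]


def strict_redirect_match(requested: str, registered=REGISTERED_REDIRECT_URIS) -> bool:
    """Accept only a redirect_uri that is byte-for-byte equal to one the
    client registered. RFC 6749 section 3.1.2 requires an absolute URI with
    no fragment, and section 3.1.2.3 calls for simple string comparison."""
    parts = urlsplit(requested)
    if not parts.scheme or not parts.netloc:   # must be an absolute URI
        return False
    if parts.fragment:                          # fragment component is forbidden
        return False
    return requested in registered


def prefix_redirect_match(requested: str, registered=REGISTERED_REDIRECT_URIS) -> bool:
    """The weaker check some deployments use: any URI that merely starts with
    a registered value passes. Included only as the counter-example."""
    return any(requested.startswith(r) for r in registered)


# Rows a language-independent conformance file would carry, constructed here
# inline. Each case is a redirect_uri and the verdict a conforming AS must give.
CONFORMANCE_CASES = [
    {"id": "exact-match",           "redirect_uri": "https://client.example/cb",        "expect": True},
    {"id": "fragment",              "redirect_uri": "https://client.example/cb#state",  "expect": False},
    {"id": "relative-path-segment", "redirect_uri": "https://client.example/cb/../x",   "expect": False},
    {"id": "path-suffix",           "redirect_uri": "https://client.example/cb.other",  "expect": False},
    {"id": "scheme-downgrade",      "redirect_uri": "http://client.example/cb",         "expect": False},
]


def run_conformance(checker, cases=CONFORMANCE_CASES) -> list:
    """Run every case through the checker under test and return the ids of
    the cases whose verdict differs from the expected one (empty = conforms)."""
    return [c["id"] for c in cases if checker(c["redirect_uri"]) != c["expect"]]


if __name__ == "__main__":
    print("strict check failures:", run_conformance(strict_redirect_match))
    print("prefix check failures:", run_conformance(prefix_redirect_match))
```

Because the cases are plain data, the same table can be fed to an AS over the network (submit each redirect_uri in an authorization request and observe whether it is rejected) without tying the suite to the server's implementation language, which is the direction the thread suggests.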