Marius, did you have an alternative to suggest for this?
Not that it has to be in the spec, but it would be nice to have a best practice
for this as it's a common case.
> On Fri, Jan 28, 2011 at 10:25 AM, Eran Hammer-Lahav wrote:
> > -12 3.1.1:
> >
> > The redirection URI MUST be an absol
Huilan,
In the context of the OAuth protocol, can you describe how an innocent
user can cause the right context and state to be established, and why a
DDoS attacker can't accomplish the same, without making assumptions about
additional security measures that are not mandated or recommended by the
The title of the message might have been misleading ('cause it had 12
in it) but http://www.ietf.org/mail-archive/web/oauth/current/msg05551.html
applies to -13 and, while it's minor, I'd like to see it addressed in
future drafts. Thanks.
On Fri, Mar 4, 2011 at 1:13 PM, Eran Hammer-Lahav wrote:
Ready to go.
EHL
> -Original Message-
> From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf
> Of Hannes Tschofenig
> Sent: Tuesday, March 01, 2011 11:32 PM
> To: OAuth WG
> Subject: [OAUTH-WG] WGLC on draft-ietf-oauth-v2-13.txt
>
> This is a Last Call for comments on
>
Eric,
I'm confused. I didn't talk about an attacker impersonating Rob. At any rate,
inasmuch as we are back to square one, I would maintain that receipt of an
authorization code by the client alone is not sufficient for causing it to
issue an access token request to the authorization server. T