Re: [OAUTH-WG] Auth Code Swap Attack

2011-08-22 Thread Eran Hammer-Lahav
That's what we are saying. Not sure what exactly you are arguing against now. EHL From: Anthony Nadalin [mailto:tony...@microsoft.com] Sent: Monday, August 22, 2011 2:59 PM To: Eran Hammer-Lahav; Phil Hunt Cc: OAuth WG (oauth@ietf.org) Subject: RE: [OAUTH-WG] Auth Code Swap Attack Concern here i

Re: [OAUTH-WG] Auth Code Swap Attack

2011-08-22 Thread Anthony Nadalin
Concern here is we have a protocol that is open to attacks, we need to document a way that developers can safely implement, leaving it up to the developer may not be the best way unless they know what they are doing, so more in favor of recommending the use of state and if the developer can do

Re: [OAUTH-WG] Auth Code Swap Attack

2011-08-22 Thread Eran Hammer-Lahav
Sounds like a good compromise. I will play with the text Bill proposed and follow up with new text on the list. EHL From: Phil Hunt mailto:phil.h...@oracle.com>> Date: Mon, 22 Aug 2011 08:57:54 -0700 To: Eran Hammer-lahav mailto:e...@hueniverse.com>> Cc: "record...@gmail.com

Re: [OAUTH-WG] OMA Liaison Has Arrived! scope-v

2011-08-22 Thread Barry Leiba
> +1 for James's feedback here.  We need to solve this. I have opened an issue in the tracker on this: http://trac.tools.ietf.org/wg/oauth/trac/ticket/26 I intend to add the following to the response to this item: "The working group understands that client code needs to know whether to use and dec

[OAUTH-WG] [oauth] #26: scope-v percent-encoding

2011-08-22 Thread oauth issue tracker
#26: scope-v percent-encoding See discussion thread beginning here: http://www.ietf.org/mail-archive/web/oauth/current/msg07310.html This was triggered by the OMA liaison statement, and the WG response to it. << A client app receiving a scope value in an "WWW-Authenticate: Bearer scope=..."

Re: [OAUTH-WG] Auth Code Swap Attack

2011-08-22 Thread Phil Hunt
Eran, to summarize, 1. The server cannot tell if the client did its job - so the server can't "require" the client to implement state 2. There are many ways to enforce CSRF There is an important "network" effect here (and in general with OAuth) - that client decisions affect the security of th
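The mitigation Anthony Nadalin argues for (recommending `state`) and the client-side enforcement Phil Hunt describes can be made concrete. The following is an added example written for this page, not code from the thread or from any OAuth implementation discussed in it: a minimal client that binds the authorization response to the browser session with an unguessable `state`, beside the same client with `state` disabled. The endpoint URLs, `client_id`, session ids and code values are assumed placeholders. With `use_state=False` the client accepts whatever `code` is delivered to the victim's session; with `state` enabled, a callback whose `state` does not match the value stored for that session is rejected, and a matching value is consumed so it cannot be replayed.

```python
"""Binding an OAuth 2.0 authorization response to the user-agent session
with the `state` parameter.  Added illustration, not code from the
OAUTH-WG thread; all names, URLs and codes below are assumed placeholders."""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHZ_ENDPOINT = "https://as.example/authorize"  # assumed authorization server
REDIRECT_URI = "https://client.example/cb"       # assumed client callback URI


class OAuthClient:
    """Minimal client front end.  `sessions` maps a browser session id to
    per-session data; in a real deployment this is the server-side session."""

    def __init__(self, client_id, use_state=True):
        self.client_id = client_id
        self.use_state = use_state
        self.sessions = {}

    def start_login(self, session_id):
        """Build the authorization request for this browser session.  With
        use_state, a fresh unguessable value is stored in the session and
        sent as `state`."""
        params = {
            "response_type": "code",
            "client_id": self.client_id,
            "redirect_uri": REDIRECT_URI,
        }
        sess = self.sessions.setdefault(session_id, {})
        if self.use_state:
            state = secrets.token_urlsafe(32)
            sess["oauth_state"] = state
            params["state"] = state
        return AUTHZ_ENDPOINT + "?" + urlencode(params)

    def handle_callback(self, session_id, callback_url):
        """Process the redirect back to REDIRECT_URI.  Returns the code to
        exchange at the token endpoint, or None if the response is not
        bound to this session."""
        query = parse_qs(urlsplit(callback_url).query)
        code = query.get("code", [None])[0]
        if code is None:
            return None
        if not self.use_state:
            return code  # accepts any code delivered to this session
        sess = self.sessions.get(session_id, {})
        expected = sess.pop("oauth_state", None)  # single use: never replayable
        received = query.get("state", [None])[0]
        if expected is None or received is None:
            return None
        if not hmac.compare_digest(expected, received):  # constant-time compare
            return None
        return code


def swapped_code_delivered(use_state):
    """Victim starts a login; a callback carrying a code the attacker obtained
    for their own account (and, with state, a guessed state value) is then
    delivered to the victim's session.  Returns what the client would
    exchange, or None if it refused."""
    client = OAuthClient("client123", use_state=use_state)
    client.start_login("victim-session")
    attacker_params = {"code": "ATTACKER_CODE"}  # constructed sample value
    if use_state:
        attacker_params["state"] = "guessed"      # attacker cannot read the real one
    forged = REDIRECT_URI + "?" + urlencode(attacker_params)
    return client.handle_callback("victim-session", forged)


def legitimate_flow():
    """The honest path: the state the client issued comes back unchanged.
    Returns (code accepted on first use, result of replaying the same callback)."""
    client = OAuthClient("client123")
    url = client.start_login("s1")
    state = parse_qs(urlsplit(url).query)["state"][0]
    cb = REDIRECT_URI + "?" + urlencode({"code": "GOOD_CODE", "state": state})
    first = client.handle_callback("s1", cb)
    replay = client.handle_callback("s1", cb)
    return first, replay


if __name__ == "__main__":
    print("without state:", swapped_code_delivered(False))  # attacker's code accepted
    print("with state:   ", swapped_code_delivered(True))   # None: rejected
    print("legitimate:   ", legitimate_flow())             # ('GOOD_CODE', None)
```

Note that, as Phil Hunt's first point says, nothing here is visible to the authorization server: it echoes `state` back verbatim and cannot tell whether the client compared it. The check lives entirely in the client, which is why the thread turns on what the specification should recommend to client developers rather than what the server can require.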