accidentally misuse insecurely.
>
> --
> James Manger
>
>
> From: Nat Sakimura [mailto:n-sakim...@nri.co.jp]
> Sent: Thursday, 28 January 2016 3:02 PM
> To: Manger, James ; oauth@ietf.org
> Subject: RE: [OAUTH-WG] oauth-meta: turi allows user to mislead app
>
>
That feel
much harder for apps or servers to accidentally misuse insecurely.
--
James Manger

From: Nat Sakimura [mailto:n-sakim...@nri.co.jp]
Sent: Thursday, 28 January 2016 3:02 PM
To: Manger, James ; oauth@ietf.org
Subject: RE: [OAUTH-WG] oauth-meta: turi allows user to mislead app

Hi James,

Right.

From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Manger, James
Sent: Thursday, January 28, 2016 11:38 AM
To: oauth@ietf.org
Subject: [OAUTH-WG] oauth-meta: turi allows user to mislead app

The OAuth-Meta draft returns the token endpoint
(in a "turi" query parameter) when redirecting a user from the authorization
endpoint back to an app. The app presumably then POSTs the "code" (also in the
redirect) to "turi" to get an access token. However, apps typically send their
client_secr