Howard,

As far as I can tell this article is complete FUD.

What it is saying is that someone could use the redirect URL part of the OAuth 2.0 cycle to redirect you to some place else. This is the same thing as opening any phishing site. If you open a website, click for example "Login with Facebook" and click OK for all the permission requests, you're giving away that information to the site. There is no real limit to what it can do with that info. If the "Login with Facebook" (or any other OAuth 2.0 button) has been tampered or fiddled with by someone with bad intentions so that it redirects to some evil site and steals your info, this is not a flaw in OAuth 2.0, this is how the web works.

The thing is that people will give their access to their personal information freely without thinking about the consequences. Next time some site is asking for access to all your profile information, plus your friends, plus your contacts, plus everything, you should think: why does this site need this information?! People often just click "Allow" without thinking.

This was all solved by Mozilla with the Persona login system that shared no information besides attesting that someone was really someone. Unfortunately, and probably because it would not allow profile information to go through and was minimal and federated, it never saw strong adoption, to the point where it's in community maintenance mode. I still use it every day to log into Mozilla properties such as our Bugzilla.

Cheers

On Mon, May 5, 2014 at 8:49 PM, Howard Bornstein <bornst...@designeq.com> wrote:
> And of course, there's this:
>
> http://lifehacker.com/security-flaw-found-in-oauth-and-openid-heres-what-it-1570872265
>
> On Mon, May 5, 2014 at 2:00 PM, Dar Scott <d...@swcp.com> wrote:
>
> > I’ve created an OAuth 1 in the past for Evernote all in LiveCode plus the favorite browser. So, it can be done, but I won’t say it is not hard.
> >
> > I did run into some OAuth 2 problems with a kiosk that connected to ConstantContact and used an alternate security. Those problems were related to the kiosk environment and the management console. In that one, I ended up using an alternative scheme.
> >
> > Dar Scott
> > Controls, Libraries and Externals
> >
> > On May 5, 2014, at 9:21 AM, Andre Garzia <an...@andregarzia.com> wrote:
> >
> > > OAuth 1.0 and 1.0a suck! Horrible specs and hard to implement. On the other hand OAuth 2.0 is quite easy to implement. I've done that for Facebook Lib. Does the API you need have an OAuth 2.0 endpoint?
> > >
> > > On Mon, May 5, 2014 at 9:36 AM, Monk in Exile <david.bov...@gmail.com> wrote:
> > >
> > > > Any updates on this - I've got a bunch of stuff that needs oAuth in various flavours.
> > > >
> > > > On 1 February 2014 04:36, Phil Davis <rev...@pdslabs.net> wrote:
> > > >
> > > > > Hi Geoff,
> > > > >
> > > > > I'm currently working on a Vimeo code lib that includes Vimeo's OAuth 1.0a implementation to the extent it's needed for logging in and using parts of their Advanced API. ( https://developer.vimeo.com/apis/advanced )
> > > > >
> > > > > I know Andre had hopes of creating a more generalized OAuth lib in the past, but I don't know if he plans to finish it. That's everything I know about the subject.
> > > > >
> > > > > Phil Davis
> > > > >
> > > > > On 1/31/14, 7:14 PM, Geoff Canyon wrote:
> > > > >
> > > > > > I see references online to various efforts toward this, but I don't see any actual working code. Am I missing it?
> > > > > >
> > > > > > _______________________________________________
> > > > > > use-livecode mailing list
> > > > > > use-livecode@lists.runrev.com
> > > > > > Please visit this url to subscribe, unsubscribe and manage your subscription preferences:
> > > > > > http://lists.runrev.com/mailman/listinfo/use-livecode
> > > > >
> > > > > --
> > > > > Phil Davis
> > >
> > > --
> > > http://www.andregarzia.com -- All We Do Is Code.
> > > http://fon.nu -- minimalist url shortening service.
>
> --
> Regards,
>
> Howard Bornstein
> -----------------------
> www.designeq.com

--
http://www.andregarzia.com -- All We Do Is Code.
http://fon.nu -- minimalist url shortening service.
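An added illustration of the redirect-URL point discussed in the thread (this is constructed example code, not from the thread or from any LiveCode library): a loose "same origin" comparison of redirect_uri lets a token land on any open redirector on the client's site, while exact matching against fully registered URIs does not; the client must also bind the callback to its session via state. The client id, hostnames and state values are made up.

```python
import hmac
from urllib.parse import urlsplit

# Constructed client registry: every redirect_uri is registered in full
# (scheme, host, path and query), not as a bare domain or prefix.
REGISTERED_REDIRECTS = {
    "demo-client": frozenset({"https://app.example.com/oauth/callback"}),
}


def loose_redirect_check(client_id, redirect_uri):
    """Weak policy: accept any URI on the registered client's origin.
    Any open redirector on that origin then forwards the code or token elsewhere."""
    allowed = REGISTERED_REDIRECTS.get(client_id, frozenset())
    req = urlsplit(redirect_uri)
    return any(
        (req.scheme, req.hostname, req.port) == (r.scheme, r.hostname, r.port)
        for r in map(urlsplit, allowed)
    )


def strict_redirect_check(client_id, redirect_uri):
    """Recommended policy: the whole string must equal a registered value.
    A path or query the client never registered is rejected outright."""
    allowed = REGISTERED_REDIRECTS.get(client_id, frozenset())
    return redirect_uri in allowed


def authorization_server_accepts(client_id, redirect_uri, strict=True):
    """Authorization-endpoint gate, evaluated before any consent screen is shown.
    On failure the server must show an error page rather than redirect anywhere,
    since redirecting to an unverified URI would itself be an open redirect."""
    check = strict_redirect_check if strict else loose_redirect_check
    return client_id in REGISTERED_REDIRECTS and check(client_id, redirect_uri)


def client_callback_ok(callback_params, expected_state):
    """Client side: the state echoed back must equal the unguessable value the
    client stored in this browser session when it started the flow, so a
    response injected into a session that never asked for it is dropped."""
    got = callback_params.get("state", "")
    return bool(expected_state) and hmac.compare_digest(got, expected_state)
```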