On Thu, Apr 23, 2009 at 5:57 PM, Dossy Shiobara <do...@panoptic.com> wrote:
> Alice (attacker) and Bob (victim).

<snip concise explanation of attack>

The current version of the protocol is susceptible to a very similar
attack for web applications, which is why people are so upset and
working on a fix.

For desktop apps, it's hard to do better, and even once we have a fix
for web apps it's likely that people will keep using OAuth 1.0 for
some desktop apps.  There are a few options.

1) Keep using OAuth 1.0.
   SPs can tell users that they are authorizing an application on
their desktop.  There is some risk of social engineering as you
describe, but hopefully the language on service provider pages
mentioning desktop applications will help.

2) Callback token displayed on page.
   SPs can display a callback token, which the user will manually
enter into their desktop application.  This is not a good user
experience, but provides better security than option 1.

3) Callback token sent to desktop app.
   There are a bunch of ways to get a callback token to a desktop app
automatically, most of them mentioned earlier in this thread.

You received this message because you are subscribed to the Google Groups 
"OAuth" group.
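Option 2 from the message above, as an added example that is not from this thread or from any OAuth library: a hypothetical service-provider model that binds a callback token (what OAuth 1.0a later called oauth_verifier) to the request token at authorization time and refuses the access-token exchange without it. Class and method names are made up for illustration; signatures, consumer keys and HTTP are left out.

```python
import hmac
import secrets


class ServiceProvider:
    """Hypothetical, minimal SP model for the callback-token variant (option 2).

    Only the request-token bookkeeping needed to show the check is modelled.
    """

    def __init__(self):
        # request token -> {"token_secret", "callback_token"}
        self._request_tokens = {}

    def issue_request_token(self):
        """Step 1: the desktop app obtains an unauthorized request token."""
        token = secrets.token_urlsafe(12)
        self._request_tokens[token] = {
            "token_secret": secrets.token_urlsafe(24),
            "callback_token": None,
        }
        return token

    def user_authorizes(self, token):
        """Step 2: the user approves the request token in their browser.

        The SP mints a short callback token, stores it against this request
        token, and shows it on the page for the user to type into the app.
        """
        record = self._request_tokens[token]
        record["callback_token"] = secrets.token_hex(4)  # 8 hex chars, one-time
        return record["callback_token"]

    def exchange_for_access_token(self, token, callback_token):
        """Step 3: the desktop app trades the request token for an access token.

        Succeeds only if the request token was authorized and the presented
        callback token matches the one shown to the authorizing user; the
        request token is consumed on success so it cannot be exchanged twice.
        """
        record = self._request_tokens.get(token)
        if record is None or record["callback_token"] is None:
            return None  # unknown token, or the user has not authorized it yet
        if not hmac.compare_digest(record["callback_token"], callback_token):
            return None  # authorized, but not by whoever holds this value
        del self._request_tokens[token]
        return secrets.token_urlsafe(12)


if __name__ == "__main__":
    sp = ServiceProvider()
    rt = sp.issue_request_token()
    shown = sp.user_authorizes(rt)  # user reads this off the SP's page
    print("access token:", sp.exchange_for_access_token(rt, shown))
```

An exchange attempted before the user has authorized, or with a value other than the one displayed, returns None; a second exchange with the right value also fails because the request token has been consumed.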