On Thu, Apr 23, 2009 at 5:57 PM, Dossy Shiobara <do...@panoptic.com> wrote:
> Alice (attacker) and Bob (victim).
<snip concise explanation of attack>

The current version of the protocol is susceptible to a very similar attack for web applications, which is why people are so upset and working on a fix. For desktop apps, it's hard to do better, and even once we have a fix for web apps it's likely that people will keep using OAuth 1.0 for some desktop apps.

There are a few options.

1) Keep using OAuth 1.0. SPs can tell users that they are authorizing an application on their desktop. There is some risk of social engineering as you describe, but hopefully the language on service provider pages mentioning desktop applications will help.

2) Callback token displayed on page. SPs can display a callback token, which the user will manually enter into their desktop application. This is not a good user experience, but provides better security than option 1.

3) Callback token sent to desktop app. There are a bunch of ways to get a callback token to a desktop app automatically, most of them mentioned earlier in this thread.
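The following is an added example, not code from this thread or from the OAuth specification: a small Python simulation of the service-provider side of the three options above. It models the request-token, authorize and access-token steps in memory, and shows why a callback token (what OAuth 1.0 Revision A later standardised as `oauth_verifier`) closes the gap that option 1 leaves open: once the SP requires the token at exchange time, only the party the user actually handed it to (by typing it in, option 2, or via an automatic channel, option 3) can turn the authorized request token into an access token. The `ServiceProvider` class, the token formats and the dictionary store are assumptions of this example.

```python
"""Service-provider-side simulation of the OAuth 1.0 token exchange with and
without a callback (verifier) token.  Added example for the list discussion;
not the thread's or the spec's code.  All tokens are constructed at run time
and the token store is an in-memory dict (assumption for illustration)."""
import hmac
import secrets


class ServiceProvider:
    def __init__(self, require_verifier: bool):
        # require_verifier=False models option 1 (plain OAuth 1.0);
        # require_verifier=True models options 2 and 3.
        self.require_verifier = require_verifier
        # request token -> {"consumer", "user", "verifier"}
        self._request_tokens = {}
        # access token -> user it acts for
        self._access_tokens = {}

    def issue_request_token(self, consumer_key: str) -> str:
        """Step 1: a consumer (the desktop app) asks for a request token."""
        token = secrets.token_hex(8)
        self._request_tokens[token] = {
            "consumer": consumer_key, "user": None, "verifier": None}
        return token

    def authorize(self, token: str, user: str):
        """Step 2: the user approves the request token on the SP's page.
        Returns the callback token the SP shows the user (option 2) or sends
        to the desktop app (option 3); None when verifiers are not in use."""
        rec = self._request_tokens[token]
        rec["user"] = user
        if self.require_verifier:
            rec["verifier"] = secrets.token_hex(4)
        return rec["verifier"]

    def exchange(self, consumer_key: str, token: str, verifier=None):
        """Step 3: swap an authorized request token for an access token.
        Returns None when the request is rejected."""
        rec = self._request_tokens.get(token)
        # Unknown token, wrong consumer, or not yet authorized by a user.
        if rec is None or rec["consumer"] != consumer_key or rec["user"] is None:
            return None
        # Options 2/3: the caller must present the callback token the user
        # received; compare in constant time.
        if self.require_verifier:
            if verifier is None or not hmac.compare_digest(verifier, rec["verifier"]):
                return None
        del self._request_tokens[token]  # request tokens are single use
        access = secrets.token_hex(8)
        self._access_tokens[access] = rec["user"]
        return access

    def user_for(self, access_token: str):
        return self._access_tokens.get(access_token)


def simulate(require_verifier: bool):
    """Runs one authorized request token through two exchange attempts:
    first by a holder of the request token who never received the callback
    token, then by the user's own desktop app, which did.  Returns a pair of
    booleans saying whether each attempt obtained an access token."""
    sp = ServiceProvider(require_verifier)
    token = sp.issue_request_token("desktop-app")
    callback_token = sp.authorize(token, user="bob")
    without_callback = sp.exchange("desktop-app", token, verifier=None)
    with_callback = sp.exchange("desktop-app", token, verifier=callback_token)
    return without_callback is not None, with_callback is not None


if __name__ == "__main__":
    # Option 1: whoever holds the request token wins the race -> (True, False)
    print("OAuth 1.0, no callback token:  ", simulate(False))
    # Options 2/3: only the holder of the callback token succeeds -> (False, True)
    print("With callback token required:  ", simulate(True))
```

The `simulate` call with `require_verifier=False` reproduces the option-1 weakness the thread is discussing: the request token alone is enough, so the first party to present it after the user's approval gets the access token and the user's own app is then refused because the token has been consumed. With `require_verifier=True` the order no longer matters; the exchange without the callback token is rejected and the token stays available for the app that has it.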