Manish,

The callback matters when you combine it with the use of single use
tokens.  If an attacker can change the callback he can prevent the
honest application from asking for the token upgrade first and locking
him out.  The callback gives the attacker a way to know the precise
moment that the authentication has been granted and the token exchange
can be made.

Make sense?

Josh



On Apr 24, 12:43 am, Manish Pandit <pandit.man...@gmail.com> wrote:
> On Apr 23, 11:04 pm, Josh Fraser <joshf...@gmail.com> wrote:
>
> > Leah,
>
> > > *
> > > 2. No callback request parameter
> > > *
>
> > What if we make the callback optional?  Consumers can either:
>
> >  a) leave it out altogether in which case the registered callback will
> > be used, or
> >  b) include it, in which case it must be included in the signature
>
> I am still not sure what role the callback is playing in this (maybe
> I'm too slow). Per my understanding, even if there was no callback
> from the provider to the consumer, this vector would work anyway. The
> identity provider has linked the request token with an identity upon
> the user's post login confirmation, and any request coming in to
> exchange that request token for an access token should be honored as
> long as request token does not time out. This timeout too can be at 2
> levels. For instance - T1 = request token issued, T2 = request token
> associated with an identity, T3 = request token used to an access
> token. So the 2 timeouts can be T2-T1 and T3-T2.
>
> Like the folks on earlier posts noted, the timeout does not fix the
> issue but reduces the window of vulnerability. I am out of ideas for
> now though :(
>
> -cheers,
> Manish
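To make the two proposals in this thread concrete, here is a provider-side sketch, added as an illustration and not code from either poster or from any OAuth library. It models the request-token lifecycle with the two timeouts Manish describes (T2-T1 between issuance and the user's authorization, T3-T2 between authorization and the exchange), makes the exchange single-use as Josh suggests, and fixes the callback at issuance time: either the per-request `oauth_callback` (assumed here to be covered by the consumer's signature, per the "must be included in the signature" option) or, when omitted, the consumer's registered callback. The `Provider`, `RequestToken` and `run_scenario` names, the window lengths, the consumer keys and the callback URLs are all constructed for the example.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Assumed window lengths (seconds) for the two timeouts in the thread:
# T2 - T1 (issued -> authorized) and T3 - T2 (authorized -> exchanged).
AUTHORIZE_WINDOW = 300.0
EXCHANGE_WINDOW = 60.0


class TokenError(Exception):
    """Raised when a request token is missing, expired, or already used."""


@dataclass
class RequestToken:
    token: str
    consumer_key: str
    callback: str                          # bound when the token is issued
    issued_at: float                       # T1
    authorized_at: Optional[float] = None  # T2, set after the user confirms
    user_id: Optional[str] = None
    exchanged: bool = False                # single use: flips on the first successful exchange


class Provider:
    """Provider-side request-token store with both timeouts and single-use exchange."""

    def __init__(self, registered_callbacks: Dict[str, str],
                 authorize_window: float = AUTHORIZE_WINDOW,
                 exchange_window: float = EXCHANGE_WINDOW):
        self._registered = dict(registered_callbacks)  # consumer_key -> registered callback URL
        self._tokens: Dict[str, RequestToken] = {}
        self._authorize_window = authorize_window
        self._exchange_window = exchange_window

    def issue_request_token(self, consumer_key: str, oauth_callback: Optional[str] = None,
                            now: Optional[float] = None) -> RequestToken:
        """T1. The callback is fixed here: the signed per-request oauth_callback if the
        consumer sent one, otherwise the consumer's registered callback."""
        if consumer_key not in self._registered:
            raise TokenError("unknown consumer")
        callback = oauth_callback or self._registered[consumer_key]
        rt = RequestToken(token=secrets.token_urlsafe(16), consumer_key=consumer_key,
                          callback=callback, issued_at=now if now is not None else time.time())
        self._tokens[rt.token] = rt
        return rt

    def authorize(self, token: str, user_id: str, now: Optional[float] = None) -> str:
        """T2. The user has logged in and confirmed; returns the bound callback the provider
        redirects the browser to. Enforces T2 - T1 <= authorize_window."""
        rt = self._tokens.get(token)
        now = now if now is not None else time.time()
        if rt is None or rt.authorized_at is not None:
            raise TokenError("unknown or already authorized token")
        if now - rt.issued_at > self._authorize_window:
            raise TokenError("request token expired before authorization")
        rt.authorized_at, rt.user_id = now, user_id
        return rt.callback

    def exchange(self, token: str, consumer_key: str, now: Optional[float] = None) -> str:
        """T3. Exchange for an access token exactly once; enforces T3 - T2 <= exchange_window."""
        rt = self._tokens.get(token)
        now = now if now is not None else time.time()
        if rt is None or rt.consumer_key != consumer_key or rt.authorized_at is None:
            raise TokenError("token not authorized for this consumer")
        if rt.exchanged:
            raise TokenError("request token already exchanged")  # whoever comes second is locked out
        if now - rt.authorized_at > self._exchange_window:
            raise TokenError("request token expired before exchange")
        rt.exchanged = True
        return "access-" + secrets.token_urlsafe(16)


def run_scenario() -> Dict[str, object]:
    """Walk one token through T1 -> T2 -> T3 with constructed timestamps, then record what a
    second exchange of the same token and an over-age exchange produce."""
    provider = Provider({"consumer-A": "https://consumer-a.example/cb"})
    rt = provider.issue_request_token("consumer-A", now=1000.0)        # T1
    redirect_to = provider.authorize(rt.token, "alice", now=1100.0)     # T2, 100 s later (within 300)
    access = provider.exchange(rt.token, "consumer-A", now=1105.0)      # T3, 5 s later (within 60)
    try:
        provider.exchange(rt.token, "consumer-A", now=1106.0)           # second use of the same token
        second = "granted"
    except TokenError as e:
        second = str(e)
    stale = provider.issue_request_token("consumer-A", now=2000.0)
    provider.authorize(stale.token, "alice", now=2010.0)
    try:
        provider.exchange(stale.token, "consumer-A", now=2010.0 + EXCHANGE_WINDOW + 1)
        late = "granted"
    except TokenError as e:
        late = str(e)
    return {"redirect_to": redirect_to, "access_prefix": access[:7], "second": second, "late": late}
```

The `now` parameters exist only so the scenario is deterministic; a real provider would use the clock. The point the scenario makes is the one from the thread: the timeouts shrink the T2-T3 window but do not close it, while single use means the first party to exchange after authorization gets the access token and every later attempt is refused, which is why the bound callback (and thus who learns of the authorization first) matters.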