On Sun, Apr 26, 2009 at 11:14 AM, Dossy Shiobara <do...@panoptic.com> wrote:
>> Open questions:
>>
>> 1. Am I missing a completely different alternative? If yes, please
>> create a new wiki page and point to it (if you don't have access ask
>> or email it to someone who does).
>
> Requiring SP to authenticate user _before_ the request token request,
> returning an identity token to the consumer which is then required as
> part of the request token request. This way, an attacker can't generate
> a request token that can be authorized by another user.
My initial reaction to this proposal is that the "identity token" is essentially the same as the callback token moved to an earlier step in the protocol. It's probably not insecure, but it adds at least one additional round trip from browser to service provider.

If I've misunderstood, would you mind describing this in a bit more detail so we know exactly what we're commenting on? Something with roughly the same level of detail as in https://oauth.pbwiki.com/Signed-Callback-URLs would be good.

There are also a number of questions that we should ask about any new protocol. They are included in this doc: https://oauth.pbwiki.com/OAuth-Session-Fixation-Advisory. Can you start filling out that checklist for your proposed protocol so we are doing an apples-to-apples comparison?
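The identity-token binding in the quoted proposal, as an added toy model that is not code from the thread or from any OAuth implementation; the `ServiceProvider` class, its method names, the single-use rule for identity tokens and the user labels are all assumptions made for illustration:

```python
"""Toy model of the 'identity token' proposal: the service provider (SP)
authenticates the user *before* the request-token request and binds the
request token to that user, so a token minted in one user's context can
never be approved by a different user at the authorization step.
Added illustration; all names and the single-use policy are assumptions."""
import secrets


class ServiceProvider:
    def __init__(self):
        self._identity = {}  # identity token -> authenticated user
        self._request = {}   # request token -> binding record

    def authenticate_user(self, user):
        """New first step: user logs in at the SP, which returns an
        identity token the consumer must present when asking for a
        request token."""
        tok = secrets.token_hex(16)
        self._identity[tok] = user
        return tok

    def request_token(self, consumer, identity_token):
        """Request-token endpoint: refuses without a valid identity token
        and records which user the new request token belongs to."""
        user = self._identity.pop(identity_token, None)  # single use (assumed)
        if user is None:
            raise PermissionError("unknown or already-used identity token")
        tok = secrets.token_hex(16)
        self._request[tok] = {"user": user, "consumer": consumer,
                              "authorized": False}
        return tok

    def authorize(self, request_token, user):
        """Authorization step: only the user bound at request time may
        approve the token; anyone else is rejected."""
        rec = self._request.get(request_token)
        if rec is None or rec["user"] != user:
            return False
        rec["authorized"] = True
        return True


def cross_user_authorization_rejected():
    """Request token obtained in one user's session, then presented for
    approval by another user: the binding makes the SP refuse it, while
    the original user can still approve their own token."""
    sp = ServiceProvider()
    ident = sp.authenticate_user("user-a")
    rt = sp.request_token("consumer.example", ident)
    return sp.authorize(rt, "user-b"), sp.authorize(rt, "user-a")
```

Note that this models only the binding itself; the extra browser-to-SP round trip the reply points out is the `authenticate_user` step happening before the consumer ever contacts the request-token endpoint.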