On Mon, Apr 27, 2009 at 3:29 AM, Peter Keane <pjke...@gmail.com> wrote: >> b) that's what the unpredictable callback token is for. > > Does that demonstrate it is the same user? I believe it makes it > highly likely, but not "verifyable" (in standard authentication terms. > Nothing is 100% verifyable).
It's the union of a)+b) that makes it possible to demonstrate that it's the same user under reasonable assumptions for "reasonable assumptions" i mean conditions which would void the whole protocol security if false e.g. that the attacker is not able to intercept the user's communication with the SP or the Consumer or that the user doesn't fall for a phishing attack on the Consumer or the SP ... > The wiki page states 6.8: "The Service Provider MUST check that the > OAuth verifier was originally issued for the OAuth consumer key and > request token." But in the described exploit, the attacker has both > the consumer key AND request token. but if the attacker is not able to change the callback then it's not possible for the attacker to grab the callback token (i.e. the "OAuth verifier") which is necessary to complete the authorization exchange at the consumer. > I would note -- a requirement that the SP keeps a store of the > unpredictable callback token (assuming user identifier is mixed in) > and checks it before granting the access token DOES make this > "verifyably" the same user. this is exactly what step 6.8 means: to be able to "check that the OAuth verifier was originally issued for the OAuth consumer key and request token" the SP will need to store it alongside the request token (N.B. step 6 "Obtaining an Access Token" is executed by the Consumer). Luca --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "OAuth" group. To post to this group, send email to oauth@googlegroups.com To unsubscribe from this group, send email to oauth+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/oauth?hl=en -~----------~----~----~----~------~----~------~--~---
