On Mon, Apr 27, 2009 at 1:11 AM, Luca Mearelli <luca.meare...@gmail.com> wrote:
>
> On Mon, Apr 27, 2009 at 3:29 AM, Peter Keane <pjke...@gmail.com> wrote:
>>> b) that's what the unpredictable callback token is for.
>>
>> Does that demonstrate it is the same user? I believe it makes it
>> highly likely, but not "verifiable" (in standard authentication terms;
>> nothing is 100% verifiable).
>
> It's the union of a)+b) that makes it possible to demonstrate that
> it's the same user under reasonable assumptions.
You are certainly correct on this. My concern (perhaps unfounded) is that a couple of weeks ago we said that same thing about OAuth 1.0. I cannot imagine an exploit that would work, but I suspect one might be formulated (i.e., it's theoretically possible).

> for "reasonable assumptions" I mean conditions which would void the
> whole protocol security if false, e.g. that the attacker is not able to
> intercept the user's communication with the SP or the Consumer, or that
> the user doesn't fall for a phishing attack on the Consumer or the SP
> ...
>
>> The wiki page states 6.8: "The Service Provider MUST check that the
>> OAuth verifier was originally issued for the OAuth consumer key and
>> request token." But in the described exploit, the attacker has both
>> the consumer key AND request token.
>
> but if the attacker is not able to change the callback then it's not
> possible for the attacker to grab the callback token (i.e. the "OAuth
> verifier") which is necessary to complete the authorization exchange
> at the consumer.
>
>> I would note -- a requirement that the SP keeps a store of the
>> unpredictable callback token (assuming user identifier is mixed in)
>> and checks it before granting the access token DOES make this
>> "verifiably" the same user.
>
> this is exactly what step 6.8 means: to be able to "check that the
> OAuth verifier was originally issued for the OAuth consumer key and
> request token" the SP will need to store it alongside the request
> token (N.B. step 6 "Obtaining an Access Token" is executed by the
> Consumer).

Sorry -- yes, that was a mistake on my part.

> Luca

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "OAuth" group.
To post to this group, send email to oauth@googlegroups.com
To unsubscribe from this group, send email to oauth+unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/oauth?hl=en
-~----------~----~----~----~------~----~------~--~---
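The point Luca and Peter settle on is the service-provider side of the "6.8" check: the SP mints the unpredictable verifier when the user authorizes the request token, stores it alongside that token (and the approving user), and refuses to issue an access token unless the consumer presents the verifier that was issued for exactly that consumer key and request token. The following is an added example written for this thread, not code from the thread, from the OAuth wiki, or from any OAuth library. It is a toy in-memory model of that check; the class and method names (`ServiceProvider`, `issue_request_token`, `authorize`, `exchange_access_token`), the consumer keys and callback URLs are all constructed for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class RequestTokenRecord:
    """What the SP keeps per request token (constructed for this example)."""
    consumer_key: str                     # consumer the token was issued to
    callback: str                         # callback registered when the token was issued
    authorized_by: Optional[str] = None   # user who approved the token
    verifier: Optional[str] = None        # unpredictable callback token, minted at authorization
    exchanged: bool = False               # set once an access token has been granted


class ServiceProvider:
    """Toy SP state for the request-token -> verifier -> access-token flow."""

    def __init__(self) -> None:
        self.request_tokens: Dict[str, RequestTokenRecord] = {}
        # access token -> (consumer_key, user); constructed in-memory store
        self.access_tokens: Dict[str, Tuple[str, str]] = {}

    def issue_request_token(self, consumer_key: str, callback: str) -> str:
        """Unauthorized request token, bound to the consumer and its callback."""
        token = secrets.token_urlsafe(16)
        self.request_tokens[token] = RequestTokenRecord(consumer_key, callback)
        return token

    def authorize(self, request_token: str, user: str) -> Tuple[str, str]:
        """User authorization: the SP mints the verifier and stores it with the
        request token and the approving user, then returns the callback it
        stored at issuance so the user is sent back to that consumer only."""
        rec = self.request_tokens[request_token]
        if rec.verifier is not None:
            raise PermissionError("request token already authorized")
        rec.verifier = secrets.token_urlsafe(16)
        rec.authorized_by = user
        return rec.callback, rec.verifier

    def exchange_access_token(self, consumer_key: str, request_token: str,
                              verifier: str) -> str:
        """Access token exchange with the check quoted in the thread: the
        verifier must be the one issued for this consumer key and request
        token, and the request token is consumed on success."""
        rec = self.request_tokens.get(request_token)
        if rec is None or rec.exchanged:
            raise PermissionError("unknown or already-exchanged request token")
        if rec.consumer_key != consumer_key:
            raise PermissionError("request token was not issued to this consumer")
        if rec.verifier is None or not hmac.compare_digest(rec.verifier, verifier):
            raise PermissionError("verifier not issued for this consumer key and request token")
        rec.exchanged = True
        access = secrets.token_urlsafe(16)
        self.access_tokens[access] = (consumer_key, rec.authorized_by or "")
        return access


def demo() -> Tuple[str, bool, bool]:
    """Happy path plus two rejected exchanges. Returns (user bound to the
    access token, wrong verifier rejected?, replay of the verifier rejected?)."""
    sp = ServiceProvider()
    rt = sp.issue_request_token("consumer-A", "https://consumer-a.example/callback")
    _callback, verifier = sp.authorize(rt, "alice")

    wrong_rejected = False
    try:
        sp.exchange_access_token("consumer-A", rt, "not-the-issued-verifier")
    except PermissionError:
        wrong_rejected = True

    at = sp.exchange_access_token("consumer-A", rt, verifier)

    replay_rejected = False
    try:
        sp.exchange_access_token("consumer-A", rt, verifier)
    except PermissionError:
        replay_rejected = True

    return sp.access_tokens[at][1], wrong_rejected, replay_rejected


if __name__ == "__main__":
    print(demo())
```

Two design points follow Luca's reading of the step: the verifier is never derived from anything the consumer sent, it is looked up from the SP's own record keyed by the request token, so the comparison is against what the SP issued rather than what the caller claims; and the record stores the user who authorized, so the access token ends up bound to that user without the consumer ever being trusted to assert who the user is.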