On 4/28/09 12:33 AM, Josh Roesslein wrote:
> Couldn't we verify the user on the consumer-side during the callback URL
> redirect (user returning from SP after authorization)?
> This callback URL has two pieces of data:
> - Callback secret: generated by SP after user authorizes consumer
> - Request token: publicly known, so could be forged by attacker
If and only if the callback URL is protected from tampering. Since we cannot guarantee the consumer secret and request token secret to be ... well, secret ... there's no way to guarantee in ALL cases that the callback URL will be protected from tampering.

-- 
Dossy Shiobara | do...@panoptic.com | http://dossy.org/
Panoptic Computer Network | http://panoptic.com/