On Tue, Apr 28, 2009 at 4:32 PM, Dossy Shiobara <do...@panoptic.com> wrote:
>
> On 4/28/09 8:41 AM, Hubert Le Van Gong wrote:
>> I also saw 2 additional ideas that might help
>> (and are not necessarily exclusive with the 2 proposals):
>>
>> (3) Make Request tokens one-time only
>> (4) Request that the user logs in at the Consumer before the request
>> token request
>
> Requiring the user authenticate to the Consumer doesn't prevent the
> attack, as the attacker is a legitimate user of Consumer in the attack
> scenario.
>
> What I keep proposing is that the user must authenticate at the
> _Provider_ before the request token request. This would completely
> eliminate the attack in the scenario.
>
> And yes, making request tokens one-time only is a MUST, IMHO.
>
Ah yes, that's what I meant: the user authenticates at the Provider before the token request is issued - sorry, getting old :)

Sounds like a valid option to me. Is the reason for *discarding* this solution the fact that it's an additional roundtrip in the flow (or, put another way, that it's too big a change to the current protocol)?

Cheers,
Hubert
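As an added illustration (not code from this thread or from any OAuth library), here is a minimal Provider-side request-token store in Python that enforces the two mitigations discussed above: a request token is only issued to a user who is already authenticated at the Provider and is bound to that user, and the token is invalidated after a single exchange. The `Provider` and `RequestToken` names, the consumer key and the user names are all assumed for the example.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class RequestToken:
    consumer_key: str
    issued_to: str  # user authenticated at the Provider when the token was issued
    authorized_by: Optional[str] = None
    consumed: bool = False  # set on exchange; the token is then dead for good


class Provider:
    """Hypothetical Provider-side token store (illustration, not a real OAuth library)."""

    def __init__(self) -> None:
        self._tokens: Dict[str, RequestToken] = {}

    def issue_request_token(self, consumer_key: str, session_user: Optional[str]) -> str:
        # Dossy's variant of (4): no authenticated Provider session, no request token.
        if session_user is None:
            raise PermissionError("request token requires an authenticated Provider session")
        token = secrets.token_urlsafe(24)
        self._tokens[token] = RequestToken(consumer_key, session_user)
        return token

    def authorize(self, token: str, session_user: str) -> None:
        rt = self._tokens.get(token)
        if rt is None or rt.consumed:
            raise PermissionError("unknown or already-used request token")
        if rt.issued_to != session_user:  # bound to the user it was issued to
            raise PermissionError("request token was issued to a different user")
        rt.authorized_by = session_user

    def exchange(self, token: str, consumer_key: str) -> str:
        rt = self._tokens.get(token)
        if rt is None or rt.consumed or rt.authorized_by is None or rt.consumer_key != consumer_key:
            raise PermissionError("request token is not exchangeable")
        rt.consumed = True  # (3) one-time only: no second exchange, no re-authorization
        return secrets.token_urlsafe(24)


def refused(fn, *args) -> bool:
    """True if the Provider rejected the call (helper for exercising the checks)."""
    try:
        fn(*args)
    except PermissionError:
        return True
    return False
```

Walking the flow with constructed users "alice" and "bob" and consumer key "consumer-a" shows each check firing: issuance without a Provider session, authorization by a user other than the one the token was issued to, exchange by a different consumer, and any reuse after the single exchange are all refused.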