On Tue, Apr 28, 2009 at 1:12 PM, Brian Eaton <bea...@google.com> wrote:
> > For apps that can't receive callback URLs, you need a PIN.

Yes, we will need to manually pass the callback secret to the application (aka the PIN). I think the solution of signed callbacks with a callback secret adequately closes the security hole while not drastically changing the protocol or the user experience. In fact, the user won't even be aware of any of these changes unless the application requires the transfer of the PIN (the callback secret). Before, all they had to do was notify the application.

This solution is quick to implement and can be deployed in a timely manner to close this session fixation flaw. We can continue working on a future spec that changes the flow some more or adds additional security, but for now we should focus on the current security threat. Tackle one issue at a time.
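An added illustration of the callback-secret idea discussed above, written for this page and not code from the thread or any OAuth library: the server binds a fresh secret to a request token when the user authorizes it, that secret reaches the consumer only through the user's own session (callback or typed PIN), and an access-token exchange without it is refused. Token formats, method names and the single-consumer model are assumptions; the "signed callback" half of the proposal is not modelled.

```python
# Illustrative model of the callback-secret (PIN) defence against OAuth
# request-token session fixation. Not the thread's own code; token formats
# and method names are assumptions made for this example.
import hmac
import secrets


class OAuthServer:
    def __init__(self):
        # request_token -> {"consumer", "authorized", "callback_secret"}
        self.request_tokens = {}

    def issue_request_token(self, consumer_key):
        token = secrets.token_hex(8)
        self.request_tokens[token] = {"consumer": consumer_key,
                                      "authorized": False,
                                      "callback_secret": None}
        return token

    def authorize(self, request_token):
        """User approves the request token. The returned callback secret is
        carried back to the consumer by the user's browser, or shown as a PIN
        for the user to type in; it is never handed to whoever started the flow."""
        rec = self.request_tokens[request_token]
        rec["authorized"] = True
        rec["callback_secret"] = secrets.token_hex(8)
        return rec["callback_secret"]

    def exchange_for_access_token(self, consumer_key, request_token, callback_secret):
        rec = self.request_tokens.get(request_token)
        if rec is None or rec["consumer"] != consumer_key or not rec["authorized"]:
            return None
        # Constant-time compare so a guessed secret cannot be probed byte by byte.
        if callback_secret is None or not hmac.compare_digest(rec["callback_secret"],
                                                              callback_secret):
            return None
        del self.request_tokens[request_token]  # one-shot: no replay of the request token
        return "access-" + secrets.token_hex(8)


def session_fixation_blocked():
    """Attacker starts the flow and lures the victim into authorizing the
    attacker's request token. The secret goes only to the victim's session,
    so the attacker's exchange (no secret) fails while the victim's succeeds."""
    server = OAuthServer()
    token = server.issue_request_token("consumer-app")
    secret = server.authorize(token)  # victim authorizes
    attacker_result = server.exchange_for_access_token("consumer-app", token, None)
    legit_result = server.exchange_for_access_token("consumer-app", token, secret)
    return attacker_result is None and legit_result is not None
```

The check works only because the secret leaves the server solely via the authorizing user's session and the request token is consumed on first successful exchange.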