I agree. "The Request Token has never been exchanged for an Access
Token." isn't explicitly saying one-time only token, but I believe
that is what was intended. Clarifying this line would be sufficient, as
would requiring that the Service Provider log the User out after any
request token attempt. This forces the User to log in to the Service
Provider to start the process of requesting access all over.

On Apr 28, 3:13 pm, Leah Culver <leah.cul...@gmail.com> wrote:
> Actually, I think it's a pretty small change to the spec.
>
> In section 6.3.2 Service Provider Grants an Access Token 
> (http://oauth.net/core/1.0/#auth_step3), it says:
>
> The Service Provider MUST ensure that:
>
>    - The request signature has been successfully verified.
>    - The Request Token has never been exchanged for an Access Token.
>    - The Request Token matches the Consumer Key.
>
> ...
> If the request fails verification or is rejected for other reasons, the
> Service Provider SHOULD respond with the appropriate response code as
> defined in HTTP Response Codes <http://oauth.net/core/1.0/#http_codes>.
>
> Perhaps an updated version could say something like (changes in red):
>
>  The Service Provider MUST ensure that:
>
>    - The request signature has been successfully verified.
>    - The Request Token has never been exchanged for an Access Token.
>    - There have been no prior attempts to exchange this Request Token for an
>    Access Token.
>    - The Request Token matches the Consumer Key.
>
> ...
> If the request fails verification or is rejected for other reasons, the
> Service Provider SHOULD invalidate or delete the request token and respond
> with the appropriate response code as defined in HTTP Response Codes
> <http://oauth.net/core/1.0/#http_codes>.
>
> On Tue, Apr 28, 2009 at 3:02 PM, Leah Culver <leah.cul...@gmail.com> wrote:
>
> > Hmm... I feel like this has been lost in all the hubbub about
> > callbacks.
>
> > I strongly advocate saying something in the spec about making the
> > token exchange (access token endpoint) one-time use only.
>
> > By one-time only, I mean that the first time there is an attempt to
> > exchange a request token for an access token, if the request token has
> > not been authorized, then that request token should be marked as
> > invalid. This will make a session fixation attack nearly impossible
> > without a callback.
>
> > If a service provider allows multiple attempts to exchange the request
> > token, a callback is not even necessary for the attack to work! The
> > attacker must only keep trying to exchange the token.
>
> > I know it's up to the service provider to implement one-time only
> > token exchange, but putting it in the documentation (and libraries)
> > will make it much easier for service providers to do the right thing.
>
> > Am I missing the discussion about this? Is it on the wiki and I just
> > can't find it? Or is everyone in agreement that this should be added
> > to the docs?
>
> > Thanks,
> > Leah
>
>
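The one-time exchange rule proposed in the quoted messages, as an added example that is not part of this thread, the OAuth 1.0 specification text, or any library: a minimal in-memory Service Provider that issues request tokens, records User authorization, and runs the access token endpoint checks from section 6.3.2 with the proposed addition that any rejected exchange attempt invalidates the request token. Token generation uses Python's `secrets` module; signature verification is outside the scope of the example and is represented by a `signature_verified` flag (an assumption), and the `ServiceProvider`, `RequestToken`, `State` and `exchange_rejected` names are invented here.

```python
"""Added example: one-time-use request token exchange for an OAuth 1.0
Service Provider. Not code from the OAuth spec, the mailing list, or any
library; the class and function names are invented for this illustration."""
import secrets
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    ISSUED = "issued"          # handed to the Consumer, not yet approved by the User
    AUTHORIZED = "authorized"  # User approved it at the Service Provider (section 6.2)
    EXCHANGED = "exchanged"    # already traded for an Access Token
    INVALID = "invalid"        # a rejected exchange attempt killed it permanently


@dataclass
class RequestToken:
    consumer_key: str
    state: State = State.ISSUED


class ExchangeError(Exception):
    """The access token endpoint MUST refuse the request (an HTTP 401 in practice)."""


@dataclass
class ServiceProvider:
    request_tokens: dict = field(default_factory=dict)
    access_tokens: dict = field(default_factory=dict)

    def issue_request_token(self, consumer_key: str) -> str:
        """Section 6.1: bind a fresh, unguessable request token to the Consumer Key."""
        token = secrets.token_hex(16)
        self.request_tokens[token] = RequestToken(consumer_key)
        return token

    def authorize(self, token: str) -> bool:
        """Section 6.2: the User approves the token. A token that was already
        invalidated by a premature exchange attempt cannot be revived, which is
        what stops the fixation attack: the victim's later approval does the
        attacker no good."""
        rt = self.request_tokens.get(token)
        if rt is None or rt.state is not State.ISSUED:
            return False
        rt.state = State.AUTHORIZED
        return True

    def exchange(self, token: str, consumer_key: str, signature_verified: bool) -> str:
        """Section 6.3.2 checks plus the proposed rule: any failure invalidates
        the request token, so the endpoint can be tried at most once per token.
        `signature_verified` stands in for real signature checking (assumption)."""
        rt = self.request_tokens.get(token)
        if rt is None:
            raise ExchangeError("unknown request token")
        try:
            if not signature_verified:
                raise ExchangeError("request signature not verified")
            if rt.consumer_key != consumer_key:
                raise ExchangeError("request token does not match consumer key")
            if rt.state is State.EXCHANGED:
                raise ExchangeError("request token already exchanged for an access token")
            if rt.state is not State.AUTHORIZED:
                raise ExchangeError("request token not authorized by the user (or invalidated)")
        except ExchangeError:
            # Proposed addition: rejected once means rejected forever. Without this,
            # an attacker could poll the endpoint until the victim authorizes the token.
            rt.state = State.INVALID
            raise
        rt.state = State.EXCHANGED
        access_token = secrets.token_hex(16)
        self.access_tokens[access_token] = consumer_key
        return access_token


def exchange_rejected(sp: ServiceProvider, token: str, consumer_key: str,
                      signature_verified: bool = True) -> bool:
    """True if the endpoint refuses the exchange; convenience for the scenarios below."""
    try:
        sp.exchange(token, consumer_key, signature_verified)
    except ExchangeError:
        return True
    return False


if __name__ == "__main__":
    sp = ServiceProvider()
    # Premature attempt (before the User authorizes) burns the token for good.
    t = sp.issue_request_token("consumer-A")
    print("premature exchange rejected:", exchange_rejected(sp, t, "consumer-A"))
    print("later authorization accepted:", sp.authorize(t))  # False: token is dead
    # Normal flow: authorize, exchange once, second exchange refused.
    t = sp.issue_request_token("consumer-A")
    sp.authorize(t)
    access = sp.exchange(t, "consumer-A", signature_verified=True)
    print("access token issued for:", sp.access_tokens[access])
    print("replayed exchange rejected:", exchange_rejected(sp, t, "consumer-A"))
```

The order of checks matters only for the error message; every failure path ends in `State.INVALID`, which is the property the thread is asking the spec to require. A production store would additionally expire issued tokens after a short time and persist state across server instances so the "exchanged once" check holds everywhere the endpoint is served.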