What about trying to swap a Request Token for an Access Token, but
the verifier code is wrong.

Does that invalidate the Request Token, or does it just fail and wait
for a new request with the correct verifier code?

If it doesn't invalidate the Request Token, couldn't an attacker try
all options for verifier codes? If the Request Token is requested with
an OOB callback, the verifier will usually be short so people don't have
to manually enter a long string.

Regards
Morten Fangel

On Jun 7, 2009, at 7:17 AM, Eran Hammer-Lahav wrote:

> It means that once an Access Token was given using a Request Token,  
> that Request Token must not be used again – it is invalidated.
>
> EHL
>
>
> On 6/6/09 9:45 PM, "Andrew Arnott" <andrewarn...@gmail.com> wrote:
>
> In section 6 of the OAuth spec (either 1.0 or 1.0a versions --  
> they're the same here), I see the following:
>
> Request Token:Used by the Consumer to ask the User to authorize  
> access to the Protected Resources. The User-authorized Request Token  
> is exchanged for an Access Token, MUST only be used once, and MUST  
> NOT be used for any other purpose. It is RECOMMENDED that Request  
> Tokens have a limited lifetime.
>
> I'm wondering what this "MUST only be used once" is intended to  
> limit.  Is it sufficiently compliant to say that the SP will only  
> ever give out the Access Token for a given request token once?  Or  
> does it mean that a desktop consumer app cannot keep polling the  
> server with its request token until it finally gets an access token  
> when the user finishes authorizing the request token?
>
> --
> Andrew Arnott
> "I [may] not agree with what you have to say, but I'll defend to the  
> death your right to say it." - S. G. Tallentyre
>
>
>
>
> >
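The failure mode Morten raises (a short out-of-band verifier that can be guessed if a wrong guess does not burn the Request Token) is easiest to reason about with a concrete provider-side token store. The following is an added example, not code from the thread or from any OAuth library; `RequestTokenStore`, `MAX_FAILED_EXCHANGES` and the verifier length are hypothetical choices made for illustration. It implements the single-use rule Eran describes (the token is dropped once an Access Token is issued), lets an unauthorized token be polled without consuming it, and additionally invalidates the token on the first wrong verifier so the verifier space cannot be enumerated.

```python
"""Added example (not from the mailing-list thread): a minimal OAuth 1.0a
request-token store illustrating defensive handling of the verifier exchange.
All names and policy values here are hypothetical."""
import hmac
import secrets
import time

VERIFIER_ALPHABET = "0123456789"   # short OOB verifiers are commonly digit-only
MAX_FAILED_EXCHANGES = 1           # policy: one wrong verifier burns the token


class RequestTokenStore:
    """In-memory store keyed by request token; a real provider would persist this."""

    def __init__(self, lifetime_seconds=600, verifier_len=7, clock=time.time):
        self.lifetime = lifetime_seconds   # RECOMMENDED limited lifetime
        self.verifier_len = verifier_len
        self.clock = clock                 # injectable for testing expiry
        self._tokens = {}                  # token -> state dict

    def issue(self):
        """Step 1: consumer obtains an unauthorized request token."""
        token = secrets.token_urlsafe(16)
        self._tokens[token] = {
            "created": self.clock(),
            "authorized": False,
            "verifier": None,
            "failed": 0,
        }
        return token

    def authorize(self, token):
        """Step 2: user approves at the provider; returns the OOB verifier
        the user copies back into the consumer app (None if token unusable)."""
        rec = self._live(token)
        if rec is None:
            return None
        rec["verifier"] = "".join(
            secrets.choice(VERIFIER_ALPHABET) for _ in range(self.verifier_len))
        rec["authorized"] = True
        return rec["verifier"]

    def exchange(self, token, verifier):
        """Step 3: swap request token + verifier for an access token.
        Returns (access_token_or_None, reason)."""
        rec = self._live(token)
        if rec is None:
            return None, "unknown_or_expired"
        if not rec["authorized"]:
            # Polling before the user has authorized consumes nothing.
            return None, "not_yet_authorized"
        # Constant-time compare on bytes so non-ASCII input cannot raise.
        if not hmac.compare_digest(rec["verifier"].encode(), verifier.encode()):
            rec["failed"] += 1
            if rec["failed"] >= MAX_FAILED_EXCHANGES:
                del self._tokens[token]     # wrong guess: token is gone
                return None, "invalidated"
            return None, "bad_verifier"     # reachable only if the limit is raised
        del self._tokens[token]             # MUST only be used once
        return secrets.token_urlsafe(16), "ok"

    def _live(self, token):
        """Return the record if the token exists and has not expired."""
        rec = self._tokens.get(token)
        if rec is None:
            return None
        if self.clock() - rec["created"] > self.lifetime:
            del self._tokens[token]
            return None
        return rec


def guesses_needed(alphabet=VERIFIER_ALPHABET, length=7):
    """Size of the verifier space: the budget an attacker would have if a wrong
    verifier left the request token usable. With invalidation, the budget is
    MAX_FAILED_EXCHANGES per user authorization instead."""
    return len(alphabet) ** length
```

Two points worth noting in the design: polling with an unauthorized token returns `not_yet_authorized` without touching the record, so the desktop-client pattern from Andrew's question still works, while the first wrong verifier deletes the token, so the user has to re-authorize and the attacker gets one guess per approval rather than the full `guesses_needed()` space.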

