Thanks Manish, this was helpful.

On Jun 25, 10:21 pm, Manish Pandit <pandit.man...@gmail.com> wrote:
> On Jun 25, 5:54 am, Monis <monisiq...@gmail.com> wrote:
>
> > Can anyone please respond to this?
>
> > Thanks,
> > Monis
>
> The spec does not provide details on the registration (and it should
> not). So what fields are needed by the consumer to register on an SP
> are driven by the SP and not by the spec. Yes, callback URL, or
> callback domain can be one of the fields but the spec cannot and
> should not assume that anyway. Should you choose, you may not want to
> register the URL with the consumer info, or you may store the URL and
> then verify if it is the same as the one provided during
> registration.
>
> The callback does not "eliminate" the session fixation attack per se -
> it does help to tamper-proof the callback. In other words, a hacker
> cannot change the callback and hijack the session without knowing the
> signature (it is a signed request). Also, if the callback is "oob",
> then the consumer needs to have the user enter a "verifier code"
> manually before proceeding to request an access token. This is where
> the flow changes between a real callback vs. an oob (out of band)
> callback. The session fixation attack can be fixed only when the
> consumer does not do early binding. You can search on this group as
> there has been a lot of discussion around early vs. late binding. It
> is beyond the provider's control IMO.
>
> Hope this helps!
>
> -cheers,
> Manish
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"OAuth" group.
To post to this group, send email to oauth@googlegroups.com
To unsubscribe from this group, send email to oauth+unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/oauth?hl=en
-~----------~----~----~----~------~----~------~--~---
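The checks Manish describes, as an added example that is not code from this thread or from any OAuth library: on the service-provider side, oauth_callback is one of the parameters covered by the consumer's HMAC-SHA1 signature, so it cannot be altered in transit without the consumer secret; the SP compares it with the callback recorded at registration (an SP-chosen policy, since the spec does not mandate it) or accepts "oob"; and the oauth_verifier minted when the resource owner authorizes the request token must be presented at the access-token exchange. The consumer key, secret, callback URL, endpoint URLs and nonces are constructed for the example, the registry is an in-memory dict, and nonce/timestamp replay checks are left out.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import quote

# Constructed registry: consumer key -> secret plus the callback URL registered with the SP.
CONSUMERS = {"example-consumer-key": {"secret": "example-consumer-secret",
                                      "callback": "https://consumer.example/oauth/callback"}}
REQUEST_TOKEN_URL = "https://sp.example/oauth/request_token"
ACCESS_TOKEN_URL = "https://sp.example/oauth/access_token"


def pct(value):
    """OAuth 1.0 percent-encoding: only unreserved characters are left bare."""
    return quote(str(value), safe="-._~")


def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over method & url & sorted params; oauth_callback is among the signed params."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    base = "&".join([method.upper(), pct(url), pct("&".join(f"{k}={v}" for k, v in pairs))])
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


def signed_params(params, consumer_secret, token_secret="", method="POST", url=REQUEST_TOKEN_URL):
    """Consumer side: return a copy of params carrying oauth_signature."""
    signed = dict(params)
    signed["oauth_signature"] = sign(method, url, signed, consumer_secret, token_secret)
    return signed


class ServiceProvider:
    """In-memory SP. Nonce/timestamp replay checks are deliberately left out of this example."""

    def __init__(self, consumers):
        self.consumers = consumers
        self.request_tokens = {}  # token -> {consumer, secret, callback, verifier, user}

    def _verify_signature(self, method, url, params, token_secret=""):
        consumer = self.consumers.get(params.get("oauth_consumer_key"))
        if consumer is None:
            raise PermissionError("unknown consumer")
        expected = sign(method, url, params, consumer["secret"], token_secret)
        if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
            raise PermissionError("bad signature")  # a signed field, callback included, was altered
        return consumer

    def issue_request_token(self, method, url, params):
        consumer = self._verify_signature(method, url, params)
        callback = params.get("oauth_callback")
        # SP-chosen policy, not something the spec mandates: exact match with registration, or "oob".
        if callback != "oob" and callback != consumer["callback"]:
            raise PermissionError("oauth_callback does not match registration")
        token, token_secret = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.request_tokens[token] = {"consumer": params["oauth_consumer_key"], "secret": token_secret,
                                      "callback": callback, "verifier": None, "user": None}
        return token, token_secret

    def authorize(self, token, user_id):
        """Resource owner approves the token in their browser; the SP mints the verifier here."""
        record = self.request_tokens[token]
        record["user"], record["verifier"] = user_id, secrets.token_urlsafe(12)
        if record["callback"] == "oob":
            return None  # verifier is shown to the user, who types it into the consumer by hand
        return f"{record['callback']}?oauth_token={token}&oauth_verifier={record['verifier']}"

    def exchange_for_access_token(self, method, url, params):
        record = self.request_tokens.get(params.get("oauth_token"))
        if record is None or record["verifier"] is None or record["consumer"] != params.get("oauth_consumer_key"):
            raise PermissionError("unknown, unauthorized, or foreign request token")
        self._verify_signature(method, url, params, record["secret"])
        if not hmac.compare_digest(record["verifier"], params.get("oauth_verifier", "")):
            raise PermissionError("oauth_verifier mismatch")  # caller never received the user's verifier
        del self.request_tokens[params["oauth_token"]]  # request tokens are single-use
        return {"user": record["user"], "access_token": secrets.token_urlsafe(16)}


def _rejected(call, *args):
    try:
        call(*args)
    except PermissionError:
        return True
    return False


def run_flow():
    """Run the flow once against constructed values and report which checks held."""
    sp, key, secret = ServiceProvider(CONSUMERS), "example-consumer-key", "example-consumer-secret"
    base = {"oauth_consumer_key": key, "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1246000000",
            "oauth_nonce": "constructed-nonce-1", "oauth_callback": CONSUMERS[key]["callback"]}
    token, token_secret = sp.issue_request_token("POST", REQUEST_TOKEN_URL, signed_params(base, secret))
    altered = dict(signed_params(base, secret), oauth_callback="https://elsewhere.example/cb")
    unregistered = signed_params(dict(base, oauth_callback="https://elsewhere.example/cb"), secret)
    verifier = sp.authorize(token, "alice").split("oauth_verifier=")[1]
    xbase = {"oauth_consumer_key": key, "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1246000001",
             "oauth_nonce": "constructed-nonce-2", "oauth_token": token}

    def xparams(v):
        return signed_params(dict(xbase, oauth_verifier=v), secret, token_secret, url=ACCESS_TOKEN_URL)

    wrong = _rejected(sp.exchange_for_access_token, "POST", ACCESS_TOKEN_URL, xparams("not-the-verifier"))
    granted = sp.exchange_for_access_token("POST", ACCESS_TOKEN_URL, xparams(verifier))
    return {"altered_callback_rejected": _rejected(sp.issue_request_token, "POST", REQUEST_TOKEN_URL, altered),
            "unregistered_callback_rejected": _rejected(sp.issue_request_token, "POST", REQUEST_TOKEN_URL, unregistered),
            "wrong_verifier_rejected": wrong, "user": granted["user"],
            "token_single_use": token not in sp.request_tokens}


if __name__ == "__main__":
    print(run_flow())
```

Running the module walks the flow once: a request token is issued only when the signature checks out and the callback matches registration; a callback altered after signing fails the signature check, while a consumer-signed but unregistered callback fails the registration check; at the exchange, a caller without the verifier the user's browser was redirected with is refused even though the token itself was authorized, and the token is discarded once used. The verifier is what closes the gap on the consumer side only if the consumer binds the request token to the user's session late, after the verifier arrives; the SP code above cannot force that, which is the point Manish makes about it being outside the provider's control.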