On Tue, Jun 8, 2010 at 10:40 AM, Chuck Mortimore <cmortim...@salesforce.com> wrote:
> Thanks – I get your line of reasoning now. I believe it would still help
> in preventing certain types of attack. These are especially apparent
> around immediate.
I do agree that requiring registration may be a good idea in many cases, all I am saying is that this should not be enforced. Some authz servers may want to allow unregistered clients, and that's fine. I think the current SHOULD is good enough and changing it to MUST would be going too far.

> 1) User initially grants access to example.com
> 2) User goes to an evil site
> 3) Without the user's knowledge, the malicious site issues an immediate
> user_agent flow
>
> https://authzserver.com/authorize?type=user_agent&immediate=true&client_id=<Example.com's Client ID>&redirect_uri=<Evil URL>
>
> 4) Evil site is handed an access token based upon the previous grant to
> example.com

I don't think this attack will work. If example.com was not registered, then it has no client_id, so the previous approval should be remembered for example.com's redirect_uri. Evil site needs to use its own redirect_uri, so immediate will not work.

Marius

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
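The authorization-server side of this argument, as an added example that is not code from the thread or from any OAuth implementation: an immediate=true decision that keys prior approvals by client_id for registered clients and by the redirect_uri itself for unregistered ones, so the scenario in the quoted message is refused in both the unregistered case Marius describes and the registered-client_id variant the quoted URL shows. The server class, user name, client id and URLs are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class AuthzServer:
    # Registered clients: client_id -> the single redirect_uri registered for it.
    registered: dict = field(default_factory=dict)
    # Prior approvals as (user, grant_key). The key is the client_id for a
    # registered client and the redirect_uri itself for an unregistered one,
    # so an approval can never be replayed from a different redirect_uri.
    approvals: set = field(default_factory=set)

    def grant_key(self, client_id: Optional[str], redirect_uri: str) -> Tuple[Optional[str], str]:
        """Return (key, reason); key is None when the request must be refused."""
        if client_id is None:                       # unregistered client
            return redirect_uri, "unregistered"     # its identity is its redirect_uri
        if client_id not in self.registered:
            return None, "unknown_client"
        if self.registered[client_id] != redirect_uri:
            return None, "redirect_uri_mismatch"    # known id, foreign redirect_uri
        return client_id, "registered"

    def record_approval(self, user: str, client_id: Optional[str], redirect_uri: str) -> None:
        key, _ = self.grant_key(client_id, redirect_uri)
        if key is not None:
            self.approvals.add((user, key))

    def immediate(self, user: str, client_id: Optional[str], redirect_uri: str) -> Tuple[str, str]:
        """Decide an immediate=true request: ('granted', key) or ('denied', reason)."""
        key, reason = self.grant_key(client_id, redirect_uri)
        if key is None:
            return "denied", reason
        if (user, key) not in self.approvals:
            return "denied", "no_prior_approval"    # immediate forbids prompting
        return "granted", key


def walk_through() -> dict:
    """Replay the thread's scenario; the user, client id and URLs are constructed."""
    srv = AuthzServer(registered={"example-client": "https://example.com/cb"})
    srv.record_approval("alice", None, "https://example.com/cb")             # unregistered example.com
    srv.record_approval("alice", "example-client", "https://example.com/cb")  # registered variant
    return {
        "legit_unregistered": srv.immediate("alice", None, "https://example.com/cb"),
        "evil_unregistered": srv.immediate("alice", None, "https://evil.test/cb"),
        "evil_with_example_id": srv.immediate("alice", "example-client", "https://evil.test/cb"),
        "legit_registered": srv.immediate("alice", "example-client", "https://example.com/cb"),
    }
```

Only the two requests whose redirect_uri matches the key the approval was stored under are granted; the evil redirect_uri is refused whether or not it borrows example.com's client_id.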