On 2010-06-14, at 9:41 PM, Evan Gilbert wrote:

> 
> If a response from the AS is untrusted, there are much bigger issues at 
> stake. ... or am I missing an obvious attack where random JSON would get sent 
> to the Client?
> 
> For the web server flow, you know the AS server you called and can reasonably 
> trust the data.
> 
> For the user agent flow, attackers can create a URL with data and send it to 
> you. This is OK (kind of) if the data is limited to an access token - this 
> would allow an attacker to grant you access to their protected resources, 
> which only has problems if you accidentally send protected data in an update 
> to that account. But if you have other parameters that need to be vouched for 
> by the AS, then it is insecure.

Understood. I have concerns about JSON in the user agent flow. My original JSON 
proposal was using JSON in the response for direct calls only.

-- Dick

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
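The channel distinction in the exchange above (data in a URL that anyone could have built versus JSON returned by an AS endpoint the client itself chose) is easy to get wrong in client code. The following is an added example, not code from the thread or from any OAuth implementation; the function names, the `TRUSTED_AS_HOSTS` allowlist and the sample URLs are assumptions constructed for illustration. It takes only the access token from a user-agent-flow redirect and hands every other parameter back as untrusted, while JSON from a direct call to a known AS host is parsed as a whole.

```python
"""Added example: trust OAuth response data according to how it arrived.

Assumptions (not from the thread): the client's AS hostnames are known in
advance, and the AS answers direct calls with a JSON object containing
"access_token".
"""
import json
from urllib.parse import urlparse, parse_qs

# Constructed allowlist of authorization-server hosts this client calls directly.
TRUSTED_AS_HOSTS = {"as.example"}


class UntrustedResponse(ValueError):
    """Raised when response data cannot be attributed to the AS."""


def parse_user_agent_redirect(redirect_url):
    """User-agent flow: the fragment arrives in a URL an attacker could have
    composed and sent to the client, so only the access token is taken.
    Every other parameter is returned separately as untrusted, because it
    would need the AS to vouch for it and nothing here proves the AS did."""
    fragment = urlparse(redirect_url).fragment
    params = {k: v[0] for k, v in parse_qs(fragment, keep_blank_values=True).items()}
    token = params.pop("access_token", None)
    if not token:
        raise UntrustedResponse("no access_token in redirect fragment")
    return {"access_token": token, "untrusted": params}


def parse_direct_as_response(as_endpoint, body):
    """Web-server flow: the client chose the AS endpoint it called, so the
    JSON body can reasonably be trusted. The host is still checked against
    the allowlist so a misconfigured endpoint cannot silently move the call
    to some other server."""
    if urlparse(as_endpoint).netloc not in TRUSTED_AS_HOSTS:
        raise UntrustedResponse("response did not come from a known AS host")
    try:
        data = json.loads(body)
    except json.JSONDecodeError as exc:
        raise UntrustedResponse("AS returned malformed JSON") from exc
    if not isinstance(data, dict) or "access_token" not in data:
        raise UntrustedResponse("AS response lacks access_token")
    return data


if __name__ == "__main__":
    # Constructed redirect: the token may be the sender's own, and the extra
    # parameters are exactly the kind of data the client must not rely on.
    crafted = ("https://client.example/cb#access_token=tok-from-link"
               "&user_id=42&email=victim%40example.org")
    result = parse_user_agent_redirect(crafted)
    print("usable:", result["access_token"])
    print("must not be relied on:", result["untrusted"])

    # Constructed direct AS response: same fields, but from a channel the
    # client controls, so the whole object is usable.
    direct = parse_direct_as_response(
        "https://as.example/token",
        '{"access_token": "tok-from-as", "user_id": "42"}')
    print("direct response:", direct)
```

Note that parse_user_agent_redirect does not reject a redirect carrying extra parameters; it only refuses to present them as trusted, which matches the thread's point that the token alone is tolerable while anything else needing the AS's word is not.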
