The client could just add another random string with every authorization request.
Regards, Torsten.

Sent with BlackBerry® Webmail from Telekom Deutschland

-----Original Message-----
From: Francisco Corella <fcore...@pomcor.com>
Date: Tue, 4 Jan 2011 17:26:42
To: Torsten Lodderstedt<tors...@lodderstedt.net>
Reply-To: fcore...@pomcor.com
Cc: <oauth@ietf.org>; Karen P. Lewison<kplewi...@pomcor.com>
Subject: Re: [OAUTH-WG] TLS is needed for redirecting back to the client

--- On Tue, 1/4/11, Torsten Lodderstedt <tors...@lodderstedt.net> wrote:

> the attack you described sounds very similar to session
> fixation attacks. TLS (more specifically server
> authentication) is one way to cope with spoofing in general
> (supposing the client has a reasonable CA policy). So it
> should do in this case, too.

Yes, TLS is the solution for both variants of the attack.

> Validation of the redirect_uri associated with a particular
> authorization code on the tokens endpoint is another way to
> detect/prevent such an attack. Suppose the attacker has to
> inject the tapped authorization code into the client
> application during a second authorization flow. If the
> client uses different redirect_uri's for every flow, the
> attempt to inject the code can be detected.

This I don't understand. The redirect_uri is always the same...

Francisco
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
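The mechanism the two messages above are discussing, worked through as an added example (this is illustrative code written for this page, not code from the thread or from any OAuth implementation): the client appends a fresh random string to its redirect_uri on every authorization request, the authorization server binds the issued code to that exact redirect_uri, and the token endpoint rejects a code whose bound redirect_uri differs from the one the client presents. The attacker model is the one from the thread: a code is tapped from a victim's (non-TLS) redirect and then injected into a second flow at the same client. The parameter name `flow`, the client and host names, and the rule that the random part lives only in the query string are assumptions of the example. Note the caveat that makes this safe: the server must still match scheme, host and path exactly against the registered URI and allow variation only in the query, otherwise loosening the redirect_uri check creates the open-redirect problem it is meant to avoid.

```python
"""Toy authorization-code flow: per-flow random redirect_uri lets the
token endpoint detect an injected (tapped) code.  Constructed example."""
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit


def _static_part(uri):
    """scheme://host/path of a URI, query and fragment dropped."""
    p = urlsplit(uri)
    return urlunsplit((p.scheme, p.netloc, p.path, "", ""))


def _with_query(uri, extra):
    """Return uri with the key/value pairs in `extra` added to its query."""
    p = urlsplit(uri)
    q = parse_qs(p.query)
    q.update({k: [v] for k, v in extra.items()})
    return urlunsplit((p.scheme, p.netloc, p.path, urlencode(q, doseq=True), ""))


class AuthorizationServer:
    """Authorization and token endpoints.  Each code is bound to the exact
    redirect_uri it was issued for (assumed server policy)."""

    def __init__(self, registered):
        self.registered = registered   # client_id -> registered static URI
        self.codes = {}                # code -> (client_id, redirect_uri)

    def authorize(self, client_id, redirect_uri):
        """Return the callback URL the user agent is sent back to."""
        # Exact match on scheme/host/path; only the query may vary per flow.
        if _static_part(redirect_uri) != self.registered[client_id]:
            raise ValueError("redirect_uri not registered for this client")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, redirect_uri)
        return _with_query(redirect_uri, {"code": code})

    def token(self, client_id, code, redirect_uri):
        """Single-use code; rejected if the bound redirect_uri differs."""
        bound = self.codes.pop(code, None)
        if bound != (client_id, redirect_uri):
            return None
        return "access-token-" + secrets.token_urlsafe(8)


class Client:
    """Relying client.  With per_flow_random it adds a fresh `flow` query
    parameter (assumed name) to redirect_uri on every authorization request."""

    def __init__(self, client_id, base_redirect_uri, per_flow_random):
        self.client_id = client_id
        self.base = base_redirect_uri
        self.per_flow_random = per_flow_random
        self.pending = {}              # flow id -> redirect_uri of that flow

    def start_flow(self):
        if not self.per_flow_random:
            return self.base           # the "always the same" case
        flow = secrets.token_urlsafe(16)
        uri = _with_query(self.base, {"flow": flow})
        self.pending[flow] = uri
        return uri

    def handle_callback(self, callback_url, auth_server):
        """Redeem the code from a callback; returns a token or None."""
        q = parse_qs(urlsplit(callback_url).query)
        code = q["code"][0]
        if self.per_flow_random:
            # Redeem with the exact redirect_uri this flow was started with.
            redirect_uri = self.pending.pop(q.get("flow", [None])[0], None)
            if redirect_uri is None:
                return None            # callback for a flow we never started
        else:
            redirect_uri = self.base
        return auth_server.token(self.client_id, code, redirect_uri)


def simulate(per_flow_random):
    """Return (legitimate_flow_succeeds, code_injection_succeeds)."""
    base = "https://client.example/cb"          # constructed names
    auth = AuthorizationServer({"app": base})
    client = Client("app", base, per_flow_random)

    # Flow 1: the victim authorizes; the attacker taps the redirect back and
    # learns the code (the unprotected-redirect scenario of the thread).
    victim_callback = auth.authorize("app", client.start_flow())
    tapped_code = parse_qs(urlsplit(victim_callback).query)["code"][0]

    # Flow 2: the attacker starts its own flow at the client and delivers the
    # tapped code to the client's callback for that second flow.
    forged_callback = _with_query(client.start_flow(), {"code": tapped_code})
    injection_ok = client.handle_callback(forged_callback, auth) is not None

    # A clean flow must still work in both configurations.
    legit_callback = auth.authorize("app", client.start_flow())
    legit_ok = client.handle_callback(legit_callback, auth) is not None
    return legit_ok, injection_ok
```

With a static redirect_uri, `simulate(False)` shows the injected code being accepted, because the code's bound redirect_uri and the one the client redeems with are identical; with the per-flow random string, `simulate(True)` shows the token endpoint refusing it, because the code was bound to the victim's flow URI and is presented with the attacker's. The check is only as good as the client's bookkeeping: the client has to redeem with the URI it actually started that flow with, not with whatever the callback carries.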