How shall the authorization server ensure that the calling client is a 
user-agent-based app (i.e. a native app could impersonate a user-agent-based 
app)?

In my opinion, enforcing explicit user consent is the only way to prevent this 
kind of attack.

regards,
Torsten.

> -----Original Message-----
> From: Marius Scurtescu [mailto:mscurte...@google.com]
> Sent: Wednesday, 11 May 2011 20:28
> To: Lodderstedt, Torsten
> Cc: oauth@ietf.org; Doug Tangren
> Subject: Re: [OAUTH-WG] oauth2 implicit flow user experience
> 
> On Tue, May 10, 2011 at 4:43 PM, Lodderstedt, Torsten
> <t.lodderst...@telekom.de> wrote:
> > Hi Marius,
> >
> > wrt "auto-approval": how is the authorization server supposed to
> > validate the client's identity in a reliable way? Otherwise another
> > application (using the id of the legitimate client) could abuse the
> > authorization previously approved by the user as long as the session
> > with the authorization server is valid. The redirect_uri won't help for
> > all kinds of clients since a native app could use the correct
> > redirect_uri and nevertheless get access to the token.
> 
> The only validation is based on the redirect URI. Native apps should
> not use the implicit flow, and in general there is no need for
> auto-approval for them.
> 
> Marius
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
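The decision the thread is arguing about, modelled as an added example (this is not code from the thread, from the IETF OAuth working group, or from any named implementation). It models an authorization endpoint receiving an implicit-flow request (response_type=token): the only client validation available is the redirect_uri match, which RFC 6749 section 3.1.2.3 requires to be an exact string comparison, and a native app that presents the registered client_id and the registered redirect_uri is indistinguishable from the legitimate user-agent-based app. The auto-approval policy encoded here is the one Torsten argues for (never reuse a prior grant silently when the client cannot be authenticated), extended to the code flow with a confidential client, where the token endpoint will authenticate whoever redeems the code; that extension, the client registry, and the client names are assumptions made for the example.

```python
# Added example, not part of the mailing-list thread. Models the authorization-
# endpoint decision for an OAuth 2.0 request. Registry and client names are
# hypothetical.
from dataclasses import dataclass
from urllib.parse import urlsplit

# Hypothetical client registry, constructed for this example. The "confidential"
# flag is what the client declared at registration; nothing in an authorization
# request lets the server verify which kind of app actually sent it.
REGISTERED_CLIENTS = {
    "webapp-123": {"confidential": False,
                   "redirect_uris": {"https://app.example/cb"}},
    "backend-456": {"confidential": True,
                    "redirect_uris": {"https://backend.example/oauth/cb"}},
}


@dataclass
class Decision:
    redirect: bool      # may the server redirect to redirect_uri at all?
    prompt_user: bool   # must the user see a consent screen first?
    reason: str


def redirect_uri_matches(client_id: str, redirect_uri: str) -> bool:
    """RFC 6749 3.1.2: the redirection URI must not carry a fragment, and
    3.1.2.3: comparison with the registered value is a simple string
    comparison. No prefix matching, no normalisation."""
    client = REGISTERED_CLIENTS.get(client_id)
    if client is None:
        return False
    if urlsplit(redirect_uri).fragment:
        return False
    return redirect_uri in client["redirect_uris"]


def decide(request: dict, prior_grant: bool) -> Decision:
    """Decide one authorization request.

    request holds the query parameters delivered by the user-agent
    (client_id, redirect_uri, response_type). prior_grant says whether this
    user already approved this client_id in the current session.
    """
    client_id = request.get("client_id", "")
    redirect_uri = request.get("redirect_uri", "")
    if not redirect_uri_matches(client_id, redirect_uri):
        # RFC 6749 3.1.2.4: on a mismatch, inform the user and do NOT redirect,
        # otherwise the token or code would be delivered to the attacker's URI.
        return Decision(False, False, "redirect_uri does not exactly match registration")

    client = REGISTERED_CLIENTS[client_id]
    # Only in the code flow with a confidential client is the caller's identity
    # ever checked: the token endpoint authenticates whoever redeems the code.
    # In the implicit flow the access token goes straight to whatever process
    # delivered this request, and that process may be an impersonating native app.
    identity_verifiable_later = (request.get("response_type") == "code"
                                 and client["confidential"])
    if prior_grant and identity_verifiable_later:
        return Decision(True, False, "auto-approved: prior grant, client authenticates at token endpoint")
    return Decision(True, True, "explicit consent required: client identity not verifiable")


# Constructed requests for the example.
LEGIT_WEBAPP = {"client_id": "webapp-123", "response_type": "token",
                "redirect_uri": "https://app.example/cb"}
# A native app impersonating the web app sends byte-identical parameters; the
# server has no way to tell the two apart, so the decision must not depend on it.
IMPOSTOR_NATIVE = dict(LEGIT_WEBAPP)
IMPOSTOR_OWN_URI = {**LEGIT_WEBAPP, "redirect_uri": "https://app.example/cb.evil.example/"}
CONFIDENTIAL_CODE = {"client_id": "backend-456", "response_type": "code",
                     "redirect_uri": "https://backend.example/oauth/cb"}


def demo() -> dict:
    return {
        "legit_webapp": decide(LEGIT_WEBAPP, prior_grant=True),
        "impostor_native": decide(IMPOSTOR_NATIVE, prior_grant=True),
        "impostor_own_uri": decide(IMPOSTOR_OWN_URI, prior_grant=True),
        "confidential_code": decide(CONFIDENTIAL_CODE, prior_grant=True),
    }


if __name__ == "__main__":
    for name, d in demo().items():
        print(f"{name:18} redirect={d.redirect!s:5} prompt={d.prompt_user!s:5} {d.reason}")
```

Running it shows the legitimate web app and the impersonating native app receiving exactly the same decision, which is the point of the thread: the redirect_uri check stops an attacker who needs a different redirect target, but not one who can read the token from the registered one, so the consent prompt is the remaining control for the implicit flow.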
