On Wed, May 11, 2011 at 11:44 AM, Lodderstedt, Torsten <
t.lodderst...@telekom.de> wrote:

> How shall the authorization server ensure that the calling client is a
> user-agent based app (i.e. a native app could impersonate a user-agent
> based app)?
>
> In my opinion, enforcing explicit user consent is the only way to prevent
> this kind of attack.
>

Native apps will require access to shared OS resources to retrieve the
access token if the redirect URI is a web location registered with the
proper web client.

If the native app has such access, the native app can do far more
interesting things to compromise the user's credentials directly.

No amount of protocol sophistication can address this.


>
> regards,
> Torsten.
>
> > -----Original Message-----
> > From: Marius Scurtescu [mailto:mscurte...@google.com]
> > Sent: Wednesday, 11 May 2011 20:28
> > To: Lodderstedt, Torsten
> > Cc: oauth@ietf.org; Doug Tangren
> > Subject: Re: [OAUTH-WG] oauth2 implicit flow user experience
> >
> > On Tue, May 10, 2011 at 4:43 PM, Lodderstedt, Torsten
> > <t.lodderst...@telekom.de> wrote:
> > > Hi Marius,
> > >
> > > wrt "auto-approval": how is the authorization server supposed to
> > validate the client's identity in a reliable way? Otherwise another
> > application (using the id of the legitimate client) could abuse the
> > authorization previously approved by the user as long as the session
> > with the authorization server is valid. The redirect_uri won't help for
> > all kinds of clients since a native app could use the correct
> > redirect_uri and nevertheless get access to the token.
> >
> > The only validation is based on the redirect URI. Native apps should
> > not use the implicit flow, and in general there is no need for
> > auto-approval for them.
> >
> > Marius
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>



-- 
Breno de Medeiros
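The thread above argues that, in the implicit flow, the only client check an authorization server has is the registered redirect URI, and that explicit consent (no auto-approval) is the remaining safeguard. The following is an added example of one way an authorization endpoint could encode that policy; it is not code from the thread or from any participant, and the client registrations and the `authorize_decision` helper are constructed for illustration.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Client:
    client_id: str
    client_type: str          # "web" (confidential), "user-agent" or "native" (public)
    redirect_uris: frozenset  # exact, pre-registered redirect URIs


# Constructed sample registrations for the example; not real clients.
CLIENTS = {
    "web-app": Client("web-app", "web", frozenset({"https://app.example.com/cb"})),
    "spa": Client("spa", "user-agent", frozenset({"https://spa.example.com/cb"})),
    "mobile": Client("mobile", "native", frozenset({"com.example.app:/cb"})),
}


def redirect_uri_allowed(client: Client, redirect_uri: str) -> bool:
    """Exact string match only: no prefix or host-only matching, and no
    fragment, since the implicit flow returns the token in the fragment."""
    if urlsplit(redirect_uri).fragment:
        return False
    return redirect_uri in client.redirect_uris


def authorize_decision(client_id: str, response_type: str, redirect_uri: str,
                       previously_approved: bool) -> str:
    """Return 'deny', 'consent' (show the consent screen) or 'auto-approve'."""
    client = CLIENTS.get(client_id)
    if client is None or not redirect_uri_allowed(client, redirect_uri):
        return "deny"
    if response_type == "token":
        # Implicit flow: the redirect URI is the only client check, so a
        # native app that can reach the redirect target could pose as the
        # user-agent app. Refuse native clients and never auto-approve.
        if client.client_type == "native":
            return "deny"
        return "consent"
    if response_type == "code":
        # Authorization code flow: auto-approval only for a confidential
        # web client, which must also authenticate at the token endpoint.
        if previously_approved and client.client_type == "web":
            return "auto-approve"
        return "consent"
    return "deny"
```

Note that this policy still cannot tell a native app from a user-agent app at the wire level; it only removes the auto-approval shortcut that an impersonating client would exploit.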