I'm going to add text warning about third-party scripts included on the 
redirection URI endpoint.

The right solution here is to make sure no script is executed before the client 
code gets hold of the access token and hides it. Ideally, the landing page does 
not include any third-party scripts, and those included should know better than 
to include the fragment, which in today's web applications is heavily used to 
manage internal state, not to anchor a part of the document.

EHL


From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of 
Kushal Dave
Sent: Wednesday, July 06, 2011 1:08 PM
To: oauth@ietf.org
Subject: [OAUTH-WG] Concerns about Implicit Grant flow

Hello!

Foursquare recently encountered a scary example of a client accidentally 
leaking user tokens as part of the implicit grant flow. It turns out the 
official "Tweet this" button provided by Twitter grabs the URL, including 
fragment, at the time of page load, before the client's JavaScript has had a 
chance to elide the access_token hash value. And it's easy to imagine lots of 
other sharing and analytics tools could be similarly aggressive in transmitting 
hash values outside of the page.

We've thought a lot about what to do about this, short of disabling the flow 
entirely. One thing that seems viable is to make the "access token" in this 
flow actually a one-time use token. The requesting page would then make a JSONP 
request exchanging the one-time use token for a permanent token that is never 
visible in the URL. Has this come up? Have you had any feedback from other 
implementors?

We're not excited about such a blatant deviation from the spec, but we're not 
sure what else to do.

Cheers,
Kushal
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
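The mitigation EHL describes (grab the token before any other script runs, then strip the fragment) and the leak Kushal describes (a widget reading the URL at load) can both be shown with the snippet below. It is an added example, not code from either poster or from any OAuth library; the `makeStubWindow` helper and the `https://client.example/cb` redirect URI are constructed so the file runs outside a browser, and the token value is a placeholder.

```javascript
// Parse "#access_token=...&token_type=bearer&state=..." into a plain object.
function parseFragment(hash) {
  const out = {};
  const body = hash.startsWith('#') ? hash.slice(1) : hash;
  if (!body) return out;
  for (const pair of body.split('&')) {
    const idx = pair.indexOf('=');
    const key = decodeURIComponent(idx === -1 ? pair : pair.slice(0, idx));
    const val = idx === -1 ? '' : decodeURIComponent(pair.slice(idx + 1));
    if (key) out[key] = val;
  }
  return out;
}

// Run this as the FIRST inline <script> on the redirect URI page, before any
// third-party <script> tag. The token is kept in memory only; the URL is
// rewritten so anything that later reads location.href no longer sees it.
// `win` is the real window in a browser; tests pass a stub.
function captureAndHideToken(win, expectedState) {
  const params = parseFragment(win.location.hash);
  const hideFragment = () =>
    // replaceState drops the fragment entirely; assigning location.hash = ''
    // would leave a trailing '#' and may scroll the page.
    win.history.replaceState(null, '', win.location.pathname + win.location.search);
  if (!params.access_token) return null;
  if (expectedState !== undefined && params.state !== expectedState) {
    hideFragment(); // state mismatch: treat as a forged response, keep nothing
    return null;
  }
  hideFragment();
  return {
    access_token: params.access_token,
    token_type: params.token_type,
    expires_in: params.expires_in ? Number(params.expires_in) : undefined,
  };
}

// What a "Tweet this"-style widget effectively observes at load time.
function fragmentStillExposed(win) {
  return 'access_token' in parseFragment(win.location.hash);
}

// Constructed stand-in for window, so the example runs under Node.
function makeStubWindow(url) {
  const loc = new URL(url);
  return {
    location: loc,
    history: { replaceState(_s, _t, u) { loc.href = new URL(u, loc.href).href; } },
  };
}
```

In a real page the call is `captureAndHideToken(window, storedState)` where `storedState` is the `state` value the client generated before redirecting to the authorization server.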
