the title sounds a bit weird to me. Why not "authorization code phishing"?

regards,
Torsten.

From: Eran Hammer-Lahav [mailto:e...@hueniverse.com]
Sent: Wednesday, 17 August 2011 08:39
To: OAuth WG
Subject: [OAUTH-WG] Authorization Code Leakage feedback (Yaron Goland)
Noticed this follow-up question after I sent this:

> 10.6. Authorization Code Leakage: Comment on "The authorization server
> SHOULD require the client to register their redirection URI": "Why is this a
> should?"

Because comparing the redirect_uri value used between the two calls
(authorization

> 10.6. Authorization Code Leakage: Comment "I fancy myself as being
> reasonably intelligent and I'm unclear what attack is actually being described
> here."

Yeah... I had to go back to -16 to be reminded of the section's original title
'session fixation attack' to figure out what this was abo