Re: [OAUTH-WG] Indicating origin of OAuth credentials to combat login CSRF

2011-02-27 Thread Manger, James H
Hi Francisco,

>> Q. Should an OAuth client app list the authorization server
>> in the Origin header of requests to resource servers?
>>
>> In OAuth (delegation) flows a server dynamically issues
>> credentials (such as a bearer token) to a client app to use
>> in subsequent HTTP requests t

Re: [OAUTH-WG] Indicating origin of OAuth credentials to combat login CSRF

2011-02-27 Thread Manger, James H
Torsten Lodderstedt said: "I would expect the token to carry information about its issuer. Would this be sufficient in order to detect CSRF?" No. A Login CSRF attack involves a legitimate token (listing the legitimate issuer) that an attacker received being given to a victim client. The client

Re: [OAUTH-WG] OAuth v2 Mac token spec

2011-02-27 Thread Peter Wolanin
To clarify a bit in terms of the flexibility I mention being gained by keeping a body hash field in the headers and for constructing the signature - I'm imagining myself implementing 2 layers of servers for handling the upload and processing of large files. The public facing server (e.g. a load

[OAUTH-WG] OAuth v2 Mac token spec

2011-02-27 Thread Peter Wolanin
Dear Mr. Hammer-Lahav, regarding http://tools.ietf.org/html/draft-hammer-oauth-v2-mac-token-02, I was quite happy to find this, since I had overlooked it before and it defines the sort of robust HMAC-based auth we have been using for our APIs in various forms, but has the advantage of being a standa

Re: [OAUTH-WG] Breaking change for authorization code flow?

2011-02-27 Thread Torsten Lodderstedt
On 26.02.2011 17:49, Eran Hammer-Lahav wrote:
> I think you are making too much of this.

glad to hear :-) I just want to make sure native apps are OAuth 1st class citizens. The ability to issue refresh tokens to such clients is a key feature, which is by no means an exception. Even if they