Re: [OAUTH-WG] A Scope Attack against OAuth 2.0

2012-02-24 Thread Dan Taflin
Thereby depriving the client of visibility on the social network. Yes, this is a hack, by the user, against the client, and there is material harm. The user is getting something without giving the client what was originally promised. Of course, the client will quickly discover the hack, and

Re: [OAUTH-WG] Fwd: Re: Mandatory-to-implement token type

2011-12-02 Thread Dan Taflin
+1 I agree with Andre and Stephen and others who argued against an MTI token type. As an architect of a (soon-to-be) OAuth server I can state that we will almost certainly support bearer token only, and that we will be writing the code ourselves, not using a library. I don’t really see how a

Re: [OAUTH-WG] questions about implicit grant

2011-11-15 Thread Dan Taflin
I’ve spent the last couple months trying to answer this question myself (even posted on Stack Overflow, http://stackoverflow.com/questions/7522831/what-is-the-purpose-of-the-implicit-grant-authorization-type-in-oauth-2), and here’s the best answer I can come up with: it’s a great solution for

Re: [OAUTH-WG] Security Considerations - Access Tokens

2011-10-31 Thread Dan Taflin
To be consistent, section 10.3 should probably specify that the requirement of confidentiality in transit applies specifically to BEARER tokens. I would like to see this relaxed further though, as I argued last week, to accommodate situations where a token is scoped to a limited set of data

Re: [OAUTH-WG] Returning two tokens. Was: Re: Rechartering

2011-10-26 Thread Dan Taflin
...@veznat.com] Sent: Tuesday, October 25, 2011 8:41 PM To: Dave Rochwerger Cc: Dan Taflin; OAuth WG Subject: Returning two tokens. Was: Re: [OAUTH-WG] Rechartering I'm going to reiterate what has already been said. OAuth already supports what you're trying to do. Just request a token twice, the first time

Re: [OAUTH-WG] Rechartering

2011-10-25 Thread Dan Taflin
I would like to second Torsten's pitch for the ability to return multiple access tokens with a single authorization process. The use case for my company is to segment operations into two main categories: protected and confidential. (A possible third category, public, would not require any

Re: [OAUTH-WG] Rechartering

2011-10-25 Thread Dan Taflin
like to see this relaxed somewhat. Dan From: Dave Rochwerger [mailto:da...@quizlet.com] Sent: Tuesday, October 25, 2011 4:08 PM To: Dan Taflin Cc: OAuth WG Subject: Re: [OAUTH-WG] Rechartering Is separating this out into 2 different tokens, really the best way to solve your use case? It sounds