Hi,
A good description of the recently announced OAuth vulnerability is
here:
http://www.hueniverse.com/hueniverse/2009/04/explaining-the-oauth-session-fixation-attack.html
I created SHINDIG-1027 to track this issue. Code for trunk is checked
in that changes the following aspects of the three-legged OAuth Java
support:
Modifies OAuthEntry, adding a new type of token, 'DISABLED'. A request
token can be disabled when a consumer attempts to exchange the token
for an access token without having gone through the authorization flow.
Adds an oauthVersion field to OAuthEntry. This allows us to detect when
there is a threat.
Modify the OAuthDataStore as follows:
* createRequestToken now takes a consumer key and the oauth_version
* New method disableToken(OAuthEntry) for marking a token disabled.
* New method removeToken(OAuthEntry) for removing a token entirely.
SampleOAuthServlet changes include
* identifying securityThread_2009_1 based on the token data
* optionally using a callback from the OAuthDataStore (this allows a
service provider to potentially use different callbacks than specified
in the protocol flow)
* handling disabled tokens
* catching cases where tokens are being used without authorizing them
The authorize.jsp now is a bit cleaner and will display a scary
message when the conditions are such that the security threat exists.
Cheers,
Paul
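The following is an added illustration of the token-state handling the mail describes; it is not the SHINDIG-1027 code or Shindig's OAuthDataStore. The names OAuthEntry, createRequestToken(consumerKey, oauthVersion), disableToken(OAuthEntry) and removeToken(OAuthEntry) follow the mail; the Type enum, the field names, exchangeForAccessToken, authorizeToken, isUnderThreat and the "1.0a" version marker are assumptions made for the example. The point it shows is the one the fix relies on: a consumer that hits the access-token endpoint before the user has authorized the request token is the signature of the session-fixation race, so the token is burned rather than left for a later, attacker-triggered authorization to revive.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical in-memory token store; not Shindig's OAuthDataStore. */
public class RequestTokenGuard {

    /** Token types; DISABLED is the state the fix adds. */
    public enum Type { REQUEST, ACCESS, DISABLED }

    /** Stand-in for Shindig's OAuthEntry (field names are assumed). */
    public static final class OAuthEntry {
        public final String token;
        public final String consumerKey;
        public final String oauthVersion;
        public Type type = Type.REQUEST;
        public boolean authorized = false;
        public String userId;

        OAuthEntry(String token, String consumerKey, String oauthVersion) {
            this.token = token;
            this.consumerKey = consumerKey;
            this.oauthVersion = oauthVersion;
        }
    }

    /** Assumed marker sent by a consumer using the revised flow; anything else is the old flow. */
    private static final String FIXED_VERSION = "1.0a";

    private final Map<String, OAuthEntry> entries = new ConcurrentHashMap<>();
    private final SecureRandom rng = new SecureRandom();

    private String newToken() {
        byte[] raw = new byte[20];
        rng.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    public OAuthEntry createRequestToken(String consumerKey, String oauthVersion) {
        OAuthEntry e = new OAuthEntry(newToken(), consumerKey, oauthVersion);
        entries.put(e.token, e);
        return e;
    }

    /** True when the authorization page should warn: old flow, so the callback cannot be trusted. */
    public boolean isUnderThreat(OAuthEntry e) {
        return e.type == Type.REQUEST && !FIXED_VERSION.equals(e.oauthVersion);
    }

    /** Called after the user approves on the authorization page. Refuses burned tokens. */
    public void authorizeToken(OAuthEntry e, String userId) {
        if (e.type != Type.REQUEST) {
            throw new IllegalStateException("only live request tokens can be authorized");
        }
        e.authorized = true;
        e.userId = userId;
    }

    public void disableToken(OAuthEntry e) { e.type = Type.DISABLED; }

    public void removeToken(OAuthEntry e) { entries.remove(e.token); }

    /** The access-token endpoint: exchange succeeds only for an authorized request token. */
    public OAuthEntry exchangeForAccessToken(String consumerKey, String requestToken) {
        OAuthEntry e = entries.get(requestToken);
        if (e == null || !e.consumerKey.equals(consumerKey)) {
            throw new SecurityException("unknown request token for this consumer");
        }
        if (e.type == Type.DISABLED) {
            throw new SecurityException("request token has been disabled");
        }
        if (e.type != Type.REQUEST) {
            throw new SecurityException("not a request token");
        }
        if (!e.authorized) {
            // Exchange before the user approved: burn the token so a later approval cannot revive it.
            disableToken(e);
            throw new SecurityException("request token used without authorization; token disabled");
        }
        removeToken(e); // request tokens are single-use
        OAuthEntry access = new OAuthEntry(newToken(), consumerKey, e.oauthVersion);
        access.type = Type.ACCESS;
        access.authorized = true;
        access.userId = e.userId;
        entries.put(access.token, access);
        return access;
    }

    public static void main(String[] args) {
        RequestTokenGuard store = new RequestTokenGuard();

        // Race attempt: consumer exchanges before anyone authorized the token.
        OAuthEntry early = store.createRequestToken("consumer-key", "1.0");
        try {
            store.exchangeForAccessToken("consumer-key", early.token);
        } catch (SecurityException ex) {
            System.out.println("blocked: " + ex.getMessage() + " (type=" + early.type + ")");
        }
        try {
            store.authorizeToken(early, "victim"); // burned token cannot be approved later
        } catch (IllegalStateException ex) {
            System.out.println("blocked: " + ex.getMessage());
        }

        // Legitimate flow: authorize first, then exchange.
        OAuthEntry good = store.createRequestToken("consumer-key", "1.0a");
        System.out.println("warn on authorize page: " + store.isUnderThreat(good));
        store.authorizeToken(good, "alice");
        OAuthEntry access = store.exchangeForAccessToken("consumer-key", good.token);
        System.out.println("access token issued for " + access.userId + ", type=" + access.type);
    }
}
```

Running main exercises both paths: the premature exchange flips the entry to DISABLED and the subsequent authorize call is refused, while the authorized token is exchanged once and then removed. The version check only decides whether to warn the user; the disable-on-premature-exchange rule is what closes the race regardless of which flow the consumer used.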