On Apr 28, 2009, at 12:14 PM, Brian Eaton wrote:

I'm going to be prototyping a fix for the OAuth session fixation
attack in Shindig.  There is no new OAuth spec yet, but there are
proposals that we should try to validate.

I'm focusing on the outbound OAuth support for now.  If somebody
(Paul?) wants to jump into the OAuth SP code that would be great.
Otherwise I'll probably end up doing it to validate the outbound
stuff.

I already committed some fixes for this in SHINDIG-1027.  Specifically:
* Track OAuth protocol version and callback in OAuth Entry
* Add the ability to 'Disable' or 'Remove' an OAuth Entry
* Allow callback to be specified during request token phase instead of authorize.
* Disable request token if attempt is made to convert to an access token before requesting the authorization page.

http://svn.apache.org/viewvc?view=rev&revision=767835


Here's a design doc for the fix for the outbound code:

http://cwiki.apache.org/confluence/display/SHINDIG/OAuthSessionFixationAttack

Very well done!
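As an added illustration (constructed here, not code from Shindig or the SHINDIG-1027 commit), a Python model of the consumer-side OAuth entry state that applies the mitigations listed in the reply: the callback is bound when the request token is issued for the newer protocol version, the authorization page request is recorded, and the request token is disabled if an exchange is attempted before that page was requested. Class, function and version-label names are assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional
from urllib.parse import urlencode
import secrets

class EntryState(Enum):
    REQUEST_TOKEN = "request_token"  # issued, authorization page not yet requested
    AUTHORIZING = "authorizing"      # user has been sent to the authorization page
    ACCESS_TOKEN = "access_token"    # exchanged successfully
    DISABLED = "disabled"            # dead; a fresh flow must be started

@dataclass
class OAuthEntry:
    protocol_version: str            # "1.0" or "1.0a" (assumed labels)
    callback: Optional[str]          # bound at request-token time for "1.0a"
    request_token: str
    state: EntryState = EntryState.REQUEST_TOKEN

def issue_request_token(protocol_version: str, callback: Optional[str]) -> OAuthEntry:
    # Constructed: a real consumer receives the token from the service provider.
    if protocol_version == "1.0a" and callback is None:
        raise ValueError("1.0a binds the callback when the request token is issued")
    return OAuthEntry(protocol_version, callback, secrets.token_hex(8))

def authorization_url(entry: OAuthEntry, base: str, callback: Optional[str] = None) -> str:
    """Build the authorize redirect and record that the page was requested."""
    if entry.state is not EntryState.REQUEST_TOKEN:
        raise PermissionError(f"entry is {entry.state.value}, cannot authorize")
    params = {"oauth_token": entry.request_token}
    if entry.protocol_version == "1.0" and callback:
        params["oauth_callback"] = callback  # legacy: callback chosen at authorize time
    # "1.0a": a callback supplied now is ignored; the one bound at request time wins.
    entry.state = EntryState.AUTHORIZING
    return f"{base}?{urlencode(params)}"

def exchange_for_access_token(entry: OAuthEntry) -> bool:
    """Only an entry that went through the authorization page may be exchanged.
    An exchange attempted straight from the request-token state disables the
    token instead of leaving it around for a later, user-authorized exchange."""
    if entry.state is EntryState.AUTHORIZING:
        entry.state = EntryState.ACCESS_TOKEN
        return True
    if entry.state is EntryState.REQUEST_TOKEN:
        entry.state = EntryState.DISABLED
    return False

def disable(entry: OAuthEntry) -> None:
    """Operator-side 'Disable' of an entry, regardless of its current state."""
    entry.state = EntryState.DISABLED
```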
