Re: [OAUTH-WG] WRAP session fixation?

Brian Eaton <beaton@google.com> Wed, 25 November 2009 01:58 UTC

In-Reply-To: <059DCB41-BC68-43B9-8E50-B774AD71FB24@gmail.com>
References: <daf5b9570911241728h7bfc36e2w517cf85448ae492a@mail.gmail.com> <059DCB41-BC68-43B9-8E50-B774AD71FB24@gmail.com>
Date: Tue, 24 Nov 2009 17:58:35 -0800
Message-ID: <daf5b9570911241758p35206df7xf7bf7f245087f726@mail.gmail.com>
From: Brian Eaton <beaton@google.com>
To: Michael Malone <mjmalone@gmail.com>
Cc: Naitik Shah <naitik@facebook.com>, Luke Shepard <lshepard@facebook.com>, Brent Goldman <brent@facebook.com>, "oauth@ietf.org" <oauth@ietf.org>

On Tue, Nov 24, 2009 at 5:45 PM, Michael Malone <mjmalone@gmail.com> wrote:
> Ah interesting, so you pass the callback URL to the authorization server
> again to get an access token? How does that work if you _do_ have a
> registered callback URL?

It depends on the authorization server, but my guess is that if the
authorization server required callback URL registration in the first
place they will be checking callback URLs when users hit the approval
page.  If an unknown callback URL hits the approval page, the
authorization server will probably refuse to return the user to the
callback.

Cheers,
Brian
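The check described in the reply above, written out in Python as an added example that is not part of the original thread or of the WRAP draft: the approval page looks up the client's registered callback URLs and, if the callback the client sent is not one of them, refuses to send the user anywhere rather than redirecting to the unknown URL. The client registry, client ids and URLs are constructed sample data; exact string comparison is my choice of matching rule, and the prefix-matching variant is included only to show what a looser rule would accept.

```python
"""Callback URL check at an authorization server's approval page.

Added illustration, not code from the WRAP/OAuth drafts or from any
mailing-list participant. Registry contents and URLs are constructed.
"""

# Constructed sample registry: client id -> registered callback URLs.
REGISTERED_CALLBACKS = {
    "client-abc": {
        "https://app.example.com/oauth/callback",
        "https://app.example.com/oauth/callback-mobile",
    },
    # Constructed client whose registered callback is a bare origin.
    "client-xyz": {"https://app.example.com"},
    # Constructed client that registered nothing on a server that requires
    # registration (assumption: such a client gets no redirect at all).
    "client-noreg": set(),
}


def approval_page(client_id, requested_callback):
    """Decide what the approval page does with the callback the client sent.

    Returns ("redirect", url) only when the URL exactly matches one the
    client registered. Otherwise returns ("refuse", reason): the server shows
    an error on its own page and does NOT return the user to the callback.
    """
    registered = REGISTERED_CALLBACKS.get(client_id)
    if registered is None:
        return ("refuse", "unknown client")
    if not registered:
        return ("refuse", "client has no registered callback")
    # Exact string comparison: scheme, host, port, path and query must all
    # be identical to a registered value. No prefix or substring logic.
    if requested_callback in registered:
        return ("redirect", requested_callback)
    return ("refuse", "callback not registered for this client")


def loose_prefix_check(client_id, requested_callback):
    """Weaker rule shown for contrast: accept anything that starts with a
    registered value. Kept here only to demonstrate what it lets through."""
    registered = REGISTERED_CALLBACKS.get(client_id) or set()
    return any(requested_callback.startswith(r) for r in registered)


if __name__ == "__main__":
    # Constructed requests: one legitimate, the rest lookalikes.
    samples = [
        ("client-abc", "https://app.example.com/oauth/callback"),
        ("client-abc", "http://app.example.com/oauth/callback"),
        ("client-abc", "https://app.example.com/oauth/callback?next=https://attacker.example"),
        ("client-abc", "https://app.example.com.attacker.example/oauth/callback"),
        ("client-xyz", "https://app.example.com.attacker.example/"),
        ("client-noreg", "https://anything.example/cb"),
        ("no-such-client", "https://app.example.com/oauth/callback"),
    ]
    for cid, url in samples:
        decision, detail = approval_page(cid, url)
        print(f"{cid:15} {decision:8} {detail}")
        if decision == "refuse" and loose_prefix_check(cid, url):
            print(f"{'':15} (a prefix match would have redirected here)")
```

The contrast case is `client-xyz`: with a registered value of `https://app.example.com`, a prefix rule accepts `https://app.example.com.attacker.example/` because the registered string is a prefix of the attacker's hostname, while the exact-match rule refuses it. Whatever matching rule a server picks, the refusal path should render an error at the authorization server itself, not redirect to the URL that failed the check.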