javascript - OAuth2 User-agent flow + two-legged OAuth
I have 2 questions about OAuth2's user-agent flow. (The current RFC draft of OAuth2's user-agent flow is here: http://tools.ietf.org/html/draft-ietf-oauth-v2-11#section-2.2)
1) Step C: the access token is given in the fragment, because the user-agent (browser) has to access it. Why is this such a problem if there is a server side? If there is a server side, there are easy workarounds: the client side can pass it to the server side (cookie, hidden fields, ...).
2) I want to implement the OAuth2 user-agent flow, two-legged version (a request_token is enough; the consumer app can act on behalf of users, no need to authenticate the user at the service provider).
I have found 1 major security gap in the combination of OAuth2's user-agent flow and the two-legged version:
The web browser handles the redirection. This means that though the service provider thinks it's sending the user to a specified host and domain, that host and domain are trivial for the user to redirect to his own machine -- or anywhere, by tweaking the DNS setup or the /etc/hosts file.
Let's look at the 3-legged and 2-legged versions:
With 3-legged OAuth this isn't a major problem because the user still needs to authenticate himself at the service provider. An attacker may set up a false domain leading to his machine, but he still needs the credentials of the user. He could lure the user to that domain by manipulating the result of the domain lookup (done by the user's user-agent), which he can do by having access to the user's machine (which is more difficult).
With 2-legged OAuth however: an attacker can set localhost (/etc/hosts) as the domain of an innocent consumer app and get a request_token. The user has nothing to do with it... The attacker can make calls on behalf of the users of the innocent consumer app. Does anyone have an idea how to secure this gap?
greetings, chielus
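As an added example (not from the original question or any reply to it), the two authorization-endpoint checks a defender would apply to the concerns raised above: exact-match validation of `redirect_uri` against the client's registered URIs, and refusing to deliver any token through the fragment that is not bound to an authenticated end user, since the user-agent flow (`response_type=token`) cannot authenticate the client and so cannot safely carry an app-level, two-legged token. The client registry, the `authenticatedUser` field and the exact error strings are assumptions of this example.

```javascript
// Added example: authorization-endpoint request validation for the
// user-agent (fragment) flow. Not the questioner's code.

// Constructed client registry (assumption): each client has a list of
// exact redirect URIs registered out of band.
const registeredClients = {
  "spa-demo": { redirectUris: ["https://app.example/cb"] },
};

// Exact match after URL normalisation: no prefix or host-only matching,
// and a presented URI carrying its own fragment is rejected outright,
// because the token will be appended as the fragment.
function redirectUriMatches(registered, presented) {
  let u;
  try {
    u = new URL(presented);
  } catch {
    return false;
  }
  if (u.hash !== "") return false;
  return registered.some((r) => new URL(r).href === u.href);
}

// params: { client_id, redirect_uri, response_type, authenticatedUser }
// authenticatedUser (assumed field) is the subject the authorization server
// has already authenticated in this browser session, or undefined.
function validateAuthorizationRequest(params) {
  const client = registeredClients[params.client_id];
  if (!client) return { ok: false, error: "invalid_client" };
  if (!params.redirect_uri ||
      !redirectUriMatches(client.redirectUris, params.redirect_uri)) {
    return { ok: false, error: "redirect_uri_mismatch" };
  }
  if (params.response_type !== "token") {
    return { ok: false, error: "unsupported_response_type" };
  }
  // The fragment flow proves nothing about who runs the client (the browser
  // resolves the redirect host, DNS/hosts file included), so a token issued
  // here may only represent an authenticated user's delegation, never the
  // consumer app itself. That is the two-legged gap closed by policy.
  if (!params.authenticatedUser) return { ok: false, error: "access_denied" };
  return { ok: true, deliverIn: "fragment", subject: params.authenticatedUser };
}
```

Note that the exact-match check defends against a redirect URI chosen by the request, while the `authenticatedUser` check is what prevents a user-less token from reaching whatever host the browser happens to resolve the registered name to.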