[Openid-specs-ab] Lite Draft 9

John Bradley ve7jtb at ve7jtb.com
Thu Aug 25 20:15:12 UTC 2011


Yes it is.   

Reading the FB documents I assumed that oauth_token in the signed request is the access token for the graph API.

Breno reports conversations with FB's developers that indicate that is not the current practice.

One reason why that would be a bad idea is that it would allow access tokens to be sniffed for non-SSL RP.  Not a problem for the RP, but perhaps a large one for the IdP.

Having an attacker get an id_token or session cookie is less problematic than if they get a long term access token.  If the id_token is set as a cookie then including the access token is a bad idea.

On 2011-08-25, at 12:55 PM, Allen Tom wrote:

> My understanding of FB's implementation is that their equivalent of the id_token actually contains the access_token, rather than a hash of the access_token or code.
> 
> Is the FB signed_request the equivalent of the id_token?
> 
> https://developers.facebook.com/docs/authentication/signed_request/
> 
> Allen
> 
> 
> 
> 2011/8/25 John Bradley <ve7jtb at ve7jtb.com>
> 
> 
> Facebook is currently doing something like this with their signed request tokens where they are including code in the token, or a hash of the access token.
> Facebook's implementation is not completely based on OAuth 2 draft 10.   It is a bit hard to figure it out from the documentation.
> 
> 
> 
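As an added example (not code from this thread, from Facebook, or from the OpenID AB working group), here is a signed_request-style token in Python that follows the base64url(HMAC-SHA256 signature) "." base64url(JSON payload) layout of the linked Facebook documentation but carries a SHA-256 hash of the access token instead of the token itself, so a token sniffed from a non-SSL RP or read out of a cookie does not yield the long-term access token while the RP can still confirm the binding. The `at_hash` field name, the app secret and the claims are constructed for the example.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def access_token_hash(access_token: str) -> str:
    # Bind the token without carrying it: a leaked signed request (or an
    # id_token stored in a cookie) exposes only this digest.
    return b64url_encode(hashlib.sha256(access_token.encode()).digest())


def make_signed_request(app_secret: str, claims: dict, access_token: str) -> str:
    # "at_hash" is an assumed field name, not one Facebook documents.
    payload = dict(claims, algorithm="HMAC-SHA256", at_hash=access_token_hash(access_token))
    encoded_payload = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(app_secret.encode(), encoded_payload.encode(), hashlib.sha256).digest()
    return f"{b64url_encode(sig)}.{encoded_payload}"


def verify_signed_request(app_secret: str, signed_request: str) -> dict:
    # Verify the signature over the still-encoded payload before trusting any claim.
    encoded_sig, encoded_payload = signed_request.split(".", 1)
    expected = hmac.new(app_secret.encode(), encoded_payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url_decode(encoded_sig), expected):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(encoded_payload))
    if payload.get("algorithm") != "HMAC-SHA256":
        raise ValueError("unexpected algorithm")
    return payload


def token_matches(payload: dict, access_token: str) -> bool:
    # The RP checks that the access token it obtained over its own channel is the
    # one the IdP signed for; the token itself never rides inside the request.
    return hmac.compare_digest(payload.get("at_hash", ""), access_token_hash(access_token))
```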