[Openid-specs-ab] Lite Draft 9
allentomdude at gmail.com
Thu Aug 25 21:25:44 UTC 2011
Are there any public docs for the version of the FB signed_request that uses
a hash of the access_token/code, rather than actually containing the entire
The only docs that I've read so far have the access_token contained within
On Thu, Aug 25, 2011 at 1:15 PM, John Bradley <ve7jtb at ve7jtb.com> wrote:
> Yes it is.
> Reading the FB documents I assumed that oauth_token in the signed request
> is the access token for the graph API.
> Breno reports conversations with FB's developers that indicate that is not
> the current practice.
> One reason why that would be a bad idea is that it would allow access
> tokens to be sniffed for a non-SSL RP. Not a problem for the RP, but perhaps
> a large one for the IdP.
> Having an attacker get an id_token or session cookie is less problematic
> than if they get a long-term access token. If the id_token is set as a
> cookie then including the access token is a bad idea.
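Added example in Python (not code from the thread, from Facebook or from the OpenID AB working group): a Facebook-style signed_request built both ways, showing that when the payload carries the oauth_token, anyone who can read the cookie on a non-SSL RP gets the access token, while a hash of the token only lets a party that already holds the token confirm the binding. The claim name oauth_token_hash, the app secret and the token value are constructed assumptions for this example.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values; neither is a real Facebook secret or token.
APP_SECRET = b"constructed-app-secret"
ACCESS_TOKEN = "constructed-long-lived-access-token"

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_signed_request(payload: dict, secret: bytes) -> str:
    """signed_request layout: base64url(HMAC-SHA256 over body) + "." + base64url(JSON body)."""
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    return f"{b64url_encode(sig)}.{body}"

def verify_signed_request(signed_request: str, secret: bytes):
    """Return the payload when the HMAC checks out, otherwise None (RP-side check)."""
    sig_b64, body = signed_request.split(".", 1)
    expected = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url_decode(sig_b64), expected):
        return None
    payload = json.loads(b64url_decode(body))
    return payload if payload.get("algorithm", "").upper() == "HMAC-SHA256" else None

def token_hash(access_token: str) -> str:
    """base64url(SHA-256(token)): binds the token to the payload without revealing it."""
    return b64url_encode(hashlib.sha256(access_token.encode()).digest())

def payload_exposes(signed_request: str, access_token: str) -> bool:
    """The payload is only base64url-encoded, so a sniffed cookie reveals whatever it carries."""
    return access_token.encode() in b64url_decode(signed_request.split(".", 1)[1])

# Variant 1: the access token itself rides in the payload, as in the FB docs the thread cites.
SR_WITH_TOKEN = make_signed_request(
    {"algorithm": "HMAC-SHA256", "user_id": "12345", "oauth_token": ACCESS_TOKEN}, APP_SECRET)
# Variant 2: only a hash of the token (claim name "oauth_token_hash" is assumed for this example).
SR_WITH_HASH = make_signed_request(
    {"algorithm": "HMAC-SHA256", "user_id": "12345", "oauth_token_hash": token_hash(ACCESS_TOKEN)}, APP_SECRET)

if __name__ == "__main__":
    print("token variant exposes token:", payload_exposes(SR_WITH_TOKEN, ACCESS_TOKEN))
    print("hash variant exposes token: ", payload_exposes(SR_WITH_HASH, ACCESS_TOKEN))
```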