[Openid-specs-ab] Lite Draft 9

Allen Tom allentomdude at gmail.com
Thu Aug 25 21:25:44 UTC 2011


Are there any public docs for the version of the FB signed_request that uses
a hash of the access_token/code, rather than actually containing the entire
access_token?

The only docs that I've read so far have the access_token contained within
the signed_request.

Allen


On Thu, Aug 25, 2011 at 1:15 PM, John Bradley <ve7jtb at ve7jtb.com> wrote:

> Yes it is.
>
> Reading the FB documents I assumed that oauth_token in the signed request
> is the access token for the graph API.
>
> Breno reports conversations with FB's developers that indicate that is not
> the current practice.
>
> One reason why that would be a bad idea is that it would allow access
> tokens to be sniffed for non-SSL RPs.  Not a problem for the RP, but perhaps
> a large one for the IdP.
>
> Having an attacker get an id_token or session cookie is less problematic
> than if they get a long-term access token.  If the id_token is set as a
> cookie then including the access token is a bad idea.
>
>
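The two payload shapes under discussion, as an added illustration that is not code from this thread, from Facebook or from the OpenID working group: the outer layout (base64url HMAC-SHA256 signature, a period, base64url JSON, with the MAC computed over the encoded JSON using the app secret) follows the signed_request encoding Facebook documented at the time; the field name access_token_hash, the app secret, the token value and the timestamps are constructed for the example, and the hash-only variant is only a hypothetical shape matching Allen's description, not a documented format. The point it shows is John's: the payload is encoded, not encrypted, so a passive observer of a non-SSL RP request reads the access token straight out of the token-bearing form, while the hash-only form still lets the RP bind a token it later obtains over TLS without putting the token on the wire.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample app secret; a real deployment keeps this server-side only.
APP_SECRET = b"constructed-app-secret-for-illustration"
# Constructed sample token; nothing here is a real credential.
ACCESS_TOKEN = "AAA-constructed-sample-access-token"


def b64url_encode(raw: bytes) -> str:
    """Base64url without padding, as used by the signed_request encoding."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_signed_request(payload: dict, secret: bytes) -> str:
    """Build <base64url(sig)>.<base64url(json)>; sig = HMAC-SHA256(secret, base64url(json))."""
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode("utf-8"))
    sig = hmac.new(secret, body.encode("ascii"), hashlib.sha256).digest()
    return f"{b64url_encode(sig)}.{body}"


def verify_signed_request(signed_request: str, secret: bytes) -> dict:
    """Return the payload only if the HMAC verifies; reject anything else."""
    if "." not in signed_request:
        raise ValueError("signed_request must be <sig>.<payload>")
    sig_b64, body = signed_request.split(".", 1)
    payload = json.loads(b64url_decode(body))
    if str(payload.get("algorithm", "")).upper() != "HMAC-SHA256":
        raise ValueError("unsupported algorithm")
    expected = hmac.new(secret, body.encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return payload


def is_valid(signed_request: str, secret: bytes) -> bool:
    try:
        verify_signed_request(signed_request, secret)
        return True
    except ValueError:
        return False


def token_commitment(access_token: str) -> str:
    """Hypothetical hash-only field: SHA-256 of the token, so the payload binds a token without carrying it."""
    return hashlib.sha256(access_token.encode("utf-8")).hexdigest()


def sniffer_sees_token(signed_request: str, access_token: str) -> bool:
    """What a passive observer of a non-TLS RP request learns: the payload is
    base64url, not encrypted, so it just decodes it and looks for the token."""
    _, body = signed_request.split(".", 1)
    return access_token in b64url_decode(body).decode("utf-8")


def rp_binds_token(payload: dict, access_token: str) -> bool:
    """RP side: given a token obtained later over TLS (e.g. by code exchange),
    confirm the signed payload commits to that token in either layout."""
    if "oauth_token" in payload:
        return hmac.compare_digest(payload["oauth_token"], access_token)
    if "access_token_hash" in payload:
        return hmac.compare_digest(payload["access_token_hash"], token_commitment(access_token))
    return False


# Variant 1: token carried in the payload (the layout the public docs show).
WITH_TOKEN = make_signed_request(
    {"algorithm": "HMAC-SHA256", "issued_at": 1314307544,  # constructed timestamp
     "user_id": "12345", "oauth_token": ACCESS_TOKEN},
    APP_SECRET)

# Variant 2: hash only (hypothetical field name, constructed for this example).
WITH_HASH = make_signed_request(
    {"algorithm": "HMAC-SHA256", "issued_at": 1314307544,
     "user_id": "12345", "access_token_hash": token_commitment(ACCESS_TOKEN)},
    APP_SECRET)


if __name__ == "__main__":
    for label, sr in (("token in payload", WITH_TOKEN), ("hash in payload", WITH_HASH)):
        payload = verify_signed_request(sr, APP_SECRET)
        print(f"{label}: sniffer learns token={sniffer_sees_token(sr, ACCESS_TOKEN)}, "
              f"RP binds token={rp_binds_token(payload, ACCESS_TOKEN)}")
```

Both variants verify with the app secret and both let the RP bind the token, but only the token-bearing one gives a sniffer of a plain-HTTP RP request the long-lived credential; swapping the signed payload between the two forms fails verification, since the MAC covers the encoded body.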