[Openid-specs-ab] Lite Draft 9

John Bradley ve7jtb at ve7jtb.com
Thu Aug 25 21:42:02 UTC 2011


Sounds like they need a standard :)

On 2011-08-25, at 2:25 PM, Allen Tom wrote:

> Are there any public docs for the version of the FB signed_request that uses a hash of the access_token/code, rather than actually containing the entire access_token? 
> 
> The only docs that I've read so far have the access_token contained within the signed_request.
> 
> Allen
> 
> 
> On Thu, Aug 25, 2011 at 1:15 PM, John Bradley <ve7jtb at ve7jtb.com> wrote:
> Yes, it is.
> 
> Reading the FB documents I assumed that oauth_token in the signed request is the access token for the graph API.
> 
> Breno reports conversations with FB's developers that indicate that is not the current practice.
> 
> One reason why that would be a bad idea is that it would allow access tokens to be sniffed for a non-SSL RP.  Not a problem for the RP, but perhaps a large one for the IdP.
> 
> Having an attacker get an id_token or session cookie is less problematic than if they get a long-term access token.  If the id_token is set as a cookie then including the access token is a bad idea.
> 
> 
>  

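The two designs under discussion in this thread, as an added example that is not code from the thread, from Facebook, or from the OpenID AB draft: a Facebook-style signed_request (base64url HMAC-SHA256 signature, a dot, base64url JSON payload, signed with the app secret) built once with the access token embedded as oauth_token and once with only a hash of it, in the style of an OpenID Connect at_hash (left half of SHA-256, base64url). The app secret, user id and token value are constructed sample values. The leaked_access_token function plays the passive attacker on a non-SSL RP: the payload is only base64url-encoded, so whatever is inside it is readable without the secret. The hash variant gives the attacker nothing usable while still letting the RP check that the token it later obtains over TLS is the one the IdP bound to the assertion.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample values for the example; not real credentials.
APP_SECRET = b"constructed-app-secret"
ACCESS_TOKEN = "constructed-long-lived-access-token"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def access_token_hash(access_token: str) -> str:
    """Token binding in the style of OpenID Connect's at_hash: base64url of the
    left-most 128 bits of SHA-256(access_token). A sniffer learns nothing that
    can be replayed against the graph API; the RP can still confirm that the
    token it receives over TLS is the one this assertion was issued with."""
    digest = hashlib.sha256(access_token.encode("utf-8")).digest()
    return b64url_encode(digest[: len(digest) // 2])


def make_signed_request(payload: dict, secret: bytes) -> str:
    """Facebook-style signed_request: base64url(HMAC-SHA256 sig) '.' base64url(JSON).
    The HMAC is computed over the encoded payload string."""
    body = {"algorithm": "HMAC-SHA256", **payload}
    encoded_payload = b64url_encode(json.dumps(body, separators=(",", ":")).encode("utf-8"))
    sig = hmac.new(secret, encoded_payload.encode("ascii"), hashlib.sha256).digest()
    return f"{b64url_encode(sig)}.{encoded_payload}"


def parse_signed_request(signed_request: str, secret: bytes) -> dict:
    """Verify the HMAC in constant time before decoding; raise on any mismatch."""
    encoded_sig, encoded_payload = signed_request.split(".", 1)
    expected = hmac.new(secret, encoded_payload.encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url_decode(encoded_sig), expected):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(encoded_payload))
    if payload.get("algorithm") != "HMAC-SHA256":
        raise ValueError("unexpected algorithm")
    return payload


def leaked_access_token(signed_request: str) -> Optional[str]:
    """What a passive attacker on a non-SSL RP gets from the cookie: the payload is
    base64url, not encrypted, so an embedded token is readable without the secret."""
    _, encoded_payload = signed_request.split(".", 1)
    return json.loads(b64url_decode(encoded_payload)).get("oauth_token")


def access_token_matches(payload: dict, access_token: str) -> bool:
    """RP-side check: the token obtained over TLS must match the hash in the assertion."""
    return hmac.compare_digest(payload.get("at_hash", ""), access_token_hash(access_token))


# Variant A: the access token itself travels in the signed request.
SR_WITH_TOKEN = make_signed_request({"user_id": "12345", "oauth_token": ACCESS_TOKEN}, APP_SECRET)

# Variant B: only a hash of the access token travels in the signed request.
SR_WITH_HASH = make_signed_request(
    {"user_id": "12345", "at_hash": access_token_hash(ACCESS_TOKEN)}, APP_SECRET
)

if __name__ == "__main__":
    print("sniffed from variant A:", leaked_access_token(SR_WITH_TOKEN))
    print("sniffed from variant B:", leaked_access_token(SR_WITH_HASH))
    payload = parse_signed_request(SR_WITH_HASH, APP_SECRET)
    print("issued token matches hash:", access_token_matches(payload, ACCESS_TOKEN))
    print("other token matches hash:", access_token_matches(payload, "other-token"))
```

The signature check protects integrity only; it does nothing for confidentiality of the payload, which is why what goes into the payload decides what a sniffer on a plaintext RP connection gets.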