[Openid-specs-ab] Lite Draft 9

Breno de Medeiros breno at google.com
Thu Aug 25 21:51:55 UTC 2011


On Thu, Aug 25, 2011 at 14:25, Allen Tom <allentomdude at gmail.com> wrote:
> Are there any public docs for the version of the FB signed_request that uses
> a hash of the access_token/code, rather than actually containing the entire
> access_token?

I don't think anyone disputes the fact that they include the token
directly. However, it is my understanding that they do so only with
tokens that need to be presented with the client secret.

> The only docs that I've read so far have the access_token contained within
> the signed_request.
> Allen
>
> On Thu, Aug 25, 2011 at 1:15 PM, John Bradley <ve7jtb at ve7jtb.com> wrote:
>>
>> Yes it is.
>> Reading the FB documents I assumed that oauth_token in the signed request
>> is the access token for the graph API.
>> Breno reports conversations with FB's developers that indicate that is not
>> the current practice.
>> One reason why that would be a bad idea is that it would allow access
>> tokens to be sniffed for non-SSL RPs.  Not a problem for the RP, but perhaps
>> a large one for the IdP.
>> Having an attacker get an id_token or session cookie is less problematic
>> than if they get a long term access token.  If the id_token is set as a
>> cookie then including the access token is a bad idea.
>
>
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>
>



-- 
--Breno
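An added illustration (not code from this thread, and not Facebook's actual signed_request format) of the design Allen asks about: the IdP signs a payload carrying a SHA-256 hash of the access token instead of the token itself, so an RP served over plain HTTP can still verify which token it was issued while the token never travels in the sniffable front channel. The `token_hash` claim name, the HMAC-SHA256 `signature.payload` layout and all sample values are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed shared secret; stands in for the RP's client secret known to the IdP.
APP_SECRET = b"constructed-app-secret"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def token_hash(token: str) -> str:
    """Binding value placed in the signed request instead of the token itself."""
    return b64url(hashlib.sha256(token.encode()).digest())


def make_signed_request(claims: dict, secret: bytes) -> str:
    """IdP side: HMAC-SHA256 over the base64url JSON payload (assumed layout)."""
    payload = b64url(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(secret, payload.encode(), hashlib.sha256).digest()
    return f"{b64url(sig)}.{payload}"


def parse_signed_request(signed_request: str, secret: bytes) -> Optional[dict]:
    """RP side: reject anything whose signature does not verify before parsing it."""
    try:
        sig_b64, payload = signed_request.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url_decode(sig_b64), expected):
        return None
    return json.loads(b64url_decode(payload))


def token_matches(claims: dict, presented_token: str) -> bool:
    """Check a token obtained over the secret-protected back channel against the hash."""
    return hmac.compare_digest(claims.get("token_hash", ""), token_hash(presented_token))


if __name__ == "__main__":
    token = "constructed-access-token"  # constructed sample token
    sr = make_signed_request({"user_id": "42", "token_hash": token_hash(token)}, APP_SECRET)
    claims = parse_signed_request(sr, APP_SECRET)
    print(sr, claims, token_matches(claims, token))
```

An eavesdropper on a non-SSL RP sees only the hash, while the RP can still reject a token that was not the one the IdP bound into the signed request.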