[Openid-specs-ab] Lite Draft 8
Allen Tom
allentomdude at gmail.com
Thu Aug 18 01:19:29 UTC 2011
Hi John - can you elaborate a bit more on why it's a "real security problem"
in the Twitter case? Can you outline an example exploit?
Thanks
Allen
On Tue, Aug 16, 2011 at 4:31 PM, John Bradley <ve7jtb at ve7jtb.com> wrote:
>
> The two tokens have potentially different scopes and lifetimes.
>
> There are good reasons for separating resource authorization from session
> authentication.
>
> It is true that twitter and others confuse those. That however is a real
> security problem.
>
>
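As an added illustration of the distinction John draws above (this is example code written for this page, not code from the thread, from Twitter, or from any OpenID Connect implementation): a relying party that checks a login assertion and a resource server that checks an access token apply different tests, so a token of one kind presented where the other is expected is rejected. The token format (base64url JSON claims plus an HMAC), the demo key, the issuer, client and resource identifiers, and the claim names are all assumptions chosen so the block runs offline; the 5-minute and 1-hour lifetimes are likewise constructed.

```python
import base64
import hashlib
import hmac
import json

# Assumptions for the example: a shared HMAC key stands in for the OP's
# signing key, and these identifiers are constructed, not real endpoints.
DEMO_KEY = b"constructed-demo-key"
ISSUER = "https://op.example"
CLIENT_ID = "client-A"
RESOURCE = "https://api.example"


class TokenError(Exception):
    """Raised when a token fails a check; the message names the failed check."""


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(claims: dict) -> str:
    """Constructed token format: base64url(JSON claims) '.' base64url(HMAC-SHA256)."""
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(DEMO_KEY, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}"


def _verified_claims(token: str) -> dict:
    payload, sig = token.split(".")
    expected = _b64(hmac.new(DEMO_KEY, payload.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        raise TokenError("bad signature")
    return json.loads(_unb64(payload))


def verify_login(token: str, expected_nonce: str, now: int) -> str:
    """Session authentication: the assertion must be issued to this client
    and bound to this login request (nonce). Returns the authenticated subject."""
    c = _verified_claims(token)
    if c.get("iss") != ISSUER:
        raise TokenError("wrong issuer")
    if c.get("aud") != CLIENT_ID:
        raise TokenError("not issued to this client")
    if c.get("nonce") != expected_nonce:
        raise TokenError("nonce mismatch")
    if c.get("exp", 0) <= now:
        raise TokenError("expired")
    return c["sub"]


def verify_access(token: str, needed_scope: str, now: int) -> str:
    """Resource authorization: the token must be for this resource and carry
    the scope the request needs. Returns the subject on whose behalf it acts."""
    c = _verified_claims(token)
    if c.get("iss") != ISSUER:
        raise TokenError("wrong issuer")
    if c.get("aud") != RESOURCE:
        raise TokenError("not issued for this resource")
    if needed_scope not in c.get("scope", "").split():
        raise TokenError("missing scope")
    if c.get("exp", 0) <= now:
        raise TokenError("expired")
    return c["sub"]


def outcome(fn, *args) -> str:
    """Run a check and report 'ok:<subject>' or 'rejected:<reason>'."""
    try:
        return "ok:" + fn(*args)
    except TokenError as e:
        return "rejected:" + str(e)


def demo(now: int = 1_313_600_000) -> dict:
    """Constructed tokens for one user: a 5-minute login assertion addressed
    to the client, and a 1-hour scoped token addressed to the resource."""
    id_tok = mint({"iss": ISSUER, "sub": "alice", "aud": CLIENT_ID,
                   "nonce": "n-1", "exp": now + 300})
    acc_tok = mint({"iss": ISSUER, "sub": "alice", "aud": RESOURCE,
                    "scope": "read:profile", "exp": now + 3600})
    return {
        "login_with_id_token": outcome(verify_login, id_tok, "n-1", now),
        "api_with_access_token": outcome(verify_access, acc_tok, "read:profile", now),
        "login_with_access_token": outcome(verify_login, acc_tok, "n-1", now),
        "api_with_id_token": outcome(verify_access, id_tok, "read:profile", now),
        "login_after_10_minutes": outcome(verify_login, id_tok, "n-1", now + 600),
        "api_after_10_minutes": outcome(verify_access, acc_tok, "read:profile", now + 600),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The two checks differ in exactly the ways the quoted message lists: the login check keys on audience (this client) and a per-request nonce with a short lifetime, while the resource check keys on audience (this API) and scope with a longer one. A relying party that accepted whichever token it was handed as proof of login would be skipping the audience and nonce tests that make the assertion its own.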