[Openid-specs-ab] Lite Draft 9
John Bradley
ve7jtb at ve7jtb.com
Thu Aug 25 21:42:02 UTC 2011
Sounds like they need a standard :)
On 2011-08-25, at 2:25 PM, Allen Tom wrote:
> Are there any public docs for the version of the FB signed_request that uses a hash of the access_token/code, rather than actually containing the entire access_token?
>
> The only docs that I've read so far have the access_token contained within the signed_request.
>
> Allen
>
>
> On Thu, Aug 25, 2011 at 1:15 PM, John Bradley <ve7jtb at ve7jtb.com> wrote:
> Yes it is.
>
> Reading the FB documents I assumed that oauth_token in the signed request is the access token for the graph API.
>
> Breno reports conversations with FB's developers that indicate that is not the current practice.
>
> One reason why that would be a bad idea is that it would allow access tokens to be sniffed for a non-SSL RP. Not a problem for the RP, but perhaps a large one for the IdP.
>
> Having an attacker get an id_token or session cookie is less problematic than if they get a long-term access token. If the id_token is set as a cookie then including the access token is a bad idea.
>
>
>
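The two signed_request shapes Allen and John are comparing, as an added example written for this page (not code from Facebook, the list, or the draft): the same HMAC-SHA256 signed_request layout described in the public FB docs (base64url signature, a dot, base64url JSON body), built once with the access token inline and once carrying only a SHA-256 digest of it, so that a signed_request sniffed from a non-SSL RP or stored in a cookie does not expose the token. The field name oauth_token_hash, the digest construction, the sample secret, token and timestamp are all assumptions for illustration; the thread notes there are no public docs for the hash variant.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values for this example; not real credentials.
APP_SECRET = b"constructed-app-secret"
ACCESS_TOKEN = "constructed-long-lived-access-token"
ISSUED_AT = 1314308522  # constructed timestamp


def b64url_encode(raw: bytes) -> str:
    """Base64url without padding, the encoding signed_request uses."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def token_digest(token: str) -> str:
    """SHA-256 hex digest of the access token (assumed hash construction)."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def make_signed_request(payload: dict, secret: bytes) -> str:
    """signed_request = base64url(HMAC-SHA256(secret, body)) + '.' + body."""
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode("utf-8"))
    sig = hmac.new(secret, body.encode("ascii"), hashlib.sha256).digest()
    return b64url_encode(sig) + "." + body


def parse_signed_request(signed_request: str, secret: bytes) -> dict:
    """RP-side verification: check the HMAC before trusting any field."""
    sig_b64, body = signed_request.split(".", 1)
    expected = hmac.new(secret, body.encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url_decode(sig_b64), expected):
        raise ValueError("signed_request signature mismatch")
    payload = json.loads(b64url_decode(body))
    if payload.get("algorithm", "").upper() != "HMAC-SHA256":
        raise ValueError("unexpected algorithm")
    return payload


def issue_with_token(user_id: str, token: str, secret: bytes) -> str:
    """Documented shape: the access token itself travels in the signed_request."""
    return make_signed_request(
        {"algorithm": "HMAC-SHA256", "issued_at": ISSUED_AT,
         "user_id": user_id, "oauth_token": token}, secret)


def issue_with_token_hash(user_id: str, token: str, secret: bytes) -> str:
    """Hash variant (field name assumed): only a digest of the token is carried,
    so a sniffed or cookie-stored signed_request does not leak the token."""
    return make_signed_request(
        {"algorithm": "HMAC-SHA256", "issued_at": ISSUED_AT,
         "user_id": user_id, "oauth_token_hash": token_digest(token)}, secret)


def token_matches(payload: dict, token: str) -> bool:
    """Bind a token obtained over TLS to a hash-only signed_request."""
    return hmac.compare_digest(payload.get("oauth_token_hash", ""), token_digest(token))


if __name__ == "__main__":
    sr = issue_with_token_hash("12345", ACCESS_TOKEN, APP_SECRET)
    payload = parse_signed_request(sr, APP_SECRET)
    print("token present in payload:", "oauth_token" in payload)
    print("token binds to carried hash:", token_matches(payload, ACCESS_TOKEN))
```

With the hash variant the RP still learns who the user is and can check that an access token it later receives over SSL is the one the IdP bound to this session, but an attacker who captures the signed_request (or the cookie it was stored in) gets a digest, not a usable credential. Verifying the HMAC before reading any field matters in both variants, since the body is attacker-controlled until the signature checks out.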