[Openid-specs-ab] Lite Draft 8
allentomdude at gmail.com
Thu Aug 18 01:19:29 UTC 2011
Hi John - can you elaborate a bit more on why it's a "real security problem"
in the Twitter case? Can you outline an example exploit?
On Tue, Aug 16, 2011 at 4:31 PM, John Bradley <ve7jtb at ve7jtb.com> wrote:
> The two tokens have potentially different scopes and lifetimes.
> There are good reasons for separating resource authorization from session
> It is true that twitter and others confuse those. That however is a real
> security problem.