[Openid-specs-ab] Lite Draft 8

Allen Tom allentomdude at gmail.com
Thu Aug 18 01:19:29 UTC 2011


Hi John - can you elaborate a bit more on why it's a "real security problem"
in the Twitter case? Can you outline an example exploit?

Thanks
Allen

On Tue, Aug 16, 2011 at 4:31 PM, John Bradley <ve7jtb at ve7jtb.com> wrote:

>
> The two tokens have potentially different scopes and lifetimes.
>
> There are good reasons for separating resource authorization from session
> authentication.
>
> It is true that Twitter and others confuse those. That, however, is a real
> security problem.
>
>