davidrecordon / oauth-2.0 Goto Github PK
View Code? Open in Web Editor NEWDRAFT
DRAFT
OpenSocial uses OAuth today to support server to server authentication via RSA public/private key pairs. I think that we could develop an authorization profile where a RSA key is used to retrieve an access token and then not have to support RSA as one of the signature mechanisms.
Currently there isn't a way to differentiate between when a client is expecting to handle UI from the authorization server versus when the user has already authorized the client and it is just requesting a new access token via JavaScript.
Also add more description around authorization server keeping track of when user has already approved the client.
From Marcel:
About the callback url in the Pure Client Profile, the current spec indicates that the server either redirects to the provided "oauth_callback" or uses the pre-registered one associated with the client application.
It seems necessary to additionally say that if an oauth_callback is provided the server MUST ensure that it has an identical host to the pre-registered callback url. This callback url is, from my vantage point, the only mechanism in the Pure Client Profile that affords even a modicum of security. Malicious attempts to get an access token using the Pure Client Profile are ultimately fruitless if you can't get the access token to be redirected back to you.
Unsophisticated server side code could be duped by a malicious callback that does something similar to SQL injection to trick the server side code into thinking a provided callback url is for the same domain when in fact it isn't, e.g. oauth_callback=http://evil.com?tricking_you=http://trusted.domain.com. Perhaps this too should be mentioned as a precaution to take.
Protected Resource is designed to not have the client identifier or secret.
Required parameter.
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.