Current OAuth 1.0 spec - how does it address the session fixation attack?
14-11-2019
Question
I've implemented an OAuth 1.0 provider following this specification, which should be the latest. The specification was amended to address the session fixation attack that was identified in 2009. The thing is, short of having to diff the two specifications, I am unsure as to what measures were added/changed in the spec in response to the issue.
Since I implemented the "right" spec, I am having a hard time explaining to stakeholders what measures I have taken to ameliorate the risks.
Anyone care to shed some light on the issue for me?
Solution
1.0a addresses a very specific attack described here:
http://hueniverse.com/2009/04/explaining-the-oauth-session-fixation-attack/
OTHER TIPS
- The oauth_callback parameter is now required in the request token generation step. The oauth_callback_accepted response parameter indicates OAuth 1.0a is being used.
- The oauth_verifier parameter is generated by the service provider during the authentication/consent phase.
- The oauth_verifier must be sent at the access token generation step.
See http://wiki.oauth.net/w/page/12238555/Signed%20Callback%20URLs for more details.
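The three changes listed above are easiest to explain to stakeholders by showing the attack failing. The following is an added example, not code from the question or either answer: a toy service provider and a session-aware consumer, with request signing left out so that only the 1.0a control flow is visible. Consumer keys, URLs, session ids and user names are made up. Note that RFC 5849 names the echoed response parameter oauth_callback_confirmed, which is what the code returns.

```python
"""OAuth 1.0a flow vs. the 2009 session fixation attack (added example).
Signatures are omitted; assume every provider request below is validly signed."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import parse_qs, urlparse


class OAuthError(Exception):
    pass


@dataclass
class RequestToken:
    consumer_key: str
    callback: str                    # bound at issuance; 1.0a never lets it change later
    authorized_by: Optional[str] = None
    verifier: Optional[str] = None


class Provider:
    """Minimal OAuth 1.0a service provider keeping tokens in memory."""

    def __init__(self, consumer_keys):
        self.consumer_keys = set(consumer_keys)
        self.request_tokens: Dict[str, RequestToken] = {}
        self.access_tokens: Dict[str, str] = {}   # access token -> resource owner

    def request_token(self, consumer_key: str, oauth_callback: Optional[str]) -> dict:
        if consumer_key not in self.consumer_keys:
            raise OAuthError("unknown consumer")
        # 1.0a change 1: oauth_callback is mandatory ("oob" if there is none) and is
        # stored with the token, so the signed request pins the redirect target.
        if not oauth_callback:
            raise OAuthError("oauth_callback is required")
        token = secrets.token_urlsafe(12)
        self.request_tokens[token] = RequestToken(consumer_key, oauth_callback)
        return {"oauth_token": token, "oauth_callback_confirmed": "true"}  # RFC 5849 name

    def authorize(self, token: str, resource_owner: str) -> str:
        """Consent step. No callback parameter is accepted here any more."""
        rt = self.request_tokens.get(token)
        if rt is None or rt.authorized_by is not None:
            raise OAuthError("unknown or already authorized token")
        rt.authorized_by = resource_owner
        # 1.0a change 2: an unguessable verifier is minted at consent time and
        # travels only through the resource owner's browser to the bound callback.
        rt.verifier = secrets.token_urlsafe(8)
        if rt.callback == "oob":
            return rt.verifier                   # displayed for the user to copy
        sep = "&" if "?" in rt.callback else "?"
        return f"{rt.callback}{sep}oauth_token={token}&oauth_verifier={rt.verifier}"

    def access_token(self, consumer_key: str, token: str, oauth_verifier: Optional[str]) -> dict:
        rt = self.request_tokens.get(token)
        if rt is None or rt.consumer_key != consumer_key or rt.authorized_by is None:
            raise OAuthError("token not authorized")
        # 1.0a change 3: the exchange only succeeds with the exact verifier.
        if not oauth_verifier or not hmac.compare_digest(rt.verifier, oauth_verifier):
            raise OAuthError("bad oauth_verifier")
        del self.request_tokens[token]           # request tokens are single use
        at = secrets.token_urlsafe(12)
        self.access_tokens[at] = rt.authorized_by
        return {"oauth_token": at}


class Consumer:
    """Consumer that keeps OAuth state per browser session, as a web app would."""

    def __init__(self, provider: Provider, key: str, callback_url: str):
        self.provider, self.key, self.callback_url = provider, key, callback_url
        self.sessions: Dict[str, dict] = {}

    def start(self, session_id: str) -> str:
        resp = self.provider.request_token(self.key, self.callback_url)
        self.sessions[session_id] = {"token": resp["oauth_token"], "verifier": None}
        return resp["oauth_token"]

    def callback(self, session_id: str, redirect_url: str) -> None:
        """The provider's redirect arrives in whichever browser session followed it."""
        q = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
        state = self.sessions.get(session_id)
        if state is None or state["token"] != q.get("oauth_token"):
            raise OAuthError("callback token does not match this session")
        state["verifier"] = q.get("oauth_verifier")

    def finish(self, session_id: str) -> str:
        state = self.sessions[session_id]
        return self.provider.access_token(self.key, state["token"], state["verifier"])["oauth_token"]


def legitimate_flow() -> str:
    p = Provider(["printer"])
    c = Consumer(p, "printer", "https://printer.example/oauth/cb")
    token = c.start("alice-browser")
    redirect = p.authorize(token, "alice")       # Alice consents at the provider
    c.callback("alice-browser", redirect)        # her browser follows the redirect
    return p.access_tokens[c.finish("alice-browser")]


def session_fixation_attempt() -> tuple:
    """Mallory starts the flow in her own consumer session, lures Alice into
    authorizing that request token, then tries to complete it herself."""
    p = Provider(["printer"])
    c = Consumer(p, "printer", "https://printer.example/oauth/cb")
    token = c.start("mallory-browser")
    redirect = p.authorize(token, "alice")       # Alice is tricked into consenting
    errors = []
    for step in (lambda: c.callback("alice-browser", redirect),   # verifier lands here
                 lambda: c.finish("mallory-browser")):            # no verifier here
        try:
            step()
        except OAuthError as e:
            errors.append(str(e))
    return tuple(errors)
```

In the attack run, the verifier reaches the consumer only in Alice's browser session, which holds no matching request token, while Mallory's session holds the token but never sees the verifier, so the provider refuses the access-token exchange. In a 1.0 provider without the verifier check, Mallory's finish() would have succeeded.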