On 3/7/2014 12:18 PM, Bill Burke wrote:
On 3/7/2014 10:51 AM, Stian Thorgersen wrote:
>
> I don't understand how a hacker would use those redirect uris to obtain a code.
> localhost should always point to the local machine, so the code will never leave the
> machine. Same with urn:ietf:wg:oauth:2.0:oob in that case the only difference is that the
> code is displayed in the title of the page instead of the code query param. If a hacker is
> able to intercept the URL of a page in the browser he will be able to obtain the code no
> matter what the redirect-uri is.
>
Easy, the hacker doesn't use a browser just a simple script. The
client_id of a public client could be known and it just does GET
/auth-server/realms/foo/tokens/auth-request?client_id=...&...
The server sends a Location response with a localhost uri which contains
the query params which contains the code.
Ugh, I'm stupid, that could happen regardless.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
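The exchange Bill describes, as an added example that is not part of the thread and not Keycloak's code: a hypothetical in-memory authorization server hands out a code either in a `Location` header (localhost redirect) or in the page title (`urn:ietf:wg:oauth:2.0:oob`), and a "simple script" reads the code out of the response without ever rendering a page. The server, client registration (`public-cli`, `http://localhost:8080/cb`), endpoint names and all inputs are constructed for the example; user authentication is assumed to have already happened, i.e. the script is taken to carry a logged-in session. The example goes beyond the thread in one respect: it also shows the standard answer for codes that a third party reads off the wire, PKCE (RFC 7636, S256), which binds the code to a verifier the requesting client never sends over the authorization response.

```python
import base64
import hashlib
import re
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical in-memory authorization server for illustration only
# (not Keycloak's code). Authentication is assumed to have happened:
# every auth_request behaves as if the caller holds a logged-in session.
OOB = "urn:ietf:wg:oauth:2.0:oob"


def _s256(verifier):
    """PKCE S256 challenge: base64url(sha256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthServer:
    def __init__(self):
        # Constructed registration: one public client with a localhost
        # redirect and the oob pseudo-URI, the two cases from the thread.
        self.clients = {"public-cli": ["http://localhost:8080/cb", OOB]}
        self.codes = {}  # code -> (client_id, redirect_uri, code_challenge)

    def auth_request(self, client_id, redirect_uri, state, code_challenge=None):
        """Models GET /auth-request; returns (status, headers, body)."""
        if redirect_uri not in self.clients.get(client_id, []):
            return 400, {}, "invalid_request"
        code = secrets.token_urlsafe(24)
        self.codes[code] = (client_id, redirect_uri, code_challenge)
        if redirect_uri == OOB:
            # oob: no redirect, the code is rendered in the page title
            return 200, {"Content-Type": "text/html"}, f"<title>Success code={code}</title>"
        location = redirect_uri + "?" + urlencode({"code": code, "state": state})
        return 302, {"Location": location}, ""

    def token(self, client_id, code, redirect_uri, code_verifier=None):
        """Models the token endpoint; returns a token dict or None."""
        entry = self.codes.pop(code, None)  # codes are single-use
        if entry is None:
            return None
        issued_client, issued_redirect, challenge = entry
        # RFC 6749 4.1.3: the code is bound to the client_id and redirect_uri
        # it was issued for; a mismatch is rejected.
        if (issued_client, issued_redirect) != (client_id, redirect_uri):
            return None
        if challenge is not None:
            # PKCE: only the party that holds the verifier can redeem the code.
            if code_verifier is None or _s256(code_verifier) != challenge:
                return None
        return {"access_token": secrets.token_urlsafe(16), "token_type": "bearer"}


def code_from_response(status, headers, body):
    """The 'simple script' from the thread: do not follow the redirect, just
    read the code out of the Location header (or out of the oob page title)."""
    if status == 302:
        return parse_qs(urlsplit(headers["Location"]).query)["code"][0]
    m = re.search(r"code=([A-Za-z0-9_-]+)", body)
    return m.group(1) if m else None


def script_redeems_code(redirect_uri):
    """Without PKCE the scripted caller obtains the code and exchanges it for a
    token, whichever of the two registered redirect URIs is used."""
    srv = AuthServer()
    code = code_from_response(*srv.auth_request("public-cli", redirect_uri, "xyz"))
    return srv.token("public-cli", code, redirect_uri) is not None


def _pkce_flow(redirect_uri, present_verifier):
    srv = AuthServer()
    verifier = secrets.token_urlsafe(32)
    resp = srv.auth_request("public-cli", redirect_uri, "xyz", code_challenge=_s256(verifier))
    code = code_from_response(*resp)
    return srv.token("public-cli", code, redirect_uri,
                     verifier if present_verifier else None) is not None


def intercepted_code_with_pkce(redirect_uri):
    """Returns (thief_succeeds, owner_succeeds): a code read from the response by
    someone without the verifier is useless; the client that started the flow succeeds."""
    return _pkce_flow(redirect_uri, False), _pkce_flow(redirect_uri, True)
```

Running `script_redeems_code(...)` for both redirect URIs shows the point of the thread: the code leaves the server in the response itself, so the redirect target does nothing to protect it from a caller that never follows the redirect. `intercepted_code_with_pkce(...)` shows what does protect it when the reader of the response is not the client that started the flow; it does not help against a script that itself holds the user's authenticated session, since that script can simply generate its own verifier.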