The OAuth logo, designed by American blogger Chris Messina.

OAuth (short for "Open Authorization") is an open standard for access delegation, commonly used as a way for internet users to grant websites or applications access to their information on other websites, but without giving them the passwords. This mechanism is used by companies such as Amazon, Google, Facebook, Microsoft, and Twitter to permit users to share information about their accounts with third-party applications or websites.

Generally, the OAuth protocol provides a way for resource owners to grant a client secure delegated access to server resources. It specifies a process for resource owners to authorize third-party access to their server resources without handing over credentials. Designed specifically to work with Hypertext Transfer Protocol (HTTP), OAuth essentially allows access tokens to be issued to third-party clients by an authorization server, with the approval of the resource owner. The third party then uses the access token to access the protected resources hosted by the resource server.

A hypothetical authorization flow where login information is shared with a third-party application. This poses many security risks which can be prevented by the use of OAuth authorization flows.

The resource owner's credentials are used only on the authorization server, never on the client.

History

OAuth began in November 2006 when Blaine Cook was developing the Twitter OpenID implementation. Meanwhile, Ma.gnolia needed a solution to allow its members with OpenIDs to authorize Dashboard Widgets to access their service. Cook, Chris Messina and Larry Halff from Magnolia met with David Recordon to discuss using OpenID with the Twitter and Magnolia APIs to delegate authentication. They concluded that there were no open standards for API access delegation.

The OAuth discussion group was created in April 2007 for a small group of implementers to write the draft proposal for an open protocol. DeWitt Clinton from Google learned of the OAuth project and expressed his interest in supporting the effort. In July 2007, the team drafted an initial specification. Eran Hammer joined and coordinated the many OAuth contributions, creating a more formal specification. On 4 December 2007, the OAuth Core 1.0 final draft was released.

At the 73rd Internet Engineering Task Force (IETF) meeting in Minneapolis in November 2008, an OAuth BoF was held to discuss bringing the protocol into the IETF for further standardization work. The event was well attended and there was wide support for formally chartering an OAuth working group within the IETF.

The OAuth 1.0 protocol was published as RFC 5849, an informational Request for Comments, in April 2010. Since 31 August 2010, all third-party Twitter applications have been required to use OAuth.

The OAuth 2.0 framework was published considering additional use cases and extensibility requirements gathered from the wider IETF community. Although built on the OAuth 1.0 deployment experience, OAuth 2.0 is not backwards compatible with OAuth 1.0. OAuth 2.0 was published as RFC 6749 and Bearer Token Usage as RFC 6750, both standards-track Requests for Comments, in October 2012.

The OAuth 2.1 Authorization Framework is in draft stage and consolidates the functionality of the OAuth 2.0 core specification, OAuth 2.0 for Native Apps, Proof Key for Code Exchange (PKCE), OAuth 2.0 for Browser-Based Apps, OAuth 2.0 Security Best Current Practice and Bearer Token Usage.

Security issues

On 23 April 2009, a session fixation security flaw in the 1.0 protocol was announced. It affects the OAuth authorization flow (also known as "3-legged OAuth") in OAuth Core 1.0 Section 6: an attacker who starts the flow and obtains a request token can trick the victim into authorizing that token and then complete the exchange for an access token to the victim's account. Version 1.0a of the OAuth Core protocol was issued to address this issue.

In January 2013, the Internet Engineering Task Force published a threat model for OAuth 2.0 (RFC 6819). Among the threats outlined is one called "Open Redirector"; in early 2014, a variant of this was described under the name "Covert Redirect" by Wang Jing. The practical defence on the authorization server is to accept only a redirect_uri that exactly matches one registered for the client, and to show an error rather than redirect when it does not.
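The OAuth 1.0 session fixation flaw and its 1.0a fix, as an added example that is not code from the original page or from any real OAuth provider or library: a minimal in-process model of the 3-legged flow in which the attacker holds the request token but never sees the redirect that the provider sends to the approving user's browser. The Provider class, the callback URL on consumer.example and the user names are constructed for this example; the 1.0a mechanism it models is the oauth_verifier that the provider returns to the consumer's callback through the user's browser and then requires again at the access-token step.

```python
"""Simulation of the OAuth 1.0 "session fixation" attack on the 3-legged flow
(OAuth Core 1.0 section 6) and of the oauth_verifier check that revision 1.0a
added to close it.  Constructed example: the Provider class, the consumer
callback URL and the user names are hypothetical, not a real provider's or
library's API."""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import parse_qs, urlsplit

CALLBACK = "https://consumer.example/oauth/callback"   # hypothetical consumer


@dataclass
class RequestToken:
    callback: str
    owner_user: Optional[str] = None   # resource owner who authorised it, if any
    verifier: Optional[str] = None     # 1.0a only: minted when the user authorises


class Provider:
    """Service-provider side of the 3-legged flow, switchable between 1.0 and 1.0a."""

    def __init__(self, revision: str):
        if revision not in ("1.0", "1.0a"):
            raise ValueError(revision)
        self.revision = revision
        self.request_tokens: Dict[str, RequestToken] = {}
        self.access_tokens: Dict[str, str] = {}   # access token -> user

    def issue_request_token(self, callback: str) -> str:
        """Section 6.1: the consumer obtains an unauthorised request token."""
        token = secrets.token_urlsafe(16)
        self.request_tokens[token] = RequestToken(callback=callback)
        return token

    def authorize(self, token: str, user: str) -> str:
        """Section 6.2: the resource owner approves the token in their browser.
        Returns the URL the provider redirects that browser to."""
        rt = self.request_tokens[token]
        rt.owner_user = user
        if self.revision == "1.0":
            return f"{rt.callback}?oauth_token={token}"
        # 1.0a: a fresh verifier reaches the consumer only through the approving
        # user's browser, so a party holding just the token does not have it.
        rt.verifier = secrets.token_urlsafe(8)
        return f"{rt.callback}?oauth_token={token}&oauth_verifier={rt.verifier}"

    def exchange(self, token: str, verifier: Optional[str] = None) -> Optional[str]:
        """Section 6.3: the consumer trades an authorised request token for an access token."""
        rt = self.request_tokens.get(token)
        if rt is None or rt.owner_user is None:
            return None
        if self.revision == "1.0a" and verifier != rt.verifier:
            return None
        del self.request_tokens[token]          # request tokens are single-use
        access = secrets.token_urlsafe(16)
        self.access_tokens[access] = rt.owner_user
        return access


def session_fixation_attack(revision: str) -> bool:
    """True if the attacker ends up with an access token for the victim's account."""
    provider = Provider(revision)
    # 1. The attacker starts the flow at an honest consumer and learns request token T.
    t = provider.issue_request_token(CALLBACK)
    # 2. The attacker lures the victim to the provider's authorisation page for T.
    #    The redirect (and any verifier in it) goes to the victim's browser only.
    provider.authorize(t, user="victim")
    # 3. In their own consumer session the attacker triggers the exchange for T.
    #    They know T but never saw the victim's redirect, so they hold no verifier.
    access = provider.exchange(t, verifier=None)
    return access is not None and provider.access_tokens[access] == "victim"


def honest_completion(revision: str) -> bool:
    """The legitimate flow: the consumer's callback handler parses the redirect
    it received and completes the exchange with whatever verifier it carried."""
    provider = Provider(revision)
    t = provider.issue_request_token(CALLBACK)
    redirect = provider.authorize(t, user="alice")
    q = parse_qs(urlsplit(redirect).query)
    verifier = q.get("oauth_verifier", [None])[0]
    access = provider.exchange(q["oauth_token"][0], verifier)
    return access is not None and provider.access_tokens[access] == "alice"


if __name__ == "__main__":
    for rev in ("1.0", "1.0a"):
        print(rev, "attacker wins:", session_fixation_attack(rev),
              "honest flow works:", honest_completion(rev))
```

The consumer side matters too: a 1.0a consumer should only accept a callback (and its verifier) in the same browser session that created the request token, otherwise a verifier stored server-side against the token would hand the attacker's session the same win.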
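The OAuth 2.0 flow described in the introduction and the "Open Redirector" / "Covert Redirect" threat noted above, as an added example that is not code from the original page or from any real authorization server: an in-process model of the authorization endpoint, token endpoint and a client that happens to host an unchecked redirect. The hosts client.example and attacker.example, the client_id "photo-printer" and the client's `next=` redirector are constructed for this example; the checks it models are RFC 6749's rule that an authorization server must not redirect to a redirect_uri that fails validation and the exact string matching of redirect URIs that the OAuth 2.0 Security Best Current Practice requires.

```python
"""OAuth 2.0 authorization flow (RFC 6749 sections 4.1 and 4.2) modelled
in-process, with the redirect_uri validation that blocks the open-redirector /
covert-redirect abuse.  Constructed example: client.example, attacker.example,
the client_id and the client's `next=` redirector are hypothetical."""
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

REGISTERED = {"photo-printer": "https://client.example/cb"}   # one exact URI per client


class AuthorizationServer:
    def __init__(self, strict_redirect: bool):
        self.strict_redirect = strict_redirect
        self.codes: dict = {}     # code -> (client_id, redirect_uri, user)
        self.tokens: dict = {}    # access token -> user

    def _redirect_uri_ok(self, client_id: str, redirect_uri: str) -> bool:
        registered = REGISTERED[client_id]
        if self.strict_redirect:
            return redirect_uri == registered                    # exact string match
        # Weak variant: anything on the registered origin passes, so an open
        # redirector anywhere on client.example becomes a valid target.
        return urlsplit(redirect_uri)[:2] == urlsplit(registered)[:2]

    def authorize(self, params: dict, user: str) -> str:
        """Authorization endpoint; returns the Location the user's browser is sent
        to, or an error string when no redirect may be issued at all."""
        client_id, redirect_uri = params["client_id"], params["redirect_uri"]
        if client_id not in REGISTERED or not self._redirect_uri_ok(client_id, redirect_uri):
            return "error: invalid redirect_uri (error page shown, no redirect)"
        s = urlsplit(redirect_uri)
        if params.get("response_type") == "token":               # implicit grant
            token = secrets.token_urlsafe(16)
            self.tokens[token] = user
            frag = urlencode({"access_token": token, "token_type": "bearer",
                              "state": params["state"]})
            return urlunsplit((s.scheme, s.netloc, s.path, s.query, frag))
        code = secrets.token_urlsafe(16)                          # authorization code grant
        self.codes[code] = (client_id, redirect_uri, user)
        query = s.query + ("&" if s.query else "") + urlencode(
            {"code": code, "state": params["state"]})
        return urlunsplit((s.scheme, s.netloc, s.path, query, ""))

    def token(self, client_id: str, code: str, redirect_uri: str) -> Optional[str]:
        """Token endpoint: the code is single-use and bound to client and redirect_uri."""
        entry = self.codes.pop(code, None)
        if entry is None or entry[0] != client_id or entry[1] != redirect_uri:
            return None
        token = secrets.token_urlsafe(16)
        self.tokens[token] = entry[2]
        return token


def client_open_redirector(url: str) -> Optional[str]:
    """A legacy /redirect endpoint on client.example that 302s to `next=` unchecked.
    Returns the Location it would send, or None when the URL is some other page."""
    s = urlsplit(url)
    if s.netloc != "client.example" or s.path != "/redirect":
        return None
    nxt = parse_qs(s.query).get("next")
    return nxt[0] if nxt else None


def browser_follow(url: str) -> str:
    """Follow redirects the way a browser does: if the Location has no fragment,
    the current fragment is kept, which is what carries an implicit-grant token along."""
    for _ in range(5):
        location = client_open_redirector(url)
        if location is None:
            return url
        if not urlsplit(location).fragment:
            location = urlunsplit(urlsplit(location)[:4] + (urlsplit(url).fragment,))
        url = location
    return url


def implicit_token_lands_on(strict_redirect: bool, redirect_uri: str) -> Optional[str]:
    """Run an implicit-grant authorization for the victim and report which host ends
    up with the access token in its URL fragment, or None if no redirect was issued."""
    server = AuthorizationServer(strict_redirect)
    final = browser_follow(server.authorize(
        {"response_type": "token", "client_id": "photo-printer",
         "redirect_uri": redirect_uri, "state": secrets.token_urlsafe(8)}, user="victim"))
    if final.startswith("error"):
        return None
    token = parse_qs(urlsplit(final).fragment).get("access_token", [None])[0]
    return urlsplit(final).netloc if token in server.tokens else None


def code_grant(strict_redirect: bool = True) -> Optional[str]:
    """Honest authorization-code flow: the client checks state (its CSRF defence,
    RFC 6749 section 10.12) and exchanges the code using the same redirect_uri."""
    server = AuthorizationServer(strict_redirect)
    state = secrets.token_urlsafe(8)                    # kept in the client's browser session
    redirect = server.authorize({"response_type": "code", "client_id": "photo-printer",
                                 "redirect_uri": REGISTERED["photo-printer"],
                                 "state": state}, user="alice")
    q = parse_qs(urlsplit(redirect).query)
    if q.get("state", [None])[0] != state:
        return None
    return server.token("photo-printer", q["code"][0], REGISTERED["photo-printer"])


ATTACK_URI = "https://client.example/redirect?next=https://attacker.example/steal"
```

With origin-only matching the token issued for the victim is delivered to attacker.example via the client's own redirector, because the browser keeps the URL fragment across the 302; with exact matching the server refuses to redirect at all. Exact matching does not protect a client that registers its open redirector as the redirect URI, which is why the client-side fix (no unchecked redirect targets) is still needed.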