15 comments

[ 6.2 ms ] story [ 38.6 ms ] thread
It's using free plan on heroku, so if it will be down repo is available at https://github.com/homakov/oauthsecurity
@homakov I'd be happy to host this content on the oauth.net website if you'd like.
I think just an external link will be great, because I don't want to remove the sakurity logo :)
Why didn't you use github page or S3. It's static page isn't it?
Yes but i serve it with sinatra
Thanks for this list. I will be reviewing our site at whalepath.com to make sure we are not vulnerable.

btw, linkedin has implemented a number of the counter measures listed in:

* static redirects

* checking that the redirect listed is the same for all calls.

* fast expiration of code.

The place I work for deals with about 20 different site's oauth processes and it's amazing how widely varied they are. Some of them let you restrict the redirect_uri while others don't, some of them still need you to send a login/password pair for the first request rather than do an oauth flow, but then still use oauth-style tokens all over the place. A couple of them require that the token be passed as a query string parameter instead of as a header for all requests. Being responsibly secure with all of them is quite difficult. It doesn't help that it's very difficult to have a development environment work properly with them, so doing active work against them is often painful.

OAuth is basically a complete mess, implementation-wise, and that's really sad since it's such a promising and useful premise.

That's really unfortunate. I read through the RFC, and IIRC it is pretty consistent on those details. Can't stop people from badly implementing a spec :(
i've heard great stuff about oauth.io . they try to provide an abstractionlayer that handles the various different implementations (often buggy or not to spec) of oauth.
that might be true, but I don't like idea of having a MiTM. That's an additional point of potential security issues
You missed the obvious: using OAuth2 without TLS =)

And paranoid part of my brain suggests that using OAuth1.0a is still preferred even if over TLS

This is another kind of threat but yes, MITM is game over for oauth2