I'm building a small site which I would like to integrate with LinkedIn for authentication
ID: 660152
Question
I'm building a small site which I would like to integrate with LinkedIn for authentication. LinkedIn says that redirect_uri values can be either http:// or https:// (not having to pay for a certificate is really awesome right now).
Upon reviewing the OAuth2 spec, I can't wrap my head around the possibility of exchanging a token via plaintext as not being prone to vulnerabilities. I know this is a basic question, as I'm pretty new to the crypto world. And of course I know that such an obvious vulnerability (if existent) has already been addressed.
The question is: how? How does the spec deal with the token being sent to the user agent in plaintext and redirected to the client in a potentially non-secure way?
Explanation / Answer
The answer is pretty straightforward: it doesn't. If the token is sent over cleartext then you're hosed. The spec doesn't provide mitigations for security issues that arise from not following the spec's recommendations.
Alternatively, there is some relief in using the code flow because you're passing a nonce of sorts (the 'code') over cleartext instead. You have to exchange the code for a proper token through a backchannel service, which should be over SSL. This way the token itself is requested over a secure channel.
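The point the answer makes, as an added example that is not part of the original post and is not LinkedIn's code: a toy authorization server in Python that runs the code flow next to the implicit flow. The client id `mysite`, the plain-http callback `http://mysite.example/callback`, the 60 second code lifetime and the user `alice` are all assumptions made up for the example. It shows what an eavesdropper on the cleartext redirect actually holds (a code, not a token), and why that code is worth little: redeeming it requires the client secret over the back channel, it is bound to the registered client and redirect_uri, it expires, and it works exactly once (RFC 6749 section 4.1.2). The implicit flow is included for contrast because there the access token itself sits in the redirect URL.

```python
"""Toy model of the OAuth2 authorization-code flow versus the implicit flow.
Added example; not LinkedIn's code and not from the original post. Names,
URLs and lifetimes are constructed for illustration."""
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

CODE_LIFETIME_S = 60  # assumption for the demo; RFC 6749 only says codes MUST be short-lived


class AuthorizationServer:
    """Minimal authorization server: registered clients, one-time codes, bearer tokens."""

    def __init__(self):
        self.clients = {}  # client_id -> (client_secret, registered redirect_uri)
        self.codes = {}    # code -> record binding it to client, redirect_uri, user, time
        self.tokens = {}   # access_token -> user it was issued for

    def register_client(self, client_id, client_secret, redirect_uri):
        self.clients[client_id] = (client_secret, redirect_uri)

    def _check_redirect(self, client_id, redirect_uri):
        if self.clients[client_id][1] != redirect_uri:
            raise ValueError("redirect_uri does not match the registered value")

    def authorize_code(self, client_id, redirect_uri, user, now=None):
        """Front channel (possibly plain http): the redirect carries only a code."""
        self._check_redirect(client_id, redirect_uri)
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "user": user, "used": False,
                            "issued_at": now if now is not None else time.time()}
        return f"{redirect_uri}?{urlencode({'code': code})}"

    def authorize_implicit(self, client_id, redirect_uri, user):
        """Implicit flow for contrast: the access token itself rides in the redirect."""
        self._check_redirect(client_id, redirect_uri)
        token = secrets.token_urlsafe(32)
        self.tokens[token] = user
        return f"{redirect_uri}#{urlencode({'access_token': token, 'token_type': 'bearer'})}"

    def token(self, code, client_id, client_secret, redirect_uri, now=None):
        """Back channel (client to server over TLS in a real deployment).
        Succeeds only for the authenticated client the code was issued to, with the
        same redirect_uri, before expiry, and only once."""
        now = now if now is not None else time.time()
        registered = self.clients.get(client_id)
        if registered is None or not hmac.compare_digest(registered[0], client_secret):
            raise PermissionError("invalid_client")
        rec = self.codes.get(code)
        if rec is None or rec["client_id"] != client_id or rec["redirect_uri"] != redirect_uri:
            raise PermissionError("invalid_grant")
        if rec["used"] or now - rec["issued_at"] > CODE_LIFETIME_S:
            rec["used"] = True  # a replayed code stays dead (RFC 6749 s4.1.2)
            raise PermissionError("invalid_grant")
        rec["used"] = True
        token = secrets.token_urlsafe(32)
        self.tokens[token] = rec["user"]
        return token


def exposed_params(url):
    """Everything the redirect URL carries in query and fragment: what the user agent,
    its history, and (for the query) any cleartext hop on the way get to see."""
    u = urlparse(url)
    return {**parse_qs(u.query), **parse_qs(u.fragment)}


def demo(now=1_700_000_000.0):
    """Run the honest client and an eavesdropper through both flows; return the outcomes."""
    srv = AuthorizationServer()
    client_id, client_secret = "mysite", secrets.token_urlsafe(32)
    redirect_uri = "http://mysite.example/callback"  # plain http, as in the question
    srv.register_client(client_id, client_secret, redirect_uri)

    redirect = srv.authorize_code(client_id, redirect_uri, "alice", now=now)
    code = exposed_params(redirect)["code"][0]  # the eavesdropper captures this too
    out = {"token_in_code_redirect": "access_token" in exposed_params(redirect)}

    def attempt(secret, at=now):
        try:
            srv.token(code, client_id, secret, redirect_uri, now=at)
            return "ok"
        except PermissionError as e:
            return str(e)

    out["eavesdropper_no_secret"] = attempt("guessed-secret")  # has the code, not the secret
    out["legit_exchange"] = attempt(client_secret)              # honest client, first use
    out["replay"] = attempt(client_secret)                      # same code again: single use
    code = exposed_params(srv.authorize_code(client_id, redirect_uri, "alice", now=now))["code"][0]
    out["expired"] = attempt(client_secret, at=now + CODE_LIFETIME_S + 1)
    implicit = srv.authorize_implicit(client_id, redirect_uri, "alice")
    out["token_in_implicit_redirect"] = "access_token" in exposed_params(implicit)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Two caveats worth keeping in mind with a plain-http redirect_uri. The protection above rests on the client secret, so it only applies to a confidential client (a server-side site, as in the question), and an attacker who intercepts the redirect and redeems the code before the legitimate client does still wins; PKCE (RFC 7636) binds the code to the client that started the request and closes that gap, and a `state` parameter is still needed against login CSRF. None of that makes the token itself travel in cleartext, which is the answer's point.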