Comment 3 for bug 316733

Leonard Richardson (leonardr) wrote : Re: please expose list of tokens through the API

Here's where I'm coming from. This sounds like a privilege escalation attack waiting to happen. If you can get a list of tokens, you know what other applications the person is using. This is privileged information by itself, but it could also be used as a first step towards getting other OAuth tokens.

The uninstall use case makes sense. It might make more sense to make the user go through the web browser to revoke a token. But I don't really see a security problem with letting an application revoke its own token.

I'm also okay with giving access to metadata about the OAuth token used to make the request, and other tokens for the same consumer.

Checking for an existing active token is useful but also opens up privacy questions. Since you don't have a token yet, you'd make the request without signing it. This would allow you to impersonate various clients to find out if the user has a token for that client, simulating the effect of a full list of tokens.

How satisfied would you be if we published a collection of OAuth tokens that contained tokens for the current application only, and allowed you to delete the token currently in use?
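The restricted design proposed in the last paragraph, modelled as an added example (not code from the bug thread or from Launchpad): a signed request sees only its own consumer's tokens, may revoke only the token it is using, and an unsigned probe learns nothing. The token store, consumer ids and the `Forbidden` class are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Token:
    key: str
    consumer: str  # the application the token was issued to
    user: str      # the person who authorised it


# Constructed sample store: two applications hold tokens for the same user.
TOKENS = {
    "tok-A1": Token("tok-A1", "app-A", "alice"),
    "tok-A2": Token("tok-A2", "app-A", "alice"),
    "tok-B1": Token("tok-B1", "app-B", "alice"),
}


class Forbidden(Exception):
    """Raised when a request is unsigned or reaches beyond its own token."""


def _caller(signing_token_key):
    """Resolve the token that signed the request; unsigned requests get nothing,
    so an attacker cannot probe whether a user has a token for some consumer."""
    if signing_token_key is None or signing_token_key not in TOKENS:
        raise Forbidden("request must be signed with a valid token")
    return TOKENS[signing_token_key]


def list_tokens(signing_token_key):
    """Expose only tokens for the calling consumer and user, never the full list
    (the full list would reveal which other applications the user has authorised)."""
    me = _caller(signing_token_key)
    return sorted(t.key for t in TOKENS.values()
                  if t.consumer == me.consumer and t.user == me.user)


def revoke_token(signing_token_key, target_key):
    """An application may revoke only the token it is currently using."""
    me = _caller(signing_token_key)
    if target_key != me.key:
        raise Forbidden("may only revoke the token used for this request")
    del TOKENS[target_key]
    return True


def allowed(fn, *args):
    """True if the call succeeds, False if the policy rejected it."""
    try:
        fn(*args)
        return True
    except Forbidden:
        return False
```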