oltu-user mailing list archives

From "Tiburtius, Ashwanth [IWD]" <Ashwanth.Tiburt...@iwd.iowa.gov>
Subject Verifying the authorization server
Date Thu, 22 Jan 2015 16:13:43 GMT

I am using Apache Oltu in our project to authenticate Google, Yahoo and Microsoft users. I
have a fundamental question - when a user has authenticated themselves and the authorization
server redirects them back to the application using the redirect URI along with a code, from
a security perspective, how can we verify that the code came from the respective service,
e.g. Google? Does the authorization server send back a certificate or signatures that can
be used to verify itself? If so, does Oltu take care of this or is it up to the application
to do the verification? Can you provide any help as to how the application should verify the
server in case Oltu doesn't do it currently?

Just FYI, in our application, we are only concerned about a successful authentication, which
is the first step in the OAuth process. We do not access any information about the user, so we
are not getting into the next steps to get an access token etc. at this point. I am not sure
if that is an issue.

I would really appreciate your comments/replies. Thank you for your time.

Iowa Workforce Development - IT | 1000 E Grand Ave, Des Moines, IA  50319
(515) 281-3378 | Ashwanth.Tiburtius@iwd.iowa.gov
