From: Jasha Joachimsthal
Date: Thu, 22 Jan 2015 18:34:56 +0100
Subject: Re: Verifying the authorization server
To: user@oltu.apache.org
Cc: dev@oltu.apache.org

That's what the state parameter is for. You generate this value and keep it in a session. When the user returns to the redirectUri, the OAuth provider must have returned the state parameter's value. Compare this with the value in the session.
If they don't match, your code should not continue with the authorization. See also [1].

Regards,
Jasha

[1] http://www.thread-safe.com/2014/05/the-correct-use-of-state-parameter-in.html

On 22 January 2015 at 17:13, Tiburtius, Ashwanth [IWD] wrote:
> Hi,
>
> I am using Apache Oltu in our project to authenticate Google, Yahoo and
> Microsoft users. I have a fundamental question – when a user has
> authenticated themselves and the authorization server redirects them back to
> the application using the redirect uri along with a code, from a security
> perspective, how can we verify that the code came from the respective
> service - for e.g: Google? Does the authorization server send back a
> certificate or signatures that can be used to verify itself? If so, does
> Oltu take care of this or is it up to the application to do the verification?
> Can you provide any help as to how the application should verify the server
> in case Oltu doesn't do it currently?
>
> Just fyi, in our application, we are only concerned about a successful
> authentication which is the first step in the OAuth process. We do not access
> any information about the user, so we are not getting into the next steps to
> get an access token etc. at this point. I am not sure if that is an issue.
>
> I would really appreciate your comments/replies. Thank you for your time.
>
> Thanks,
>
> Jude.
>
> Iowa Workforce Development – IT | 1000 E Grand Ave, Des Moines, IA 50319
>
> (515) 281-3378 | Ashwanth.Tiburtius@iwd.iowa.gov
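The state round trip Jasha describes, as an added example that is not part of this thread and not Apache Oltu code (in Oltu you would hand the value to the authorization request builder's setState() and read it back from OAuthAuthzResponse.getState(); the comparison is still the application's job). The session is a plain dict standing in for the HTTP session, the provider is simulated so the code runs offline, and the endpoint URLs, client id, session attribute name and authorization codes are all constructed values. It also covers the two failure modes a practitioner needs: a replayed callback (state is single-use) and a forged callback carrying an attacker's code. Note what state does and does not prove: it binds the callback to the browser session that started the flow, which stops an attacker from injecting their own code into a victim's session; it does not by itself show the code is genuine. That evidence only comes from exchanging the code at the provider's token endpoint over TLS, which is the step the original question skips.

```python
"""Added example: binding an OAuth 2.0 authorization-code callback to the
session that started it using the state parameter. Illustrative code only,
not Apache Oltu's; all URLs, ids and codes below are constructed."""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

SESSION_KEY = "oauth_state"  # session attribute name; an assumption


class StateMismatch(Exception):
    """Callback state is missing, already used, or does not match the session."""


def new_state() -> str:
    # 256 bits from the OS CSPRNG: unguessable, so a forger cannot supply it.
    return secrets.token_urlsafe(32)


def build_authorization_url(session: dict, authorize_endpoint: str,
                            client_id: str, redirect_uri: str) -> str:
    """Generate a fresh state, store it in the session, and send it along."""
    state = new_state()
    session[SESSION_KEY] = state
    query = {"response_type": "code", "client_id": client_id,
             "redirect_uri": redirect_uri, "state": state}
    return f"{authorize_endpoint}?{urlencode(query)}"


def handle_callback(session: dict, callback_url: str) -> str:
    """Validate the redirect back to redirect_uri and return the code.

    The stored state is removed *before* comparing, so each state accepts
    exactly one callback; a replay finds nothing in the session and fails.
    """
    params = parse_qs(urlsplit(callback_url).query)
    expected = session.pop(SESSION_KEY, None)
    received = params.get("state", [None])[0]
    if expected is None or received is None:
        raise StateMismatch("no state in session or in callback")
    # Constant-time comparison: don't leak how many leading bytes matched.
    if not hmac.compare_digest(expected.encode(), received.encode()):
        raise StateMismatch("callback state does not match session state")
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("callback must carry exactly one code")
    return codes[0]


def simulated_provider_redirect(authorization_url: str, code: str) -> str:
    """Stand-in for the provider: echoes the state back on the redirect_uri,
    as RFC 6749 section 4.1.2 requires of an honest authorization server."""
    q = parse_qs(urlsplit(authorization_url).query)
    return (f"{q['redirect_uri'][0]}?"
            f"{urlencode({'code': code, 'state': q['state'][0]})}")


def demo() -> dict:
    """Run an honest flow, a replay and a forgery; report each outcome."""
    authorize = "https://accounts.example.com/o/oauth2/auth"   # constructed
    redirect_uri = "https://app.example.gov/oauth/callback"     # constructed
    results = {}

    # 1. Honest round trip: provider returns our state, code is accepted.
    session = {}
    auth_url = build_authorization_url(session, authorize, "client-123", redirect_uri)
    callback = simulated_provider_redirect(auth_url, "SplxlOBeZQQYbYS6WxSbIA")
    results["honest"] = handle_callback(session, callback)

    # 2. Replay of the same callback: state already consumed, rejected.
    try:
        handle_callback(session, callback)
        results["replay"] = "accepted"
    except StateMismatch:
        results["replay"] = "rejected"

    # 3. Forgery: victim started a flow, attacker sends them a callback
    #    carrying the attacker's own code and a guessed state.
    session = {}
    build_authorization_url(session, authorize, "client-123", redirect_uri)
    forged = f"{redirect_uri}?{urlencode({'code': 'attacker-code', 'state': 'guess'})}"
    try:
        handle_callback(session, forged)
        results["forged"] = "accepted"
    except StateMismatch:
        results["forged"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

Two design points matter in practice: the state must be tied to the user's session (a cookie-backed session, not a global variable), and it must be consumed on first use so that a captured callback URL cannot be replayed into the same session later.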