Bug #4692
Updated by Peter Amstutz over 9 years ago
Any web service client can go through the login process and receive an API token. This may allow an attacker to lure the user in with, say, a silly game called "dogepuzzle" and request an Arvados API server login to receive an API key, which they can use to access the user's account. Investigate.
<tetron> tomclegg: so OAuth does require a secret client token
<tetron> tomclegg: but workbench doesn't use OAuth to authenticate to API server.
<tetron> tomclegg: API server uses OAuth with the SSO server
<tetron> tomclegg: so that's probably a weak link
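The weak link described above, that a client holding no registered secret can walk a user through the login and end up with a token, is what a registered-client check at the token exchange closes: the front channel only issues a one-time code to a registered client at a registered redirect URI, and the back channel only turns that code into a token when the matching client's secret is presented. The following Python model is an added example, not Arvados's or its SSO server's code; the `AuthServer` class, the client registry, the redirect URIs, the secrets and the user name are all constructed for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class RegisteredClient:
    client_id: str
    client_secret: str
    redirect_uris: frozenset


# Constructed registry: only "workbench" is a registered client.
# "dogepuzzle" (the lure from the bug description) is deliberately absent.
CLIENTS = {
    "workbench": RegisteredClient(
        "workbench",
        "wb-secret-constructed",
        frozenset({"https://workbench.example/callback"}),
    ),
}


class AuthServer:
    """Minimal authorization-code issuer with client binding (hypothetical)."""

    def __init__(self, clients):
        self._clients = clients
        self._codes = {}  # code -> (client_id, redirect_uri, user)

    def authorize(self, client_id, redirect_uri, user):
        """Front channel: issue a code only to a registered client at a registered URI."""
        client = self._clients.get(client_id)
        if client is None or redirect_uri not in client.redirect_uris:
            return None
        code = secrets.token_urlsafe(16)
        self._codes[code] = (client_id, redirect_uri, user)
        return code

    def exchange(self, code, client_id, client_secret, redirect_uri):
        """Back channel: a code becomes a token only with the bound client's secret.

        The code is removed on the first attempt, successful or not, so a code
        that leaks to a luring client cannot be retried once it has been tried.
        """
        entry = self._codes.pop(code, None)
        if entry is None:
            return None
        bound_client, bound_redirect, user = entry
        client = self._clients.get(client_id)
        if client is None or bound_client != client_id or bound_redirect != redirect_uri:
            return None
        if not hmac.compare_digest(client.client_secret, client_secret):
            return None
        return {"user": user, "client": client_id, "token": secrets.token_urlsafe(24)}


WB_URI = "https://workbench.example/callback"
LURE_URI = "https://dogepuzzle.example/cb"  # constructed, not a real service


def run_demo():
    """Walk the legitimate flow and three lure-style attempts; returns the outcomes."""
    srv = AuthServer(CLIENTS)
    out = {}

    # Registered client, registered redirect URI, correct secret: token issued.
    code = srv.authorize("workbench", WB_URI, "alice")
    out["legit"] = srv.exchange(code, "workbench", "wb-secret-constructed", WB_URI)

    # Replaying the already-used code yields nothing.
    out["code_reuse"] = srv.exchange(code, "workbench", "wb-secret-constructed", WB_URI)

    # An unregistered client never receives a code at all.
    out["unregistered_code"] = srv.authorize("dogepuzzle", LURE_URI, "alice")

    # A code issued to workbench is useless without workbench's secret.
    code = srv.authorize("workbench", WB_URI, "alice")
    out["code_without_secret"] = srv.exchange(code, "workbench", "guess", WB_URI)

    # Even with the secret, a redirect URI other than the bound one is rejected.
    code = srv.authorize("workbench", WB_URI, "alice")
    out["code_wrong_redirect"] = srv.exchange(code, "workbench", "wb-secret-constructed", LURE_URI)
    return out


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {'token issued' if result else 'refused'}")
```

The point of the model is that the user's act of logging in is no longer enough on its own: the token is tied to a client the server already knows, and the secret that proves that identity never travels through the user's browser.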