Bug #4692

Updated by Peter Amstutz about 10 years ago

Any web service client can go through the login process and receive an API token. This may allow an attacker to lure the user in with, say, a silly game called "dogepuzzle" and request an Arvados API server login to receive an API key, which they can use to access the user's account. Investigate.

<tetron> tomclegg: so OAuth does require a secret client token
<tetron> tomclegg: but workbench doesn't use OAuth to authenticate to API server.
<tetron> tomclegg: API server uses OAuth with the SSO server
<tetron> tomclegg: so that's probably a weak link
