
Bug #4692

Updated by Peter Amstutz over 9 years ago

Any web service client can go through the login process and receive an API token. This may allow an attacker to lure the user in with, say, a silly game called "dogepuzzle" and request an Arvados API server login to receive an API key, which they can use to access the user's account. Investigate.
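The risk described above is that the token-issuing step does not care which client asked for the login. The following is an added illustration, not Arvados code and not the API server's actual login flow: a minimal model of an OAuth-style authorization server in which a token is only issued to a client that is registered with a secret and an allow-listed redirect URI, shown next to the unrestricted pattern the ticket describes. The client name "workbench", the secret, the URLs and the user "alice" are constructed values.

```python
# Added example (not Arvados code): a minimal model of an OAuth-style
# authorization server that only issues API tokens to registered clients.
# Client names, secrets and URLs below are constructed for illustration.
import hmac
import secrets

# Constructed client registry: only clients the operator has registered
# (with a secret and an allow-list of redirect URIs) may obtain tokens.
CLIENT_REGISTRY = {
    "workbench": {
        "secret": "workbench-secret-example",
        "redirect_uris": {"https://workbench.example/login/callback"},
    },
}

# Pending authorization codes, each bound to the client, redirect URI and
# user it was issued for; a code is single use.
_pending_codes = {}


def issue_token_unrestricted(user):
    """The weak pattern from the ticket: whoever completes the login flow
    receives a token for the user, with no check on the requesting client."""
    return f"token-for-{user}-{secrets.token_hex(8)}"


def authorize(client_id, redirect_uri, user):
    """Step 1: the user approves the client. Returns a short-lived code, or
    None if the client is unknown or the redirect URI is not on its list."""
    client = CLIENT_REGISTRY.get(client_id)
    if client is None or redirect_uri not in client["redirect_uris"]:
        return None
    code = secrets.token_urlsafe(16)
    _pending_codes[code] = (client_id, redirect_uri, user)
    return code


def exchange_code(code, client_id, client_secret, redirect_uri):
    """Step 2: the client redeems the code with its secret. A token is issued
    only if the secret matches and the code was bound to this client."""
    entry = _pending_codes.pop(code, None)  # single use: removed on first try
    if entry is None:
        return None
    bound_client, bound_redirect, user = entry
    client = CLIENT_REGISTRY.get(client_id)
    if client is None or bound_client != client_id or bound_redirect != redirect_uri:
        return None
    if not hmac.compare_digest(client["secret"], client_secret):
        return None
    return f"token-for-{user}-{secrets.token_hex(8)}"


def demo():
    """Run both flows and return a dict of named outcomes (all should be True)."""
    cb = "https://workbench.example/login/callback"
    results = {}
    # Weak flow: an unregistered page ("dogepuzzle") ends up with a usable token.
    results["open_flow_gives_token_to_unknown_client"] = (
        issue_token_unrestricted("alice").startswith("token-for-alice"))
    # Hardened flow: an unknown client is refused at the authorize step.
    results["unknown_client_refused"] = (
        authorize("dogepuzzle", "https://dogepuzzle.example/cb", "alice") is None)
    # A registered client asking to redirect somewhere unexpected is refused.
    results["bad_redirect_refused"] = (
        authorize("workbench", "https://evil.example/cb", "alice") is None)
    # The registered client completes both steps and receives a token.
    code = authorize("workbench", cb, "alice")
    tok = exchange_code(code, "workbench", "workbench-secret-example", cb)
    results["registered_client_gets_token"] = (
        tok is not None and tok.startswith("token-for-alice"))
    # A code that leaks in transit cannot be redeemed without the client secret.
    code2 = authorize("workbench", cb, "alice")
    results["leaked_code_without_secret_refused"] = (
        exchange_code(code2, "workbench", "wrong-secret", cb) is None)
    # And an already-redeemed code cannot be replayed.
    results["code_is_single_use"] = (
        exchange_code(code, "workbench", "workbench-secret-example", cb) is None)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point of the two-step shape is that the party that receives the token must prove possession of a registered secret, so a page that merely drives the user through the login screen never ends up holding a token; the code-binding and single-use checks close the remaining gap where a code is intercepted or replayed.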

<tetron> tomclegg: so OAuth does require a secret client token
<tetron> tomclegg: but workbench doesn't use OAuth to authenticate to API server.
<tetron> tomclegg: API server uses OAuth with the SSO server
<tetron> tomclegg: so that's probably a weak link
