Bug #4692
Updated by Peter Amstutz over 9 years ago
Any web service client can go through the login process and receive an API token. While this is convenient for developer workbench instances to access a production API server, this may allow an attacker to lure the user in with, say, a silly game called "dogepuzzle" and request an Arvados API server login to receive an API key, which they can use to access the user's account. Investigate.

<tetron> tomclegg: so OAuth does require a secret client token
<tetron> tomclegg: but workbench doesn't use OAuth to authenticate to API server.
<tetron> tomclegg: API server uses OAuth with the SSO server
<tetron> tomclegg: so that's probably a weak link