Sorry if I misunderstand, but would that mean that (along with what you wrote about whitelist/static) a "replace hash values", for instance, would mitigate the attack?
I currently have an OAuth (1.0a) implementation down the road (and would be very willing to hire you when we begin).
Am I understanding this correctly that a "good" practice would be to redirect the user always to e.g. a static "you've granted app X permissions", or other dummy page (within our domain's control) which the user will simply close, or oob?
Not asking you to dish out your expertise, just a quick question :)
And thanks for the nice articles, you're doing a lot of good.