
Am I missing something? While there does not seem to be a reason to allow CSRF here, doesn't the fact that you need to have a client ID and client secret for the OAuth endpoint make it so that this is a non-issue?

https://github.com/doorkeeper-gem/doorkeeper/wiki/authorizat...

I don't see a way to get the access token without having the client ID and client secret.




You just need to create a client. Then you will have ID+secret. Most providers allow anyone to get them.


So this only applies to those that use Doorkeeper to act as OAuth providers, not to those that allow logins through other OAuth providers, right?


Sure, Doorkeeper is an OAuth provider gem, not a client.



