Flow diagram labels: Authorize / Auth Prompt / Do Thing / Yeah, Do Stuff / Token
GET: facebook.com/oauth/authorize?client_id=<id>&scope=<scope>&redirect_uri=<asdf>&state=<state>
Authorize: Need to login? Need to accept scope permissions?
to authenticate to receive an access_token
◦ URL parameter, browser sends to redirect_url
#access_token used directly
◦ URL hash, browser does not send to redirect_url
◦ parsed with javascript
# associate accounts
end
end
What is session[:state] if the request is not authentic?
<img src='https://example.com/callback?code=<attacker's code>' />
Ensure state is set (and not predictable)
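The slide's point is that a callback which reads the code without checking state will happily consume a code an attacker planted (the img tag above), binding the attacker's provider account to the victim's session. The following is an added example, not the deck's own code: it shows minting an unpredictable state before the redirect and verifying it at the callback. The `session` Hash stands in for a framework session store, and the function names (`begin_authorization`, `callback_authentic?`, `secure_equal?`) are hypothetical; the provider URL reuses the deck's placeholders.

```ruby
require 'securerandom'

# Constant-time string comparison so the check does not leak how many
# leading bytes of the state matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Step 1: before sending the browser to the provider, generate a state value
# from the OS CSPRNG and remember it in this browser's session.
# `session` is a plain Hash here, standing in for a framework session store.
def begin_authorization(session)
  state = SecureRandom.hex(32) # 256 bits; not guessable by an attacker
  session[:state] = state
  "https://facebook.com/oauth/authorize?client_id=<id>&scope=<scope>" \
    "&redirect_uri=<asdf>&state=#{state}"
end

# Step 2: at the callback, accept the code only when the request carries the
# state stored in this browser's session. A forged request such as
# <img src='https://example.com/callback?code=<attacker's code>' /> arrives
# either with no state or with one the victim's session never issued, so it
# is rejected before any account association happens.
def callback_authentic?(session, params)
  expected = session.delete(:state) # single use: consumed whether or not it matches
  given = params[:state]
  return false if expected.nil? || given.nil?
  secure_equal?(expected, given)
end

# Usage: the legitimate round trip succeeds, a replay and a forged request do not.
if __FILE__ == $PROGRAM_NAME
  session = {}
  begin_authorization(session)
  issued = session[:state]
  puts callback_authentic?(session, { code: 'code-from-provider', state: issued })
  puts callback_authentic?(session, { code: 'code-from-provider', state: issued })
  forged = {}
  begin_authorization(forged)
  puts callback_authentic?(forged, { code: 'attackers-code' })
end
```

Deleting the state from the session on first use matters as much as checking it: a state that survives the callback can be replayed, which defeats the binding between this browser and this authorization attempt.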