OpenAuth Security

Below are some high-level security measures that we took while designing and implementing the OpenAuth APIs.

  • Site Specific Authentication Tokens
    • Authentication Tokens issued to Web Sites/Applications are always bound to 'devId' and 'succUrl' ('HTTP_REFERER' is used when 'succUrl' is not available).
    • Authentication Tokens issued to one Site cannot be used from a different Site, hence preventing several cross-site scripting (XSS) attacks.
    • Authentication Tokens are of no value until the user gives permission to the site to access AOL Services on his/her behalf.
    • Users can go to their AOL Account Management Site and revoke permissions as needed.
    • All Authentication Tokens issued in a session (except long term Tokens) are invalidated when a user Signs Out from AOL.
  • Secure Sessions
    • All Session data (with user information) is stored on the server/host side, not in browser cookies.
    • An Authentication Cookie is used to store the SessionId and is encrypted with the 'PBEWithSHAAnd3-KeyTripleDES-CBC' algorithm.
    • The Authentication Cookie is written in a restricted domain, 'api.screenname.aol.com', that no other Web Sites have access to (including other AOL sites).
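The token-binding and session rules listed above, worked through as an added example written for this page; it is not AOL's OpenAuth code. It assumes a hypothetical in-memory AuthServer, constructed developer ids 'devA' and 'devB', constructed hosts app.example and evil.example, and it leaves out the 3DES encryption of the cookie (the session id is simply an opaque random value that never carries user data).

```python
import secrets
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class Token:
    session_id: str
    user: str
    dev_id: str       # developer/site id the token was issued to
    bound_host: str   # host of succUrl, or of HTTP_REFERER when succUrl is absent
    long_term: bool = False


class AuthServer:
    """Hypothetical server (an assumption of this example) modelling the measures above."""

    def __init__(self):
        self.sessions = {}      # session id -> {"user": ..., "active": bool}; server side only
        self.tokens = {}        # opaque token value -> Token
        self.permissions = {}   # user -> set of devIds the user has granted access to

    def sign_in(self, user):
        # Only this opaque, random id is placed in the authentication cookie;
        # the user information stays here on the server.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": user, "active": True}
        return sid

    def issue_token(self, session_id, dev_id, succ_url=None, referer=None, long_term=False):
        sess = self.sessions.get(session_id)
        if sess is None or not sess["active"]:
            raise PermissionError("no active session")
        site = succ_url or referer          # succUrl preferred, HTTP_REFERER as fallback
        if site is None:
            raise ValueError("cannot bind a token without succUrl or HTTP_REFERER")
        value = secrets.token_urlsafe(32)
        self.tokens[value] = Token(session_id, sess["user"], dev_id,
                                   urlparse(site).hostname, long_term)
        return value

    def grant_permission(self, user, dev_id):
        self.permissions.setdefault(user, set()).add(dev_id)

    def revoke_permission(self, user, dev_id):
        # What the Account Management Site would do on the user's behalf.
        self.permissions.get(user, set()).discard(dev_id)

    def validate(self, token_value, dev_id, request_url):
        """Return (ok, reason) for an API call presenting token_value from request_url."""
        tok = self.tokens.get(token_value)
        if tok is None:
            return False, "unknown or invalidated token"
        if tok.dev_id != dev_id:
            return False, "devId mismatch"
        if urlparse(request_url).hostname != tok.bound_host:
            return False, "token presented from a different site"
        if dev_id not in self.permissions.get(tok.user, set()):
            return False, "user has not granted (or has revoked) permission"
        if not tok.long_term and not self.sessions[tok.session_id]["active"]:
            return False, "session ended"
        return True, "ok"

    def sign_out(self, session_id):
        self.sessions[session_id]["active"] = False
        # Drop every token issued in this session except long-term ones.
        self.tokens = {v: t for v, t in self.tokens.items()
                       if t.session_id != session_id or t.long_term}


def demo():
    """Exercise each rule with constructed data; returns the (ok, reason) pairs."""
    srv = AuthServer()
    sid = srv.sign_in("alice")
    tok = srv.issue_token(sid, "devA", succ_url="https://app.example/callback")
    lt = srv.issue_token(sid, "devA", succ_url="https://app.example/callback", long_term=True)
    results = {}
    results["before_grant"] = srv.validate(tok, "devA", "https://app.example/api")
    srv.grant_permission("alice", "devA")
    results["granted"] = srv.validate(tok, "devA", "https://app.example/api")
    results["other_site"] = srv.validate(tok, "devA", "https://evil.example/steal")
    results["other_dev"] = srv.validate(tok, "devB", "https://app.example/api")
    srv.sign_out(sid)
    results["after_signout"] = srv.validate(tok, "devA", "https://app.example/api")
    results["long_term_after_signout"] = srv.validate(lt, "devA", "https://app.example/api")
    srv.revoke_permission("alice", "devA")
    results["after_revoke"] = srv.validate(lt, "devA", "https://app.example/api")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The order of the checks matters: the devId and site checks run before the permission lookup, so a token replayed from another host is rejected before any per-user state is consulted, and a long-term token survives sign-out only while the user's grant for that devId still stands.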


Please use this forum to post any Security issues/questions with OpenAuth APIs.

Great design

Great design, hope it can be provided as soon as possible, anticipate delightedly.
