OpenAuth Security
Below are some high level security measures that we took while designing and
implementing the OpenAuth APIs.
- Site Specific Authentication Tokens
  - Authentication Tokens issued to Web Sites/Applications are always bound to 'devId' and 'succUrl' ('HTTP_REFERER' is used when 'succUrl' is not available).
  - Authentication Tokens issued to one Site cannot be used from a different Site, hence preventing several cross site scripting (XSS) attacks.
  - Authentication Tokens are of no value until the user gives permission to the site to access AOL Services on his/her behalf.
  - Users can go to their AOL Account Management Site and revoke permissions as needed.
  - All Authentication Tokens issued in a session (except long term Tokens) are invalidated when a user Signs Out from AOL.
- Secure Sessions
  - All Session data (with user information) is stored on the server/host side, not in browser cookies.
  - An Authentication Cookie is used to store the SessionId and is encrypted with the 'PBEWithSHAAnd3-KeyTripleDES-CBC' algorithm.
  - The Authentication Cookie is written in a restricted domain, 'api.screenname.aol.com', that no other Web Sites have access to (including other AOL sites).
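The following is an added illustration of the measures listed under both headings above; it is not AOL's code and the OpenAuth APIs do not expose it. It models tokens bound to 'devId' and 'succUrl' (falling back to 'HTTP_REFERER'), permission gating and revocation, sign-out invalidation of everything but long term tokens, and a session store that keeps user data server side while the cookie carries only an opaque SessionId scoped to the restricted domain. The data structures, function names and the in-memory stores are assumptions made for the example; the cookie value here is a random id rather than a PBE-encrypted one.

```python
"""Model of the OpenAuth security measures described above.
Added example, not AOL's code; all names below are assumptions."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

COOKIE_DOMAIN = "api.screenname.aol.com"  # restricted cookie domain named in the post


@dataclass
class Token:
    value: str
    dev_id: str          # the 'devId' the token is bound to
    site: str            # 'succUrl', or 'HTTP_REFERER' when succUrl is absent
    long_term: bool      # long term tokens survive sign-out
    granted: bool = False  # of no value until the user grants permission


@dataclass
class Session:
    session_id: str
    user: str            # user information lives here, server side only
    tokens: Dict[str, Token] = field(default_factory=dict)


SESSIONS: Dict[str, Session] = {}              # server-side session store
REVOKED: Set[Tuple[str, str]] = set()          # (user, devId) pairs revoked by the user


def create_session(user: str) -> Tuple[Session, dict]:
    """Create a server-side session and the cookie that references it.
    The cookie carries only the opaque SessionId, scoped to the restricted domain."""
    sid = secrets.token_urlsafe(32)
    session = Session(sid, user)
    SESSIONS[sid] = session
    cookie = {"name": "AuthSession", "value": sid, "domain": COOKIE_DOMAIN,
              "secure": True, "httponly": True}
    return session, cookie


def resolve_cookie(cookie: dict) -> Optional[Session]:
    """Look the session up from the cookie; nothing about the user is in the cookie."""
    return SESSIONS.get(cookie["value"])


def issue_token(session: Session, dev_id: str, succ_url: Optional[str] = None,
                referer: Optional[str] = None, long_term: bool = False) -> Token:
    """Issue a token bound to devId and succUrl (HTTP_REFERER if succUrl is missing)."""
    site = succ_url or referer
    if site is None:
        raise ValueError("token must be bound to succUrl or HTTP_REFERER")
    tok = Token(secrets.token_urlsafe(24), dev_id, site, long_term)
    session.tokens[tok.value] = tok
    return tok


def grant_permission(session: Session, token_value: str) -> None:
    """The user allows the site to act on his/her behalf."""
    session.tokens[token_value].granted = True


def revoke_permission(user: str, dev_id: str) -> None:
    """The user withdraws a site's access from the Account Management page."""
    REVOKED.add((user, dev_id))


def validate_token(session: Session, token_value: str, dev_id: str, site: str) -> bool:
    """Accept the token only from the devId/site it was issued to, only after the
    user granted permission, and only while that grant has not been revoked."""
    tok = session.tokens.get(token_value)
    if tok is None:
        return False
    same_site = (hmac.compare_digest(tok.dev_id.encode(), dev_id.encode())
                 and hmac.compare_digest(tok.site.encode(), site.encode()))
    if not same_site:
        return False  # a token issued to one site is useless from another
    return tok.granted and (session.user, dev_id) not in REVOKED


def sign_out(session: Session) -> None:
    """Invalidate every token issued in the session except long term ones."""
    session.tokens = {v: t for v, t in session.tokens.items() if t.long_term}
```

A token presented with the right value but a different 'devId' or site fails before the permission check, and sign-out drops it from the session even if the site still holds the string; only the long term token remains usable until the user revokes the grant.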
Please use this forum to post any Security issues/questions with OpenAuth APIs.
