On Mon, Aug 18, 2014 at 6:29 AM, Ad Strack van Schijndel ad.strackvanschijndel@gmail.com wrote:
What security aspects are you referring to?
OAuth itself is only meant for authorization, so if you make a call to find out information about the current user (it looks like linkedin encourages using https://api.linkedin.com/v1/people/~), that result is probably not signed by the server-- you just rely on ssl to ensure that you're talking to the right server and that no one has modified the api response since the server sent it. If you use OpenID Connect (or in mediawiki, we added a /identify feature), you get a signed assertion of the user's identity, which is more difficult for an attacker to forge, even for attackers who can mitm ssl.
If you know you've implemented the ssl certificate and hostname validation correctly in your client code, TLS is sufficient, as long as you're not concerned with government-scale attackers.
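As an added example (not from the thread or from MediaWiki): verifying a signed identity assertion of the kind the reply contrasts with an unsigned profile response. To run offline it uses an HS256-signed JWT with a constructed shared secret; real OpenID Connect id_tokens are usually RS256-signed and checked against the provider's published keys, and the issuer, audience and subject values are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url_decode(data):
    # JWT compact serialization strips base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_hs256_id_token(claims, secret):
    # Constructed sample issuer for the demo; an OIDC provider would normally sign with RS256.
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_id_token(token, secret, issuer, audience, now=None):
    """Return the claims if signature, iss, aud and exp all check out; otherwise None.

    Unlike a plain JSON profile response fetched over TLS, a forged or modified
    assertion is rejected here even if the transport itself was compromised.
    """
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(body_b64))
    except (ValueError, json.JSONDecodeError):
        return None
    # Pin the algorithm on the verifier side; never let the token's header choose it.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    now = int(time.time()) if now is None else now
    if claims.get("iss") != issuer or claims.get("aud") != audience or claims.get("exp", 0) <= now:
        return None
    return claims
```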