On Mon, Aug 18, 2014 at 6:29 AM, Ad Strack van Schijndel
<ad.strackvanschijndel(a)gmail.com> wrote:
What security aspects are you referring to?
OAuth itself is only meant for authorization, so if you make a call to
find out information about the current user (it looks like LinkedIn
encourages using https://api.linkedin.com/v1/people/~), that result is
probably not signed by the server; you just rely on SSL to ensure
that you're talking to the right server and that no one has modified
the API response since the server sent it. If you use OpenID Connect
(or in MediaWiki, we added a /identify feature), you get a signed
assertion of the user's identity, which is more difficult for an
attacker to forge, even for attackers who can MITM SSL.
If you know you've implemented the SSL certificate and hostname
validation correctly in your client code, TLS is sufficient,
as long as you're not concerned with government-scale attackers.
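As an added illustration (not part of the original message), this is the check a client performs on a signed identity assertion such as an OpenID Connect ID token, written in Python with only the standard library. The HS256 secret, issuer, audience and claims are constructed values, and the signing helper only stands in for what an identity endpoint would return.

```python
import base64, hashlib, hmac, json, time

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_identity(claims: dict, secret: bytes) -> str:
    """Stand-in for the identity endpoint: an HS256-signed JWT over the claims."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_identity(token: str, secret: bytes, issuer: str, audience: str, now=None) -> dict:
    """Return the claims only if signature, issuer, audience and expiry all check out."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust alg from the token alone
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")  # payload was altered or signed with another key
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        raise ValueError("wrong issuer or audience")
    now = time.time() if now is None else now
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    return claims

# Constructed demo values, not real credentials or a real issuer.
SECRET = b"constructed-consumer-secret"
ISSUER, AUDIENCE = "https://idp.example", "client-123"
CLAIMS = {"iss": ISSUER, "aud": AUDIENCE, "sub": "alice", "exp": 2_000_000_000}
NOW = 1_700_000_000

def demo():
    """Valid token verifies; the same token with an altered subject is rejected."""
    token = sign_identity(CLAIMS, SECRET)
    subject = verify_identity(token, SECRET, ISSUER, AUDIENCE, now=NOW)["sub"]
    header_b64, _, sig_b64 = token.split(".")
    altered = f"{header_b64}.{b64url(json.dumps({**CLAIMS, 'sub': 'mallory'}).encode())}.{sig_b64}"
    try:
        verify_identity(altered, SECRET, ISSUER, AUDIENCE, now=NOW)
        rejected = False
    except ValueError:
        rejected = True
    return subject, rejected
```

An unsigned userinfo response offers no equivalent of the signature step, which is why the message above falls back on TLS alone for that case.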