Reputation: 285
I'm a front end developer helping a UX team develop the interface of a browser plugin.
The plugin is HTML/CSS/JS based and requires authentication. At the moment we have standard u/p fields in the wires, but the client is wondering if social sign-in is possible.
Since the plugin's interface is injected into each page that the user visits, it means that authentication requests can come from anywhere on the web.
I've read the basics of the oAuth spec, but I can't find an answer to this — it seems odd that oAuth would not require the requests come from a consistent location, but I don't really know what I'm talking about.
Is making oAuth requests from any random domain feasible?
Upvotes: 4
Views: 4802
Reputation: 23098
requests come from a consistent location
A guy who can come up with tokens that are consistent with X's consumer key is assumed to be X. There is one place to demand the consumer's (your service) URL:
oauth_callback: An absolute URL to which the Service Provider will redirect the User back when the Obtaining User Authorization step is completed. If the Consumer is unable to receive callbacks or a callback URL has been established via other means, the parameter value MUST be set to oob (case sensitive), to indicate an out-of-band configuration.
But the redirection happens at the client's end. This URL can be set for each request. You don't even require a browser request: see the 'out of band' (OOB) stuff.
The workflow is called two-legged OAuth.
Twitter oAuth callbackUrl - localhost development
And that trouble is just for authentication. Once you have an access token for a user, you can act on his behalf from any device: a smartphone, a node in your cluster, your dev workstation etc.
Upvotes: 4
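As an added example (not code from the question or the answer above), here is a stdlib-only Python sketch of the OAuth 1.0 request-token step the answer refers to: oauth_callback is a per-request parameter (a URL or "oob") that the HMAC-SHA1 signature covers, and a provider-side check shows the practitioner's caveat that the per-request value is normally still compared against callbacks the consumer registered out of band. The provider URL, keys, nonce and the registered-callback policy are constructed assumptions.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, urlparse

REQUEST_TOKEN_URL = "https://provider.example/oauth/request_token"  # constructed, not a real service

def percent_encode(value: str) -> str:
    """RFC 5849 section 3.6: only ALPHA / DIGIT / '-' / '.' / '_' / '~' stay literal."""
    return quote(str(value), safe="-._~")

def signature_base_string(method: str, url: str, params: dict) -> str:
    """Method, base URI and normalized parameters joined with '&' (RFC 5849 section 3.4.1)."""
    u = urlparse(url)
    base_url = f"{u.scheme.lower()}://{u.netloc.lower()}{u.path}"
    pairs = sorted((percent_encode(k), percent_encode(v))
                   for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), percent_encode(base_url), percent_encode(normalized)])

def hmac_sha1_signature(base: str, consumer_secret: str, token_secret: str = "") -> str:
    """Key is 'consumer_secret&token_secret'; the token secret is empty at the request-token step."""
    key = f"{percent_encode(consumer_secret)}&{percent_encode(token_secret)}"
    return base64.b64encode(hmac.new(key.encode(), base.encode(), hashlib.sha1).digest()).decode()

def build_request_token_params(consumer_key, consumer_secret, callback, nonce, timestamp, url=REQUEST_TOKEN_URL):
    """Consumer side: oauth_callback (URL or 'oob') is a per-request parameter covered by the signature."""
    params = {
        "oauth_consumer_key": consumer_key, "oauth_nonce": nonce, "oauth_timestamp": str(timestamp),
        "oauth_signature_method": "HMAC-SHA1", "oauth_version": "1.0", "oauth_callback": callback,
    }
    params["oauth_signature"] = hmac_sha1_signature(signature_base_string("POST", url, params), consumer_secret)
    return params

def authorization_header(params: dict) -> str:
    """Serialize the parameters as an 'Authorization: OAuth ...' header value."""
    return "OAuth " + ", ".join(f'{percent_encode(k)}="{percent_encode(v)}"' for k, v in sorted(params.items()))

def provider_accepts(params: dict, consumer_secret: str, url=REQUEST_TOKEN_URL, registered_callbacks=()) -> bool:
    """Provider side (assumed policy): signature must verify; callback must be 'oob' or pre-registered."""
    expected = hmac_sha1_signature(signature_base_string("POST", url, params), consumer_secret)
    if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
        return False  # altering any parameter, the callback included, breaks the signature
    callback = params.get("oauth_callback", "")
    return callback == "oob" or callback in registered_callbacks
```

The signature binds the callback to the consumer key for one request, but it does not by itself restrict which callbacks a consumer may ask for; that restriction is the provider's registration policy, which is why the injected plugin can sign requests from any page yet still only land on the callbacks you registered (or use oob).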