Posted to dev@wookie.apache.org by "Hoang Minh Tien (JIRA)" <ji...@apache.org> on 2012/10/08 11:20:03 UTC

[jira] [Commented] (WOOKIE-384) persist parameter of oAuth feature not user-isolated

    [ https://issues.apache.org/jira/browse/WOOKIE-384?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13471462#comment-13471462 ] 

Hoang Minh Tien commented on WOOKIE-384:
----------------------------------------

Thanks Matthias, but I'm not sure if it is a bug.
If you set the persist option on, the token is dedicated to a single widget instance, not shared with all widget instances. If you put this widget instance on any page (using the embedded code function), it can query the token and display information associated with this token.
So if the information is private, and the page containing the widget instance is public, it is not suitable to set persist on.

> persist parameter of oAuth feature not user-isolated
> ----------------------------------------------------
>
>                 Key: WOOKIE-384
>                 URL: https://issues.apache.org/jira/browse/WOOKIE-384
>             Project: Wookie
>          Issue Type: Bug
>          Components: Feature Management
>    Affects Versions: 0.14.0
>         Environment: Windows 7, Chrome
>            Reporter: Matthias Niederhausen
>   Original Estimate: 3h
>  Remaining Estimate: 3h
>
> When I use the "persist" parameter of the oAuth feature (which is the default), every other user will automatically use my token after I have approved access.
> This results in a severe security issue, e.g., my Google contact list being shown to someone else.
> Using "false" for the parameter value, I have to re-authenticate every try (which is okay).
> The behaviour for "true" should instead be to cache the token for every individual user (i.e., widget instance).
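Added illustration, not Wookie's own code (the instance and viewer ids are constructed values): a toy token cache that contrasts the instance-only keying the report describes, where anyone viewing the same embedded instance receives the approver's token, with the per-user keying the report asks for.

```python
from dataclasses import dataclass, field


@dataclass
class TokenCache:
    """Persisted OAuth tokens; the key policy decides who can read a stored token."""
    user_isolated: bool
    _store: dict = field(default_factory=dict)

    def _key(self, instance_id, viewer):
        # Instance-only keying: every viewer of the same embedded instance shares
        # one token slot, so the first approver's token is served to all of them.
        # User-isolated keying: the slot is bound to the approving viewer as well.
        return (instance_id, viewer) if self.user_isolated else (instance_id,)

    def store(self, instance_id, viewer, token):
        self._store[self._key(instance_id, viewer)] = token

    def lookup(self, instance_id, viewer):
        # Returns None when the viewer has not approved access under this policy.
        return self._store.get(self._key(instance_id, viewer))


def leaked_to_other_viewer(user_isolated):
    """Alice approves access on an embedded instance; Bob then opens the same
    instance. Returns True if Bob is handed Alice's token without approving."""
    cache = TokenCache(user_isolated=user_isolated)
    cache.store("widget-instance-1", "alice", "tok-alice")  # constructed ids/token
    return cache.lookup("widget-instance-1", "bob") == "tok-alice"


def approver_keeps_own_token(user_isolated):
    """Under either policy the approving viewer still gets their own token back."""
    cache = TokenCache(user_isolated=user_isolated)
    cache.store("widget-instance-1", "alice", "tok-alice")  # constructed ids/token
    return cache.lookup("widget-instance-1", "alice") == "tok-alice"
```

The `leaked_to_other_viewer(False)` case is the behaviour the report complains about; with `user_isolated=True` a second viewer gets no token and must go through approval themselves.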
