A. 1. Read the original OAuth spec: http://oauth.net/core/1.0/ Resist the urge to click through the description of the vulnerability and fix, and see whether you can find the flaw in the protocol. Hint: An attacker is able to impersonate a victim to an OAuth Consumer (all the victim has to do is authorize the OAuth Consumer to access his data at the OAuth Service Provider). 2. Read the description of the OAuth 1.0 flaw: http://hueniverse.com/2009/04/explaining-the-oauth-session-fixation-attack/ 3. Read the fixed OAuth spec: http://oauth.net/core/1.0a/ (the RFC linked to is simply a different description of the same protocol). There are two changes in the protocol to fix the flaw. Are they both necessary, i.e., if the authors had only included one of the changes, but not the other, would the protocol still be vulnerable? B. - Read up on OpenID: http://openid.net/specs/openid-authentication-2_0.html Warning! This is kind-of hard to read. You might want to look for summaries, protocol-flow descriptions, etc., somewhere else on the web. - OpenID is a protocol that delivers _identity assertions_ to the relying party/consumer, whereas OAuth delivers tokens to the consumer that give it access to protected resources. Do these different purposes really mean that the protocols have to look so different? Can OAuth be used to log users into relying parties? What would we have to add? - Read the OpenID Connect proposal http://openidconnect.com/, which one attempt to turn OAuth into a federated login protocol (like OpenID). Does this proposal add the necessary pieces to OAuth to make it a secure federated login protocol? What features of OpenID is the author purposefully throwing out in order to have a simpler proposal? Bonus reading: - Read up on the controversy around (the lack of) signatures in WRAP and OAuth2 (both successors to OAuth 1.0a): http://www.links.org/?p=846 (there is a link to a previous blog post on the topic, which points to a blog post by Ben Adida, which is also worth reading). What do you think? Does OAuth need signatures? Or are bearer tokens (as proposed in the WRAP standard http://tools.ietf.org/html/draft-hardt-oauth-01) sufficient?