Having read over the OAuth Echo workflow here: https://dev.twitter.com/docs/auth/oauth/oauth-echo, I’m wondering what steps I, as a delegator, can take to ensure that I don’t honor “spoofed” requests.
That is, say a malicious consumer passes me an OAuth Echo request, but in the X-Auth-Service-Provider header they point at some malicious service provider which returns a 200 and whatever other bad info I might otherwise trust. Obviously in the Twitter case I won’t be able to turn around and perform actions against a user’s Twitter account with a spoofed X-Verify-Credentials-Authorization, but that still leaves me in the lurch when trying to deal with issues on my own service. Like, if I’m TwitPic and actually store the uploaded image because I think the credentials I got were legitimate, I’m wasting storage space on a bad request.
I’m new to OAuth and OAuth Echo so if there’s something inherent in OAuth that prevents this, I’d appreciate some pointers on what I’m missing, just trying to learn the basics here.
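One defensive check a delegator can apply, as an added example that is not part of the original question or of Twitter's documentation: treat X-Auth-Service-Provider as nothing more than a hint that must exactly match a preconfigured allowlist of verify_credentials URLs, and only accept the upload once that allowlisted provider confirms the credentials. The allowlist entry, the sample header dictionaries and the stand-in provider are assumptions constructed for the example.

```python
from urllib.parse import urlsplit

# Assumed configuration for this delegator: the only verify_credentials URLs it
# will ever call. The X-Auth-Service-Provider header is a hint that must match
# one of these exactly; it is never the authority on where to send the request.
ALLOWED_PROVIDERS = {
    "https://api.twitter.com/1.1/account/verify_credentials.json",
}

def normalise_provider(url):
    """Reduce a provider URL to https://host/path, or None if it looks odd."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return None
    # Anything beyond a bare hostname in the authority (userinfo such as
    # "https://api.twitter.com@evil.example/", or a port) is rejected outright.
    if parts.netloc.lower() != parts.hostname:
        return None
    # Query and fragment are dropped: they must not change which host we trust.
    return f"https://{parts.hostname}{parts.path}"

def verify_echo(headers, call_provider):
    """Return the provider-confirmed user id, or None if the request must not be
    honoured. call_provider(url, authorization) does the HTTPS GET and returns
    (status_code, user_id_or_None); it is injected so this runs offline."""
    provider = headers.get("X-Auth-Service-Provider")
    auth = headers.get("X-Verify-Credentials-Authorization")
    if not provider or not auth or not auth.startswith("OAuth "):
        return None
    target = normalise_provider(provider)
    if target not in ALLOWED_PROVIDERS:
        return None             # spoofed provider: it is never even contacted
    status, user_id = call_provider(target, auth)
    if status != 200 or not user_id:
        return None
    return user_id              # key storage and quotas on this, not on the headers

# Constructed sample requests (the OAuth header is a placeholder, not a real one).
GOOD = {
    "X-Auth-Service-Provider": "https://api.twitter.com/1.1/account/verify_credentials.json",
    "X-Verify-Credentials-Authorization": 'OAuth oauth_consumer_key="k", oauth_signature="s"',
}
SPOOFED = dict(GOOD, **{"X-Auth-Service-Provider":
    "https://api.twitter.com@evil.example/1.1/account/verify_credentials.json"})

def fake_provider(url, auth):
    """Stand-in for the real HTTPS call. It answers 200 for any URL, which is
    exactly why the allowlist, not the 200, is what protects the delegator."""
    return (200, 12345)
```

Whatever identity the allowlisted provider returns is the only thing worth keying stored uploads, quotas and abuse handling on; nothing the consumer put in the headers should be trusted for that.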