Hello, I’m developing an app for Alfresco One and I might have come across a major flaw in the OAuth authentication.
The first step in OAuth is to ask for the user’s credentials by calling “https://api.alfresco.com/auth/oauth/versions/2/authorize” – this will return the “login page HTML” to display to the user. This HTML is then hosted on the caller’s web site, i.e. you can easily retrieve the user password!! The authorization page needs to be hosted on the https://api.alfresco.com server, right? (Like others do, Google/LinkedIn etc.) Am I missing something here? To me this looks like a major security flaw.
---bjorn
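The two checks a relying party should apply to the flow described in the post, as an added example (not code from the post, from Alfresco, or from any Alfresco SDK): redirect the browser to the authorize endpoint instead of fetching and re-serving its HTML, and flag any login form whose action would post credentials somewhere other than the identity provider's origin. The endpoint URL is the one quoted in the post; the client_id, redirect_uri, scope value and sample HTML are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlencode, urlparse
import secrets

# URL quoted in the post; the origin is where a credential form should post.
AUTHORIZE_URL = "https://api.alfresco.com/auth/oauth/versions/2/authorize"
IDP_ORIGIN = "https://api.alfresco.com"


def build_authorize_redirect(client_id: str, redirect_uri: str, scope: str):
    """Return (location, state) for a standard OAuth 2.0 authorization-code
    request. The app sends the user's browser to `location`; it never fetches
    that page itself. `state` is stored in the user's session and compared on
    the callback to reject forged redirects. Parameter names are the generic
    OAuth 2.0 ones (assumption: the provider follows RFC 6749 naming)."""
    state = secrets.token_urlsafe(32)
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    })
    return f"{AUTHORIZE_URL}?{query}", state


class _FormActions(HTMLParser):
    """Collect the action attribute of every <form> in a page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions.append(dict(attrs).get("action") or "")


def credential_forms_leaving_idp(html: str) -> list:
    """Return form actions that would post credentials to anything other than
    the identity provider over HTTPS. A relative action such as "/login" is
    flagged: if the page is re-hosted on the client's site, the browser posts
    the password to the client, which is the exposure described above."""
    parser = _FormActions()
    parser.feed(html)
    flagged = []
    for action in parser.actions:
        parts = urlparse(action)
        if parts.scheme != "https" or f"{parts.scheme}://{parts.netloc}" != IDP_ORIGIN:
            flagged.append(action)
    return flagged
```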