We have implemented a login plugin for our site using these instructions, but now there are problems guaranteeing login security.
In particular, we want to verify that the user ID and email address that javascript sends to the server are (a) truly permitted and (b) accurate. Otherwise, it seems that anyone who can get a unique user ID can easily impersonate another. Even worse, if we set up a way to merge accounts, they can simply use the developer console to manage JSON and send an existing email with their own user ID.
Is there an easy way to ask LinkedIn, server-side, to confirm the authorization and the details, or do we really need to go through all of the server-side re-authentication like this?
There seems to be a huge duplication of effort, or without it, a big security flaw. Am I missing something?
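The pattern the question is circling around is to treat whatever the browser posts (user ID, email) as a hint only, and to derive the identity from the provider's own answer to the access token. The following is an added illustration of that server-side check, not code from the question, from LinkedIn, or from the login plugin mentioned; the provider call is injected so the example runs offline against a constructed fake, and the profile field names (`id`, `email`) and the fake tokens are assumptions, not LinkedIn's actual API shape.

```python
"""Server-side confirmation of an identity asserted by a browser login widget.

The browser posts {"user_id", "email", "access_token"}. Only the token is sent
to the identity provider; user_id and email are compared against what the
provider returns and are never trusted on their own.  The provider lookup is a
callable so a constructed fake can stand in for the real HTTPS request.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass(frozen=True)
class VerifiedIdentity:
    user_id: str
    email: str


class IdentityVerificationError(Exception):
    """Raised when the client-asserted identity cannot be confirmed."""


# Injected provider call: access token -> profile dict, or None if rejected.
# (Assumed field names "id" and "email"; a real call would be an HTTPS
# request to the provider's profile endpoint.)
ProfileFetcher = Callable[[str], Optional[Dict[str, str]]]


def verify_login(claim: Dict[str, str], fetch_profile: ProfileFetcher) -> VerifiedIdentity:
    """Return the identity the provider vouches for, or raise."""
    token = claim.get("access_token")
    if not token:
        raise IdentityVerificationError("no access token supplied")

    profile = fetch_profile(token)
    if profile is None:
        raise IdentityVerificationError("identity provider rejected the token")

    verified = VerifiedIdentity(user_id=profile["id"], email=profile["email"])

    # A mismatch means the posted JSON was edited (e.g. in the dev console):
    # someone presented their own token together with another user's details.
    if claim.get("user_id") != verified.user_id or claim.get("email") != verified.email:
        raise IdentityVerificationError("client-asserted identity does not match provider")
    return verified


def merge_accounts(claim: Dict[str, str], fetch_profile: ProfileFetcher,
                   accounts: Dict[str, str]) -> str:
    """Account merge keyed on the *verified* email, not the posted one.

    `accounts` maps email -> local account id (a constructed store).  Because
    the email comes from the provider, posting someone else's email with your
    own token cannot attach your login to their account.
    """
    identity = verify_login(claim, fetch_profile)
    if identity.email not in accounts:
        raise IdentityVerificationError("no local account for verified email")
    return accounts[identity.email]


def login_outcome(claim: Dict[str, str], fetch_profile: ProfileFetcher) -> str:
    """Convenience wrapper returning 'ok:<user_id>' or 'rejected:<reason>'."""
    try:
        return "ok:" + verify_login(claim, fetch_profile).user_id
    except IdentityVerificationError as exc:
        return "rejected:" + str(exc)


# Constructed fake provider: which profile each token resolves to.
FAKE_PROVIDER_TOKENS = {
    "tok-alice": {"id": "u-100", "email": "alice@example.com"},
    "tok-mallory": {"id": "u-200", "email": "mallory@example.com"},
}


def fake_fetch_profile(token: str) -> Optional[Dict[str, str]]:
    return FAKE_PROVIDER_TOKENS.get(token)


if __name__ == "__main__":
    honest = {"user_id": "u-100", "email": "alice@example.com", "access_token": "tok-alice"}
    tampered = {"user_id": "u-200", "email": "alice@example.com", "access_token": "tok-mallory"}
    print(login_outcome(honest, fake_fetch_profile))    # ok:u-100
    print(login_outcome(tampered, fake_fetch_profile))  # rejected:...
```

The duplication the question worries about is real but small: the server makes one call to the provider per login (or per merge) and caches nothing it cannot re-derive, and that single call is what turns the browser's self-reported identity into something the server can act on.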