
I understand that during the 'Implicit Grant' flow, the Authorization server provides the Access Token to the Client (running in UserAgent/Browser) via the URL.

Wouldn't a hacker having access to the UserAgent be able to decipher/extract the 'Access Token' and use it for the resource calls?

How do we prevent it from happening?

yathirigan
  • Do you mean the situation when a browser is not safe and the attacker can monitor what people are doing in the browser, or the situation when the attacker has access to the same computer and the user account and wants to use the browser history to find access tokens? – Ján Halaša Feb 14 '18 at 05:29
  • I refer to the 1st scenario. I believe the 2nd scenario is taken care of because the token will have a timeout lifetime and also will be killed when the user logs out of the application – yathirigan Feb 14 '18 at 07:47
  • You can find more information related to this question here. https://stackoverflow.com/questions/14297805/how-secure-is-oauth-2-0-implicit-grant. This question is sort of a duplicate it seems. – Sameera Jayasoma Sep 05 '18 at 05:08

1 Answer


If the browser gets compromised and the attacker can monitor what URLs are loaded, I don't think you can do anything about it at the OAuth2 level. The protocol relies on the browser being safe and secure, the same way it requires (with the Implicit grant flow) the network communication to be secured. Similarly, the browser must trust the operating system it runs on.

It's the browser user's (or some computer admin's) responsibility to keep their computers in a safe state.

Ján Halaša
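The fragment delivery the question describes, as an added example that is not part of the question or the answer: how a client reads the token out of the redirect URL's fragment, checks the `state` value it stored before redirecting, and then removes the fragment from the address bar so the token does not linger in history or bookmarks. The client URL and token value are constructed; as the answer says, none of this helps once the browser itself is compromised.

```javascript
// Added example: client-side handling of the implicit-grant redirect.
// RFC 6749 section 4.2 returns the token in the URL fragment, e.g.
//   https://client.example/cb#access_token=...&token_type=bearer&expires_in=3600&state=xyz
// Any script running in the page (or anyone reading the address bar or
// history) can see it, which is the exposure the question is about.

// Parse the fragment of a redirect URL and validate it. `expectedState` is
// the value the client stored before redirecting to the authorization
// server; a mismatch means the response was not issued for this client.
function parseImplicitFragment(url, expectedState) {
  const hashIndex = url.indexOf('#');
  if (hashIndex === -1) {
    throw new Error('no fragment in redirect URL');
  }
  const params = new URLSearchParams(url.slice(hashIndex + 1));

  // The authorization server reports failures in the fragment too.
  if (params.has('error')) {
    throw new Error(`authorization error: ${params.get('error')}`);
  }
  if (params.get('state') !== expectedState) {
    throw new Error('state mismatch; ignoring response');
  }
  const accessToken = params.get('access_token');
  const tokenType = (params.get('token_type') || '').toLowerCase();
  if (!accessToken || tokenType !== 'bearer') {
    throw new Error('missing access_token or unsupported token_type');
  }
  const expiresIn = params.has('expires_in') ? Number(params.get('expires_in')) : null;
  return { accessToken, expiresIn, scope: params.get('scope') };
}

// In a browser, call this right after parsing so the token does not stay in
// the address bar, history or bookmarks. It is a no-op outside a browser and
// does nothing against a compromised browser, which is the answer's point.
function scrubFragment() {
  if (typeof window !== 'undefined' && window.history && window.location.hash) {
    window.history.replaceState(null, '', window.location.pathname + window.location.search);
  }
}

// Constructed sample redirect; SAMPLE_TOKEN is not a real token.
const SAMPLE_REDIRECT =
  'https://client.example/cb#access_token=SAMPLE_TOKEN&token_type=bearer&expires_in=3600&state=xyz';
```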