
I have done a good study on OAuth 2.0. But I am completely lost when it comes to the part where access tokens are requested by the client from the authorization server.

How is this communication secured via TLS? This communication does not involve a user agent (browser), so I assume this is client-server communication. So, how is certificate verification taking place? I don't remember importing any cert from the Facebook server into my keystore for my test app.

I have not been able to find any proper answer regarding this.

Regards, Amit

gooner

1 Answer


From the OAuth 2.0 perspective, access tokens are credentials. An access token can be used to access an OAuth 2.0 protected resource.

When data is transmitted over a network, attacks can target extracting that data from the wire. If the transmitted data is not encrypted, then such attacks will reveal the plain data that was being transmitted. If such data contained a token request and response, then a malicious party can extract the access token. This is highlighted in RFC 6749 as well:

Since requests to the token endpoint result in the transmission of
clear-text credentials (in the HTTP request and response), the
authorization server MUST require the use of TLS as described in
Section 1.6 when sending requests to the token endpoint.

When the client makes a connection to the authorization server, that connection too opens up over common networks. Thus the attack is present there too. This is why you must use TLS for the token request.

Now the functionality of TLS is a separate subject. It uses digital certificates, which are issued by certificate authorities (CAs). There are trusted CAs which are trusted by default by operating systems. So when you connect with Facebook, if Facebook uses a TLS certificate issued by a well-known CA, then you do not have to configure anything.

Kavindu Dodanduwa
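As an added example, not part of the original answer: the token request written as a plain Python client, with the TLS certificate check done by the `ssl` module against the CA store the operating system already trusts. That is exactly why nothing had to be imported into a keystore for the test app. Alongside the correct context there is the weak setting (verification switched off) for comparison. The endpoint URL and client credentials are placeholders, and the grant used is `client_credentials`, which is an assumption the question does not state.

```python
"""Constructed example: an OAuth 2.0 token request as a direct client-to-server
HTTPS call (no browser involved). TLS and certificate verification are handled
by Python's ssl module; the CA certificates come from the OS trust store.
"""
import base64
import json
import ssl
import urllib.parse
import urllib.request
from typing import Optional

# Placeholder values for the example; not a real authorization server or client.
TOKEN_ENDPOINT = "https://auth.example.com/oauth2/token"
CLIENT_ID = "my-client-id"
CLIENT_SECRET = "my-client-secret"


def make_tls_context() -> ssl.SSLContext:
    """TLS context a client should use for the token endpoint.

    create_default_context() requires a server certificate (CERT_REQUIRED),
    checks that the certificate matches the hostname in the URL, and loads the
    CA certificates the operating system already trusts. Nothing has to be
    imported manually when the server's cert chains to a well-known CA.
    """
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def make_insecure_context() -> ssl.SSLContext:
    """The weak setting, shown only for comparison: verification switched off.

    The connection is still encrypted, but anyone able to intercept it can
    present their own certificate and read the client secret and the returned
    access token. check_hostname must be cleared before verify_mode.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_verifies(ctx: ssl.SSLContext) -> bool:
    """True when the context both requires a cert and checks the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def basic_credentials(client_id: str, client_secret: str) -> str:
    """HTTP Basic value for client authentication (RFC 6749 section 2.3.1):
    id and secret are form-urlencoded, joined with ':' and base64-encoded."""
    cred = f"{urllib.parse.quote(client_id)}:{urllib.parse.quote(client_secret)}"
    return base64.b64encode(cred.encode("ascii")).decode("ascii")


def build_token_request(token_endpoint: str, client_id: str, client_secret: str,
                        scope: Optional[str] = None) -> urllib.request.Request:
    """Build a client_credentials token request (RFC 6749 section 4.4).

    The client secret and the access token travel in clear text inside the
    HTTP exchange, so the endpoint is rejected unless it is https.
    """
    if urllib.parse.urlsplit(token_endpoint).scheme != "https":
        raise ValueError("token endpoint must use https (RFC 6749 section 3.2)")
    form = {"grant_type": "client_credentials"}
    if scope:
        form["scope"] = scope
    body = urllib.parse.urlencode(form).encode("ascii")
    return urllib.request.Request(
        token_endpoint,
        data=body,
        method="POST",
        headers={
            "Authorization": "Basic " + basic_credentials(client_id, client_secret),
            "Content-Type": "application/x-www-form-urlencoded",
            "Accept": "application/json",
        },
    )


def request_token(token_endpoint: str, client_id: str, client_secret: str,
                  scope: Optional[str] = None) -> dict:
    """Send the request over verified TLS and return the parsed token response.

    Needs network access, so it is not exercised offline. The TLS handshake
    (certificate validation and session key derivation) happens inside urlopen
    on the client side and inside the server's TLS stack on the other end.
    """
    req = build_token_request(token_endpoint, client_id, client_secret, scope)
    with urllib.request.urlopen(req, context=make_tls_context(), timeout=10) as resp:
        return json.load(resp)
```

The only thing the client has to get right is the context it hands to the HTTP library: `make_tls_context()` is the default behaviour of every mainstream HTTP client, and the shape of `make_insecure_context()` is what "disable SSL verification" flags produce underneath.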
  • Thanks for the reply. I am aware of the certificates and how they are trusted when the HTTP flow is via a web browser, where the browser takes the eventual responsibility of generating a session key as mentioned here: https://stackoverflow.com/questions/6241991/how-exactly-https-ssl-works I was wondering how it works in client-server communication. – gooner Sep 07 '18 at 12:04
  • @ankitchauhan Well, there's no difference when you substitute a client for the browser. Behind the scenes, there will be a low-level network connection in both scenarios. In those connections, there will be a typical SSL handshake which involves certificate exchange and validation. – Kavindu Dodanduwa Sep 08 '18 at 03:52
  • Cool, thanks for the reply. I wanted to know who has the responsibility of generating the session key during the handshake, as the browser is not involved anymore. – gooner Sep 08 '18 at 05:26
  • @ankitchauhan Well, if you are talking about a cookie session, then it's the server that's responsible for creating and handling one. From your client end, you have to store and maintain it. Browsers do this for you. Mark the question as correct if you think so. It helps others to solve the same problem. – Kavindu Dodanduwa Sep 08 '18 at 06:08