0

I have a web app that interacts with my REST api. I decided to have some oauth authentication and I have followed some tutorials on how to implement it but I am still struggling to understand why it is safe or how can I make it safe.

My implementation goes something like this...

1. client makes request to Facebook
2. client clicks `allow access`
3. Facebook redirects back to client with code in URL
4. client makes a POST request of the code to the REST API
5. REST API authenticates code via a request to Facebook using the secret key
6. Success/fail response to client from REST API

My issue is, how does this ensure security? From what I can tell, the code is being saved in the URL of the browser, so some malicious code can extract this code. If the malicious code can figure out what REST call authenticates the code before it expires, they can then authenticate themselves as someone else and get access to their data.

It's possible that my implementation is wrong, however, I was following this diagram as best I could, as well as other tutorials.

If my approach is wrong, what can I do to ensure security?

buydadip
  • 8,890
  • 22
  • 79
  • 154

1 Answers1

2

I'll get to your question in a moment, but first let me say some preliminaries.

Oauth is about authorisation, not authentication. Change the "authenticate"s to "authorise"s in your question.

It's not the client that clicks "allow access", it is the user. The point of Oauth is that the user wants to grant the client access to some of his data without providing his password to the client. Oauth allows him to do this using a browser that he trusts, so the user can feel safe about using the client.

Without the Ouath protocol, the only way he would be able to do this is to provide his password to the client. Imagine, lots of clients that you use every day that want access to your Facebook data -- without Oauth, you would have to type your Facebook credentials into those clients, which would give them complete access to all of your Facebook. Would you feel comfortable with that? You shouldn't, because it would open the door to all sorts of malware abuses. Oauth allows one to limit what these clients can access from your Facebook account (or whatever account), so you can feel confident about the application you are using.

Now, to your question -- the risk of the code in the URL. That is indeed a valid concern, but it is for one-time use (it is exchanged for an access token for multiple access use) and has a short life period. The reason why authorization code is used is explained in Section 3.4 of the Oauth threat model. The exact concern that you are asking about is addressed in Section 4.4.1.1 of the Oauth threat model:

o As per the core OAuth spec, the authorization server as well as the client must ensure that these transmissions are protected using transport-layer mechanisms such as TLS (see Section 5.1.1).

o The authorization server will require the client to authenticate wherever possible, so the binding of the authorization "code" to a certain client can be validated in a reliable way (see Section 5.2.4.4).

o Use short expiry time for authorization "codes" (Section 5.1.5.3).

o The authorization server should enforce a one-time usage restriction (see Section 5.1.5.4).

o If an authorization server observes multiple attempts to redeem an authorization "code", the authorization server may want to revoke all tokens granted based on the authorization "code" (see Section 5.2.1.1).

o In the absence of these countermeasures, reducing scope (Section 5.1.5.1) and expiry time (Section 5.1.5.3) for access tokens can be used to reduce the damage in case of leaks.

o The client server may reload the target page of the redirect URI in order to automatically clean up the browser cache.

Now also, there is an enhancement to the Oauth protocol published in RFC 7636 that protects against other clients stealing the authorization code for a particularly client on a mobile device. See RFC for more details.

Community
  • 1
  • 1
TheGreatContini
  • 6,429
  • 2
  • 27
  • 37