
I'll take the example from here. Let's say the Resource Owner wants to authorize the Application example-app.com to have access to some of his resources.

1) The Resource Owner will be directed to a URI in the Authorization Server, for example:

https://authorization-server.com/auth
 ?response_type=code
 &client_id=29352915982374239857
 &redirect_uri=https%3A%2F%2Fexample-app.com%2Fcallback
 &scope=create+delete
 &state=xcoiv98y2kd22vusuye3kch

2) The Resource Owner will authenticate with the Authorization Server and will be redirected to:

https://example-app.com/redirect
 ?code=g0ZGZmNjVmOWIjNTk2NTk4ZTYyZGI3
 &state=xcoiv98y2kd22vusuye3kch

Question: What if someone else copies the URI from Step 2) and makes a request to that same URI? Assume that the request from the Attacker will be processed before the Resource Owner's. For example, an Attacker sending the same request to:

https://example-app.com/redirect
 ?code=g0ZGZmNjVmOWIjNTk2NTk4ZTYyZGI3
 &state=xcoiv98y2kd22vusuye3kch

It looks to me that the Application can now access the resources of the Resource Owner and share them with the Attacker, especially if the Application creates a session with the requester once the code is validated. Does that make any sense? How can I protect against that?

M. M

1 Answer

To take advantage of that, the attacker first needs to obtain the redirect URL. This is the hard part. The redirect will get sent from the authorization server to the resource owner, and requires HTTPS.

Once an attacker is able to snoop on this, most security is out of the window.

Evert
  • So the redirect URL is as safe as [passing sensitive information on query params](https://stackoverflow.com/questions/323200/is-an-https-query-string-secure) over HTTPS? – M. M May 04 '20 at 18:00
  • @M.M yes, passing tokens via URLs does indeed have issues, especially given that these URLs may end up in logs and caches. However, the `code` should be very short-lived and single-use, which should mitigate this quite a bit. – Evert May 04 '20 at 18:24
  • If the attacker somehow gets access to the code _before_ the code was validated, there will be a problem. – Evert May 04 '20 at 18:24
  • Perfect, thanks for answering the question and the details on the URL! – M. M May 04 '20 at 18:31
  • @M.M you might also be interested to know that OAuth2.1 is under development, has a good draft and will require additional signatures on authorization_code. However, I think this issue is still unchanged. – Evert May 04 '20 at 18:35
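As an added illustration (not code from the question or the answer), a constructed Python model of the defences the answer and the comments point at: the authorization server keeps the code short-lived and single-use, and the client binds `state` plus a PKCE verifier (the code protection OAuth 2.1 mandates, RFC 7636) to the browser session that started the login, so a copied step 2 URI arriving from a different session is rejected before the code is ever redeemed. Class names, the session cookies and the timing values are assumptions made for the example.

```python
import base64, hashlib, secrets

def s256(verifier: str) -> str:
    """PKCE S256 transform: base64url(sha256(verifier)) without padding (RFC 7636)."""
    return base64.urlsafe_b64encode(hashlib.sha256(verifier.encode()).digest()).rstrip(b"=").decode()

class AuthorizationServer:
    """Constructed model of the rules from the answer: a code is short-lived, single-use and bound
    to client_id, redirect_uri and a PKCE code_challenge. Not a real server."""
    def __init__(self, ttl=60):
        self.ttl, self.codes = ttl, {}
    def issue_code(self, client_id, redirect_uri, challenge, now):
        code = secrets.token_urlsafe(24)
        self.codes[code] = (client_id, redirect_uri, challenge, now + self.ttl)
        return code

    def redeem(self, code, client_id, redirect_uri, verifier, now):
        entry = self.codes.pop(code, None)  # single use: gone after the first attempt, valid or not
        if entry is None:
            return None
        cid, ruri, challenge, expires = entry
        if now > expires or (cid, ruri) != (client_id, redirect_uri) or s256(verifier) != challenge:
            return None
        return "access-token-" + secrets.token_hex(8)  # constructed token, stands in for a real one

class ClientApp:
    """example-app.com: state and the PKCE verifier live only in the browser session that began the login."""
    def __init__(self, auth, client_id="29352915982374239857", redirect_uri="https://example-app.com/callback"):
        self.auth, self.client_id, self.redirect_uri, self.pending = auth, client_id, redirect_uri, {}
    def start_login(self, cookie):
        verifier, state = secrets.token_urlsafe(32), secrets.token_urlsafe(16)
        self.pending[cookie] = {"state": state, "verifier": verifier}
        return state, s256(verifier)  # both go into the step 1 /auth URI (state=..., code_challenge=...)

    def callback(self, cookie, code, state, now):
        pending = self.pending.pop(cookie, None)  # one pending login per session, consumed on first callback
        if pending is None or pending["state"] != state:
            return None  # the redirect did not arrive in the session that started this login: reject
        return self.auth.redeem(code, self.client_id, self.redirect_uri, pending["verifier"], now)

def replay_scenario(now=1000):
    """The step 2 redirect URI from the question, replayed by an attacker before the owner follows it."""
    app = ClientApp(AuthorizationServer())
    state, challenge = app.start_login("owner-cookie")
    code = app.auth.issue_code(app.client_id, app.redirect_uri, challenge, now)  # steps 1 and 2
    attacker = app.callback("attacker-cookie", code, state, now)  # copied URI, but no owner session
    owner = app.callback("owner-cookie", code, state, now + 1)  # the legitimate browser
    replay = app.callback("owner-cookie", code, state, now + 2)  # same URI again: pending login consumed
    return attacker, owner, replay
```

Without the session binding in `callback`, the attacker's earlier request would redeem the single-use code first and the owner's own request would be the one rejected, which is exactly the outcome the question describes.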