Reputation: 2746
How and why is Google OAuth token validation performed?
Between access tokens, refresh tokens, scopes, audiences, and client IDs, I was confused when the Google OAuth documentation instructed me to validate all tokens in order to prevent the confused deputy problem. The Wikipedia article linked to only describes the general problem at a high level, not specific to OAuth or even network authentication. If I understand it correctly, token validation is not even part of OAuth2 but actually depends on the specific implementation. So here is my question:
How and why is Google OAuth token validation performed?
A concrete example of the confused deputy problem in this context would be especially appreciated. Also note that I ask this in the context of entirely client-side apps, if that makes a difference.
Upvotes: 24
Views: 10947
Answers (2)
Reputation: 4713
Google is referring specifically to the access token.
In the context of OAuth 2.0, the confused deputy problem applies to the Implicit Grant protocol flow when used for authentication. What Google calls "OAuth 2.0 for Client-side Applications" is based on the implicit grant protocol flow.
Since the implicit flow exposes the access token to the end user through the URI fragment, it introduces the possiblity that the access token might be tampered with. A legitimate app (an OAuth client) can become the confused deputy by accepting an access token that was issued to a different (malicious) app, thereby giving an attacker access to a victim's account.
The critical step in validating the access token is that the app verifies that the access token was not originally issued to a different app. Google calls attention to this when they say:
Note: When verifying a token, it is critical to ensure the audience field in the response exactly matches your client_id registered in the APIs Console. This is the mitigation for the confused deputy issue, and it is absolutely vital to perform this step.
As a simplified example, imagine there are two apps: (1) FileStore, a legitimate file storage app, and (2) EvilApp. Both apps use Google's authentication process for client-side apps. Alice is an innocent end user, and her Google user ID is XYZ.
- Alice signs into FileStore using Google.
- After the auth process, FileStore creates an account for Alice and associates it with Google user ID XYZ.
- Alice uploads some files to her FileStore account. So far everything is fine.
- Later, Alice signs into EvilApp, which offers games that look kind of fun.
- As a result, EvilApp gains an access token that is associated with Google user ID XYZ.
- The owner of EvilApp can now construct the redirect URI for FileStore, inserting the access token it was issued for Alice's Google account.
- The attacker connects to FileStore, which will take the access token and check with Google to see what user it is for. Google will say that it is user XYZ.
- FileStore will give the attacker access to Alice's files because the attacker has an access token for Google user XYZ.
FileStore's mistake was not verifying with Google that the access token it was given was truly issued to FileStore; the token was really issued to EvilApp.
Others have described this much more elegantly than I:
- http://www.thread-safe.com/2012/02/more-on-oauth-implicit-flow-application.html
- http://www.thread-safe.com/2012/01/problem-with-oauth-for-authentication.html
- https://www.rfc-editor.org/rfc/rfc6749#section-10.16
I hope this explains the why part of access token validation with client-side apps, and how it relates to the confused deputy problem.
Upvotes: 50
Reputation: 3306
How are you using OAuth2? Do you obtain an authorization code and exchange for refresh token? Or are you obtaining access tokens directly via your frontend?
If you're receiving an authorization code, you're done, as the check for client_secret performed by Google in the backend guarantees that all tokens returned in exchange for the authorization code were issued for your application.
If you're receiving an access_token+id_token through frontend, then you should validate the id_token signature using the recommended libraries, then validate that the 'aud' field in the id_token matches the one you registered for your application w/ Google. For complete security, also cross-validate the access_token with the id_token (the id_token includes a truncated hash of the access_token as filed 'at_hash'), as documented in: https://developers.google.com/accounts/docs/OAuth2Login
Upvotes: 3
Related Questions
- Understanding Google OAuth2 Refresh tokens
- How to validate Google OAuth JWT
- OpenID connect - DO I need to verify the token at google at any request the user is making to my server?
- How does "auth code and access/refresh token" exchange happens in Google oAuth flow
- how does token validation works on token based authantication systems
- Validating Google OAuth id token received from oauth2/v4/token
- Google+ Server Side Token Validation
- Understanding the Google Sign-in flow with token validation
- How does ASP.Net Web API validate OAuth 2.0 token?
- How does google check refresh token - client binding for their OAuth 2.0?