Reputation: 377
OAuth2 without secret
I'm trying to build a OAuth2 provider that won't need any secret token or url_redirect whitelist.
Here's the idea:
- You copy paste the button on your website
- Provider (us) authenticates user, gives him a auth token linked to HTTP_REFERER in our database (using window.postMessage to send the token back to the parent window).
- Site asks user infos from Provider (us) with referer_origin as a parameter.
That way, we are sure that tokens will always stay on the same domain. No need for secret keys. Is there a flaw in my schema?
Upvotes: 0
Views: 1294
Answers (1)
Reputation: 6726
If you are using implicit flow, your scheme has no drawbacks: client_secret makes no sense for implicit flow anyway.
In case of authorization code flow, client_secret serves one additional purpose which is not covered by your scheme: It prevents desktop applications from impersonating other applications. Within a browser, your scheme will work because browser enforces URL check (within postMessage, or via redirect), but it is possible to build a desktop application or a shell-script, which pretends to be client_id=x, gets the authorization code and then exchanges it to access token. client_secret prevents this.
Also note that displaying login screen within an iframe is also a security issue: Other applications may impersonate your iframe and capture user credentials without user noticing that.
Upvotes: 2
Related Questions
- OAuth 2.0 Authorization Code Grant without secret
- OAuth2 - Authorize with no user interaction
- How to do non-interactive oauth2 api call?
- OAuth flow without asking user for authorization
- using oauth for API without 3rd party
- OAuth2 - how to authorize without client secret?
- OAuth2 Login (Not Authorization)
- Does OAUth 2 allow authentication without UI (to an account with hard coded credentials)?
- OAuth Authorization without login
- How to keep the oAuth 2.0 Client Secret a secret?