Reputation: 481
There are many discussions in almost every forum about web application security (not considering mobile apps), especially using OAuth2 and JWT. Everyone puts their comments/answers this and that, blah..blah..blah about security tokens (assuming almost all of the valuable web might have gone stateless by this near end of 2016). Seriously, I am not aware if it is so easy; I have found everyone writing their answers against an imaginary attacker as if it is so relaxed and easy for attackers to steal a user's client-side web app access_token and refresh_token. What are the various possible ways that an attacker can actually compromise your web app's issued access_token and refresh_token on the client side? Does this kind of compromise also depend upon the user using the web app? How easily can an attacker eavesdrop on any communications between the client and the authorization server? Any open code examples, if anyone wants to showcase them, will be highly regarded. Seeking to-the-point answers rather than tiring discussions about web app security. I want to apologize if this happens to be a Quora-like question.
Upvotes: 0
Views: 209
Reputation: 16695
There are a lot of justified questions about OAuth2 security in general.
A few years ago, when OAuth2 was just a draft, one of the main contributors to that specification wrote an interesting blog post on that topic. And he is right: out of the box, this framework protocol offers a lot of possibilities to easily impersonate a client and get access to user resources or send valid requests, including admin requests.
The main reason is that RFC6749 clearly indicates that it relies on a TLS connection. The attacks rarely depend on the user unless the access token is exported. Man in the Middle, malicious mobile app, reverse engineering, brute force... are some of the available ways to get an access token. It is hard to get an exhaustive list of all types of attacks.
However, as it is a framework protocol, nothing prevents you from implementing additional security features. That is why the IETF OAuth2 Working Group is working on some very interesting enhancements to protect all stakeholders (client, authorization servers, resource servers) and the communications between them.
I recommend that you read the following RFCs or drafts:
Additionally, you may also be interested in the token binding draft, which is (from my POV) a major improvement as it binds tokens to the TLS connection. In other words, even if the access token is compromised (or deliberately exported), it cannot be used, as the TLS connection will be different.
More drafts related to the security of OAuth2 are available on the IETF OAuth2 Working Group page (see signed requests, closing redirectors, X.509 Client authentication...).
Upvotes: 1
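As an added illustration of the token binding idea from the answer above (example code, not from the question, the answer or the IETF drafts): the authorization server puts a hash of a per-connection channel identifier into the token, and the resource server only accepts the token when the same identifier is presented. The channel identifier, the signing key and the token encoding are constructed for the demo and are not the RFC wire format.

```python
# Added example, not code from the page: toy token binding. A real
# deployment would take channel_id from the TLS layer (the Token Binding ID);
# here it is a constructed byte string passed in by the caller.
import base64
import hashlib
import hmac
import json

# Constructed key shared by the authorization server and resource server.
SERVER_KEY = b"constructed-demo-signing-key"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _channel_thumbprint(channel_id: bytes) -> str:
    # Store a hash of the channel identifier in the token, not the raw value.
    return _b64url(hashlib.sha256(channel_id).digest())


def issue_token(subject: str, channel_id: bytes, now: int, ttl: int = 300) -> str:
    """Authorization server: mint a token bound to the client's channel."""
    claims = {"sub": subject, "exp": now + ttl,
              "cnf": {"tb": _channel_thumbprint(channel_id)}}
    body = _b64url(json.dumps(claims, sort_keys=True).encode())
    tag = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64url(tag)}"


def verify_token(token: str, channel_id: bytes, now: int) -> str:
    """Resource server: return 'ok' or the reason the token is rejected."""
    try:
        body, tag = token.split(".", 1)
        expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(tag)):
            return "bad_signature"
        claims = json.loads(_b64url_decode(body))
        exp, bound = int(claims["exp"]), str(claims["cnf"]["tb"])
    except (ValueError, KeyError, TypeError):
        return "malformed"
    if now >= exp:
        return "expired"
    # A token replayed over a different connection fails this check even
    # though its signature is still valid.
    if not hmac.compare_digest(bound, _channel_thumbprint(channel_id)):
        return "channel_mismatch"
    return "ok"
```

The same token that verifies as `ok` on the channel it was issued for comes back `channel_mismatch` on any other channel, which is the property the answer describes.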