Reputation: 120
We are using the IBM MobileFirst 8.0 framework with our iOS application. The framework uses the OAuth 2.0 flow for authentication.
I see client_id and redirect_uri being passed to the authorization endpoint in a GET request. It seems this flow is actually taken care of by the MobileFirst framework and I don't have any control over it.
response_type=code scope= client_id=CLIENT_ID redirect_uri=REDIRECT_URL
What are the security vulnerabilities of exposing "client_id" and "redirect_uri" in a GET request?
EDIT:
I changed the redirect_uri in code and issued a request to the authorization endpoint.
I thought there was some whitelisting done at the framework level, but that is not the case.
This is what I see: the authorization_code is passed to hackerserver: http://hackerserver:port/context/getdata?code=authorization_code
Upvotes: 0
Views: 462
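The redirect_uri whitelisting the question's EDIT expected at the framework level, shown as an added example that is not part of the original post or of IBM MobileFirst: the authorization server compares the supplied redirect_uri against the URIs registered for that client_id by exact string match (RFC 6749 section 3.1.2.3) and refuses to issue a code to anything else. The client registry, the app and hackerserver URLs and the 8080 port are constructed for the example.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed client registry for this example: each client_id maps to the exact
# redirect URIs registered for it. A real server loads this from its client store.
REGISTERED_CLIENTS = {
    "CLIENT_ID": {"https://app.example.com/context/getdata"},
}

# Constructed sample requests. GOOD_REQUEST mirrors the parameters from the
# question (response_type=code, empty scope, client_id, redirect_uri).
# TAMPERED_REQUEST is the same request with redirect_uri pointed at an
# attacker-controlled host, as in the question's EDIT (8080 stands in for "port").
GOOD_REQUEST = (
    "https://as.example.com/authorize?response_type=code&scope=&client_id=CLIENT_ID"
    "&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcontext%2Fgetdata"
)
TAMPERED_REQUEST = (
    "https://as.example.com/authorize?response_type=code&scope=&client_id=CLIENT_ID"
    "&redirect_uri=http%3A%2F%2Fhackerserver%3A8080%2Fcontext%2Fgetdata"
)


def validate_authorization_request(request_url):
    """Validate an authorization request URL.

    Returns (accepted, detail): on success detail is the redirect_uri to use,
    on failure it is the rejection reason.
    """
    params = parse_qs(urlsplit(request_url).query, keep_blank_values=True)

    # Each of these must appear exactly once. A duplicated redirect_uri is a
    # parameter-pollution pattern and never part of a legitimate request.
    for name in ("response_type", "client_id", "redirect_uri"):
        if len(params.get(name, [])) != 1:
            return False, f"{name} must be present exactly once"

    if params["response_type"][0] != "code":
        return False, "unsupported response_type"

    client_id = params["client_id"][0]
    redirect_uri = params["redirect_uri"][0]

    registered = REGISTERED_CLIENTS.get(client_id)
    if registered is None:
        return False, "unknown client_id"

    # Exact match only: no prefix matching, no scheme downgrade (https -> http),
    # no extra path or query components. On mismatch the code must not be sent
    # anywhere, not even to the supplied URI; the server shows an error page.
    if redirect_uri not in registered:
        return False, "redirect_uri not registered for this client_id"

    return True, redirect_uri


def build_code_redirect(request_url, authorization_code):
    """Return the redirect target carrying the authorization code, or None when
    the request fails validation. The code value is supplied by the caller."""
    accepted, detail = validate_authorization_request(request_url)
    if not accepted:
        return None
    separator = "&" if urlsplit(detail).query else "?"
    return f"{detail}{separator}code={authorization_code}"


if __name__ == "__main__":
    # Legitimate request: the code goes to the registered app URI.
    print(build_code_redirect(GOOD_REQUEST, "AUTHCODE"))
    # Tampered request: no redirect is produced, so the code never leaves the server.
    print(build_code_redirect(TAMPERED_REQUEST, "AUTHCODE"))
    print(validate_authorization_request(TAMPERED_REQUEST))
```

With this check in place, the request from the EDIT is rejected before any code is minted, which is the behaviour the asker expected the framework to provide; exact matching also blocks subtler variants such as a matching host on a different scheme or port.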
Reputation: 49371
There are no known risks of those values being exposed. Those values are used with other encrypted data in the client SDK to identify a client. They are not enough by themselves.
Also, as iddo mentioned in the comments, you are supposed to use SSL/TLS. Someone being able to listen in your traffic is a problem in itself, regardless of client IDs and whatnot.
Upvotes: 2