Reputation: 415
I've been reading the OAuth2 specs over and over, but I can't figure out one thing. Isn't the Authorization Code flow without Client Secret (which is now recommended for single page apps) highly insecure because it can easily be used for phishing? Let me explain:
Now, in reality, the Client that requested the authorization is a phishing site which the user, unfortunately, didn't recognize. The Redirect URL passed to the Authorization Server points to the malicious Client, not to the legitimate one. The Client ID is public information, so setting up such a site is fairly easy.
What will happen if the Client Secret is required?
But what if the Resource Server doesn't require the Client Secret?
Am I missing something or is this correct and there's nothing that can be done to make using OAuth2 with single page apps more secure?
Upvotes: 6
Views: 8259
Reputation: 393
The resource server doesn't require a client_secret as only valid clients can obtain and redeem an authorization code. A client must be validated against not only the client_id but also the redirect_uri that is registered to the client. When registering an OAuth Client you should require a list of redirect_uri values that are permitted for use with the client_id.

So if a malicious client made a request it would fail validation, as you must only redirect if the redirect_uri is permitted.
This is detailed in the OAuth 2.0 RFC under section 3.1.2.2 https://www.rfc-editor.org/rfc/rfc6749#section-3.1.2.2
Upvotes: 12
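As an added example (not code from the question, the answer, or any real authorization server), here is the redirect_uri check the answer describes, in Python: the authorization endpoint compares the requested redirect_uri exactly against the client's registered list and refuses to redirect on a mismatch, and the token endpoint only redeems a code for the same client_id/redirect_uri pair it was issued to. The client id and URIs are constructed placeholders.

```python
import secrets
from typing import Dict, Optional, Tuple

# Constructed registry (hypothetical values): each public client_id maps to
# the exact redirect_uri strings registered for it.
REGISTERED_CLIENTS = {
    "spa-client-123": {"https://app.example.com/callback"},
}

# Issued authorization codes, bound to the client/redirect pair they were
# issued for; a code is removed on first redemption (single use).
ISSUED_CODES: Dict[str, Tuple[str, str]] = {}


def redirect_uri_permitted(client_id: str, redirect_uri: Optional[str]) -> bool:
    """Exact-string comparison against the registered list (RFC 6749 3.1.2.2).

    No prefix, host-only or wildcard matching: a look-alike path or subdomain
    run by someone else must not pass.
    """
    registered = REGISTERED_CLIENTS.get(client_id)
    if not registered:
        return False                      # unknown client_id
    if redirect_uri is None:              # omitted: only OK with one registered URI
        return len(registered) == 1
    return redirect_uri in registered


def authorize(params: dict) -> dict:
    """Authorization endpoint decision for a GET /authorize request.

    On a client_id/redirect_uri mismatch the server MUST inform the user and
    MUST NOT redirect (3.1.2.4): the only redirect target it has is untrusted.
    """
    client_id = params.get("client_id", "")
    if not redirect_uri_permitted(client_id, params.get("redirect_uri")):
        return {"action": "show_error_page", "error": "invalid_request"}
    target = params.get("redirect_uri") or next(iter(REGISTERED_CLIENTS[client_id]))
    code = secrets.token_urlsafe(32)
    ISSUED_CODES[code] = (client_id, target)   # bind code to this pair
    return {"action": "redirect", "to": target, "code": code}


def redeem_code(code: str, client_id: str, redirect_uri: str) -> bool:
    """Token endpoint check (4.1.3): same client, same redirect_uri, once."""
    bound = ISSUED_CODES.pop(code, None)        # single use, even on failure
    return bound == (client_id, redirect_uri)
```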