Reputation: 37
Why does Authorization Request not require client secret in OAuth2 Authorization Code Grant Flow?
In OAuth2.0 Authorization Code Grant as stated in RFC 6749, the token request requires client secret according to sec4.1.3; however, the authorization request is not according to sec4.1.1.
Does anyone know why? It seems using client secret for both authorization and token request makes the process more secure.
Upvotes: 2
Views: 1522
Answers (1)
Reputation: 116868
They are different because they are two different types of requests. 4.1.1
GET /authorize?response_type=code&client_id=s6BhdRkqt3&state=xyz &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1 Host: server.example.com
Is used to display the actual consent screen to the user.
Once the user has accepted then the code is exchanged for an access token
>HTTP/1.1 302 Found
Location: https://client.example.com/cb?code=SplxlOBeZQQYbYS6WxSbIA
&state=xyz
No secret is needed because you are currently in the Authorization Code section of the document.
4.1. Authorization Code Grant
The authorization code grant type is used to obtain both access tokens and refresh tokens and is optimized for confidential clients. Since this is a redirection-based flow, the client must be capable of interacting with the resource owner's user-agent (typically a web browser) and capable of receiving incoming requests (via redirection) from the authorization server.
Authorization Code is sometimes refereed to as the Implicit flow, as the required access token is sent back to the client application without the need for an authorization request token. This makes the whole flow pretty easy, but also less secure. As the client application, which is typically JavaScript running within a Browser is less trusted, no refresh tokens for long-lived access are returned. Returning an access token to JavaScript clients also means that your browser-based application needs to take special care – think of XSS (Cross-Site Scripting) Attacks that could leak the access token to other systems.
Basically a user implicitly trusts their pc so there is really no need for the client secret validation step. Client secret is only needed for server sided applications where the user does not have access to the server so the server must validate itself.
Upvotes: 2
Related Questions
- Oauth2.0 Authorization Code Grant ClientId & Secret Confusion
- Why do I need a client id for OAuth2 password grant flow?
- Why client authentication is NOT mandatory with Authorization Code Grant and Implicit Grant in OAuth2.0
- OAuth 2: authorization_code Grant - Is client_secret param neccesary?
- OAuth2 Sending Client secret in authorization step
- How and why ot protect client secret in oauth2
- Understanding the need of client id, client secret in oauth 2.0
- Are Client Credentials optional in the oAuth2 Resource Owner Password Credentials Grant flow?
- Why isn't client secret encrypted in OAuth?
- What's the purpose of the client secret in OAuth2?