SamTest

Reputation: 465

Is Oauth2 authorization code bound with the client id?

I tried to log in to two separate websites, both using "login with Google". I intercepted the auth code from the 1st site and exchanged it with the auth code of the 2nd site. Neither site would let me log in. I remember that in RFC 6749 it is not specified that the auth code be bound to any identity; is it implemented this way to increase security?

Upvotes: 3

Views: 782

Answers (2)

Kavindu Dodanduwa

Reputation: 13059

Short answer: the authorization code is bound to the client it was issued to.

This is strictly enforced by RFC 6749 and stated in the 4.1.3. Access Token Request section. Also, it is one of many checks the authorization server performs to validate a token request. The specification states the following:

The authorization server MUST:

o ensure that the authorization code was issued to the authenticated confidential client, or if the client is public, ensure that the code was issued to "client_id" in the request

So the authorization server will cross-check the authorization code against the client ID or the client credentials, depending on the client type.

Furthermore, the authorization code is a temporary secret which must not be exposed to other parties. This is highlighted in the security considerations' 10.5. Authorization Codes section.

Upvotes: 3

monty

Reputation: 1590

This is indeed part of OAuth 2.0 security:

Exchange the Authorization Code for an Access Token

We’re about ready to wrap up the flow. Now that the application has the authorization code, it can use that to get an access token.

The application makes a POST request to the service’s token endpoint with the following parameters:

grant_type=authorization_code - This tells the token endpoint that the application is using the Authorization Code grant type.

code - The application includes the authorization code it was given in the redirect.

redirect_uri - The same redirect URI that was used when requesting the code. Some APIs don’t require this parameter, so you’ll need to double check the documentation of the particular API you’re accessing.

client_id - The application’s client ID.

client_secret - The application’s client secret. This ensures that the request to get the access token is made only from the application, and not from a potential attacker that may have intercepted the authorization code.

from https://developer.okta.com/blog/2018/04/10/oauth-authorization-code-grant-type#exchange-the-authorization-code-for-an-access-token

Upvotes: 1
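Both answers above describe the same token-endpoint checks; the following is an added example (not code from either answer, the question, RFC 6749 or the Okta post) of a minimal in-memory authorization server that performs them, so the question's experiment can be replayed: a code issued to one client, presented by another. The two client registrations, their secrets, the redirect URIs and the user name are constructed sample values; the 60-second code lifetime is an assumption within the RFC's recommended maximum.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed client registrations (assumption): two confidential clients that
# stand in for the two "login with Google" websites in the question.
CLIENTS = {
    "site-a": {"secret": "a-secret", "redirect_uri": "https://a.example/callback"},
    "site-b": {"secret": "b-secret", "redirect_uri": "https://b.example/callback"},
}
CODE_LIFETIME_S = 60  # assumption; RFC 6749 4.1.2 recommends at most 10 minutes


@dataclass
class IssuedCode:
    client_id: str      # the client the code was issued to
    redirect_uri: str   # the redirect_uri used in the authorization request
    subject: str        # the end user who approved the request
    issued_at: float
    used: bool = False


class TokenError(Exception):
    """An RFC 6749 5.2 error response such as invalid_client or invalid_grant."""


class AuthorizationServer:
    def __init__(self):
        self._codes = {}            # code -> IssuedCode
        self._tokens_by_code = {}   # code -> access token issued from it
        self._revoked_tokens = set()

    def issue_code(self, client_id, redirect_uri, subject):
        """Authorization endpoint: mint a code bound to the client and redirect URI."""
        client = CLIENTS.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise TokenError("invalid_request")
        code = secrets.token_urlsafe(32)
        self._codes[code] = IssuedCode(client_id, redirect_uri, subject, time.time())
        return code

    def exchange_code(self, code, client_id, client_secret, redirect_uri):
        """Token endpoint: the checks RFC 6749 4.1.3 requires before issuing a token."""
        client = CLIENTS.get(client_id)
        # 1. Authenticate the confidential client (constant-time secret comparison).
        if client is None or not hmac.compare_digest(client["secret"], client_secret):
            raise TokenError("invalid_client")
        issued = self._codes.get(code)
        if issued is None:
            raise TokenError("invalid_grant: unknown code")
        # 2. The code must have been issued to the authenticated client.
        if issued.client_id != client_id:
            raise TokenError("invalid_grant: code issued to a different client")
        # 3. redirect_uri must match the one from the authorization request.
        if issued.redirect_uri != redirect_uri:
            raise TokenError("invalid_grant: redirect_uri mismatch")
        # 4. The code must not be expired.
        if time.time() - issued.issued_at > CODE_LIFETIME_S:
            raise TokenError("invalid_grant: code expired")
        # 5. Single use (RFC 6749 10.5): a replay is denied and the token it
        #    previously produced is revoked.
        if issued.used:
            self._revoked_tokens.add(self._tokens_by_code[code])
            raise TokenError("invalid_grant: code already used")
        issued.used = True
        token = secrets.token_urlsafe(32)
        self._tokens_by_code[code] = token
        return token

    def token_is_valid(self, token):
        return token in self._tokens_by_code.values() and token not in self._revoked_tokens


def try_exchange(server, code, client_id, client_secret, redirect_uri):
    """Return ("token", value) on success or ("error", message) when rejected."""
    try:
        return ("token", server.exchange_code(code, client_id, client_secret, redirect_uri))
    except TokenError as exc:
        return ("error", str(exc))


def run_scenario():
    """Replay the question: a code issued to site A is presented by site B, then used and replayed by A."""
    server = AuthorizationServer()
    code = server.issue_code("site-a", "https://a.example/callback", "alice")
    swapped = try_exchange(server, code, "site-b", "b-secret", "https://b.example/callback")
    legit = try_exchange(server, code, "site-a", "a-secret", "https://a.example/callback")
    replay = try_exchange(server, code, "site-a", "a-secret", "https://a.example/callback")
    still_valid = server.token_is_valid(legit[1]) if legit[0] == "token" else None
    return {"swapped": swapped, "legit": legit, "replay": replay,
            "legit_token_still_valid": still_valid}


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name}: {outcome}")
```

The swapped exchange fails at check 2 even though site B authenticates correctly with its own secret, which is exactly what the question observed. The replay shows the further rule from section 10.5: a second use of the same code is refused and the access token already issued from it is revoked.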
