pvpkiran

Reputation: 27078

Implementing OAuth2 Authorization Code Grant flow manually

I am planning to implement the OAuth2 Authorization Code grant flow (with PKCE) manually. My question is partly related to this. I am using Java and Spring Boot.

I want to secure my backend APIs with OAuth. These APIs are called by a native app. Most of the OAuth implementations for the Authorization Code grant require user interaction. I was wondering if it's possible to avoid this. Since my application runs on a native app, I do not want the user to be redirected to a browser for authentication. My app has Register/Login functionality.

I am planning to implement a filter, where the logic would look something like this:

if(uri contains authorize){
    get all details from request
    generate a uuid and store details in db with ttl
    return uuid as code.
}

else if(uri contains token){
    get all details from request
    extract code from request and check for validity in database.
    if(code valid) {
       generate a JWT with access_token with ttl and refresh_token
       return JWT
    }
}

else{
    check if JWT is present and valid
    if valid proceed
}

I will also have logic for the refresh token. I want to know:

  1. Are there any security flaws in doing it like this?
  2. Is there any other way to achieve the Authorization Code grant flow without user interaction?
  3. With respect to PKCE: using PKCE mitigates the threat of having the authorization code intercepted, by not creating/storing a client secret. But what stops the user from sending a request to the authorize endpoint with his/her own code challenge? How safe is the client ID in a native app?

Upvotes: 2

Views: 1363

Answers (1)

Toerktumlare

Reputation: 14820

First of all:

Do not, I repeat, do NOT ever try to implement some form of custom security by yourself.

That is one of the worst things you can do. Security is complicated, and often requires multiple teams to implement. That's why we have standard libraries for it. Use Spring Security.

Answers to your question:

  1. Security flaws are everywhere. Security is so much more than just the small snippet of code you have posted. OAuth2 is a standard, with exact rules as to what and how you verify and check things. So my quick answer is yes, you are not following the standard. So yes, it is insecure. Use Spring Security.

  2. No. When you say user interaction, I have no idea what you are talking about. You need to follow the defined flow, and whether you choose to automate the flow or not is up to you. Describe what it is you ACTUALLY want to do.

  3. Client IDs, or anything else for that matter, are never safe in any app. It all depends on the level of security you are looking for. If we are talking enterprise security, you usually store all secrets in the backend and implement some sort of BFF for your frontend app that holds all the client secrets and also performs the exchanges. The only thing that gets stored in the client is different types of secure cookies.

So whether your actual native app is making the exchanges, or some sort of proxy service, is up to you. But no, no secret is ever safe in any client.

Upvotes: 2
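For readers who want to see what the question's pseudocode leaves out and what the answer's "exact rules" actually are on the PKCE side, here is an added, self-contained Python example (it is not code from the question, the answer, or Spring Security). It models the two endpoints as plain functions: /authorize records the client_id, redirect_uri, S256 code_challenge and an expiry against a one-time code; /token burns the code, checks client_id, redirect_uri and expiry, and verifies SHA-256(code_verifier) against the stored challenge (RFC 7636). The client name, redirect URI and 60-second TTL are assumptions for the demo. The demo also shows what PKCE does and does not do for question 3: a code stolen in transit cannot be redeemed without the verifier, but any party that runs its own honest request with its own challenge is simply a client, which is why the answer says no secret, including a client_id, is safe inside the app.

```python
from __future__ import annotations

import base64
import hashlib
import secrets
import time
from dataclasses import dataclass


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def s256_challenge(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) (RFC 7636 s4.2)."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


# ---- client side: the native app generates a fresh pair per authorization request ----
def make_pkce_pair() -> tuple[str, str]:
    verifier = b64url(secrets.token_bytes(32))  # 43 chars of high-entropy base64url
    return verifier, s256_challenge(verifier)


# ---- server side: what /authorize must store and /token must check ----
@dataclass
class PendingCode:
    client_id: str
    redirect_uri: str
    code_challenge: str
    expires_at: float
    used: bool = False


class AuthServer:
    CODE_TTL_SECONDS = 60  # assumed: codes are short-lived and single-use

    def __init__(self, registered_clients: dict[str, str], now=time.time):
        self.clients = registered_clients  # client_id -> registered redirect_uri
        self.codes: dict[str, PendingCode] = {}
        self.now = now  # injectable clock so expiry can be demonstrated

    def authorize(self, client_id: str, redirect_uri: str,
                  code_challenge: str, code_challenge_method: str) -> str:
        if self.clients.get(client_id) != redirect_uri:
            raise ValueError("unknown client_id or redirect_uri not registered")
        if code_challenge_method != "S256":
            raise ValueError("only S256 is accepted; 'plain' offers no protection")
        code = b64url(secrets.token_bytes(32))
        self.codes[code] = PendingCode(client_id, redirect_uri, code_challenge,
                                       self.now() + self.CODE_TTL_SECONDS)
        return code

    def token(self, client_id: str, redirect_uri: str, code: str, code_verifier: str) -> dict:
        pending = self.codes.get(code)
        if pending is None or pending.used:
            raise ValueError("invalid or already used code")
        pending.used = True  # burn on first presentation, even if the checks below fail
        if self.now() > pending.expires_at:
            raise ValueError("code expired")
        if pending.client_id != client_id or pending.redirect_uri != redirect_uri:
            raise ValueError("code was issued to a different client_id/redirect_uri")
        if not secrets.compare_digest(s256_challenge(code_verifier), pending.code_challenge):
            raise ValueError("code_verifier does not match stored code_challenge")
        return {"access_token": b64url(secrets.token_bytes(32)), "token_type": "Bearer"}


def _rejected(fn) -> bool:
    """True if the call raises ValueError (the server's rejection signal here)."""
    try:
        fn()
    except ValueError:
        return True
    return False


def demo() -> dict[str, bool]:
    """Constructed scenarios: honest exchange plus the attacks PKCE and the checks block."""
    clock = [1000.0]
    cid, red = "native-app", "com.example.app:/callback"  # assumed client registration
    srv = AuthServer({cid: red}, now=lambda: clock[0])
    results: dict[str, bool] = {}

    verifier, challenge = make_pkce_pair()  # honest client keeps the verifier to itself
    code = srv.authorize(cid, red, challenge, "S256")
    results["honest_exchange"] = "access_token" in srv.token(cid, red, code, verifier)
    results["replay_rejected"] = _rejected(lambda: srv.token(cid, red, code, verifier))

    _, challenge2 = make_pkce_pair()
    code2 = srv.authorize(cid, red, challenge2, "S256")  # attacker intercepts code2 ...
    attacker_verifier, _ = make_pkce_pair()              # ... but never saw the verifier
    results["intercepted_rejected"] = _rejected(lambda: srv.token(cid, red, code2, attacker_verifier))

    verifier3, challenge3 = make_pkce_pair()
    code3 = srv.authorize(cid, red, challenge3, "S256")
    clock[0] += AuthServer.CODE_TTL_SECONDS + 1
    results["expired_rejected"] = _rejected(lambda: srv.token(cid, red, code3, verifier3))

    results["plain_method_rejected"] = _rejected(lambda: srv.authorize(cid, red, "x", "plain"))
    return results


if __name__ == "__main__":
    print(demo())
```

Compare this with the question's filter: its /authorize stores "all details" and returns a UUID, and its /token only checks that the code exists. Without binding the code to client_id and redirect_uri, without single use and a short TTL, and without the verifier check, anyone who obtains the code (a logged URL, a malicious app registered for the same custom scheme) can redeem it. Note also that the user's own authentication and consent still happen at /authorize in a real server; PKCE only proves the token request comes from whoever started that authorization request.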
