Reputation: 6287
The OAuth manual (https://www.oauth.com/oauth2-servers/client-registration/client-id-secret/) says that:
The client_id is a public identifier for apps. Even though it’s public, it’s best that it isn’t guessable by third parties, so many implementations use something like a 32-character hex string. It must also be unique across all clients that the authorization server handles. If the client ID is guessable, it makes it slightly easier to craft phishing attacks against arbitrary applications.
Why should I care about client_id guessing? It is public. Anyone can read it. Why should I make it a hex string?
Can I have my own OAuth provider that has only a few client IDs, e.g. app1, app2, app3? I will use PKCE and the server will redirect to well-known URLs only.
How is that vulnerable to phishing with such short client_id values?
Upvotes: 2
Views: 427
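As an added example (not part of the question or of the linked OAuth manual), here is a minimal in-memory authorization server in Python that puts the three mechanisms the question touches on side by side: a 32-character hex client_id generated with secrets.token_hex, exact-match checking of redirect_uri against the registered list (with no redirect at all on a mismatch), and PKCE S256 verification as specified in RFC 7636. The AuthServer class, its method names, and the example URIs are hypothetical; nothing here is taken from any real provider.

```python
"""Toy OAuth 2.0 authorization server (hypothetical, constructed for illustration):
unguessable client_id generation, exact redirect_uri matching, and PKCE S256 checks."""
import base64
import hashlib
import secrets


def new_client_id() -> str:
    # 16 random bytes -> 32-character hex string, the form the OAuth manual describes.
    return secrets.token_hex(16)


def s256_challenge(code_verifier: str) -> str:
    # RFC 7636: code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), no '=' padding.
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthServer:
    """Minimal in-memory authorization server for public (PKCE-only) clients."""

    def __init__(self) -> None:
        self.clients: dict[str, dict] = {}   # client_id -> registration record
        self.codes: dict[str, dict] = {}     # authorization code -> issuance record

    def register(self, name: str, redirect_uris: list[str]) -> str:
        client_id = new_client_id()
        self.clients[client_id] = {"name": name, "redirect_uris": frozenset(redirect_uris)}
        return client_id

    def authorize(self, client_id: str, redirect_uri: str, code_challenge: str,
                  code_challenge_method: str = "S256"):
        """Return (ok, value): an authorization code on success, an error string on failure.
        On any failure the server must NOT redirect the browser to the supplied redirect_uri."""
        client = self.clients.get(client_id)
        if client is None:
            return False, "unknown_client"
        # Exact string comparison against the registered set: no prefix or wildcard matching.
        if redirect_uri not in client["redirect_uris"]:
            return False, "invalid_redirect_uri"
        if code_challenge_method != "S256" or not code_challenge:
            return False, "pkce_required"
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "challenge": code_challenge}
        return True, code

    def token(self, client_id: str, code: str, code_verifier: str, redirect_uri: str):
        """Exchange a code for a token; the code is single-use and bound to client and URI."""
        record = self.codes.pop(code, None)  # consumed on the first attempt, valid or not
        if record is None:
            return False, "invalid_grant"
        if record["client_id"] != client_id or record["redirect_uri"] != redirect_uri:
            return False, "invalid_grant"
        # Constant-time comparison of the recomputed challenge with the stored one.
        if not secrets.compare_digest(s256_challenge(code_verifier), record["challenge"]):
            return False, "invalid_grant"
        return True, {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def demo() -> bool:
    """Full happy-path round trip: register, authorize with PKCE, redeem the code."""
    server = AuthServer()
    cid = server.register("app1", ["https://app1.example/callback"])
    verifier = secrets.token_urlsafe(32)  # 43-char verifier kept by the client only
    ok, code = server.authorize(cid, "https://app1.example/callback", s256_challenge(verifier))
    ok2, tok = server.token(cid, code, verifier, "https://app1.example/callback")
    return bool(ok and ok2 and tok["token_type"] == "Bearer")


if __name__ == "__main__":
    print("round trip ok:", demo())
```

The s256_challenge function reproduces the RFC 7636 Appendix B test vector, so it can be checked against the specification directly; the authorize method deliberately returns an error instead of redirecting when the redirect_uri does not match a registered value exactly.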