Faisal

Reputation: 119

OAuth using client_id and client secret for token request, is it secure?

Hi, I am learning about API security and reading material on OAuth. I have a little confusion, as below.

I am a client and using the API services of some third party. Once I, as a client, log in to my client app and later need to access the API, the authorization process starts. In the first step I need to request an authorization code; once consent is given and the OAuth server returns the temporary authorization code, the client will request the token. In this step the client would be sending the client ID and client secret with other parameters. Let's say one of the programmers who developed the code, or has access to the code, knows the client ID and also the client secret. Once that developer leaves the company, how protected are that client ID and client secret? Having the client ID and client secret, one can easily access the resources.

Upvotes: 1

Views: 2110

Answers (1)

Hans Z.

Reputation: 53958

You are correct that someone with access to the client_id and client_secret - and some dedication - could potentially access the resources. Do note that it also requires obtaining an authorization code from the user, which requires phishing or some other kind of - not too difficult - attack on the side. But basically impersonating the client when you have the client credentials is easy.

To prevent that, you can use techniques that are used elsewhere for keeping secrets out of the hands of rogue developers, such as:

  • rotate the client secret regularly
  • change the client secret explicitly on certain events, e.g. when someone leaves or a leak was detected
  • use a PKI solution for client authentication (such as private_key_jwt), which does not require any changes on the Provider side to roll over the client's certificate/key, thus making the first two approaches easier (in case the client cert/key is compromised)
  • use different secrets in production than in development environments, and shield the secrets in production environments from people who should not have access
  • etc.

Upvotes: 1
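A worked version of the private_key_jwt approach the answer recommends, added here as an example (it is not code from the question, the answer, or any particular OAuth provider): the client builds the signed client_assertion it sends to the token endpoint, the provider side selects the client's public key by kid from the client's published JWKS and verifies the assertion, and the rollover at the end retires a key with no change to the provider's client registration. Only Go's standard library is used. Assumed, not taken from the page: the client_id example-client, the token endpoint https://as.example.com/token, the key ids 2023-q4 and 2024-q1, and EdDSA (Ed25519, RFC 8037) as the JWS algorithm; a given provider may require RS256 or ES256 instead, which changes only the signing and verification calls.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JOSE base64url without padding

// JWK is a JSON Web Key as a plain JSON object; the client publishes its public keys at its jwks_uri.
type JWK map[string]string

// ClientKey is one private signing key held by the client; "kid" names it in the published JWKS.
type ClientKey struct{ Kid string; Priv ed25519.PrivateKey }

func NewClientKey(kid string) (*ClientKey, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	return &ClientKey{Kid: kid, Priv: priv}, err
}

// Public is the JWK the client publishes for this key (RFC 8037 OKP/Ed25519).
func (k *ClientKey) Public() JWK {
	return JWK{"kty": "OKP", "crv": "Ed25519", "kid": k.Kid, "x": b64.EncodeToString(k.Priv.Public().(ed25519.PublicKey))}
}

// ClientAssertion builds the private_key_jwt assertion (RFC 7523, OIDC Core 9) sent as client_assertion in the
// token request: iss = sub = client_id, aud = the token endpoint, a short exp and a unique jti.
func (k *ClientKey) ClientAssertion(clientID, tokenEndpoint string, now time.Time) string {
	jti := make([]byte, 16) // fresh per request so the provider can reject replays
	must(rand.Read(jti))    // a failing crypto/rand is fatal, not something to recover from
	header, _ := json.Marshal(map[string]string{"alg": "EdDSA", "typ": "JWT", "kid": k.Kid})
	claims, _ := json.Marshal(map[string]interface{}{"iss": clientID, "sub": clientID, "aud": tokenEndpoint,
		"iat": now.Unix(), "exp": now.Add(60 * time.Second).Unix(), "jti": b64.EncodeToString(jti)})
	input := b64.EncodeToString(header) + "." + b64.EncodeToString(claims)
	// JWS EdDSA signs the ASCII signing input directly; the signature is the raw 64 bytes (RFC 8037).
	return input + "." + b64.EncodeToString(ed25519.Sign(k.Priv, []byte(input)))
}

// VerifyClientAssertion is the provider side: pin alg, pick the key by kid from the client's current JWKS, verify, check claims.
func VerifyClientAssertion(assertion, clientID, tokenEndpoint string, jwks []JWK, now time.Time) error {
	var header struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	var claims struct{ Iss, Sub, Aud, Jti string; Exp int64 }
	h, rest, _ := strings.Cut(assertion, ".")
	p, s, ok := strings.Cut(rest, ".")
	rawHeader, e1 := b64.DecodeString(h)
	rawClaims, e2 := b64.DecodeString(p)
	sig, e3 := b64.DecodeString(s)
	if !ok || e1 != nil || e2 != nil || e3 != nil || len(sig) != ed25519.SignatureSize ||
		json.Unmarshal(rawHeader, &header) != nil || json.Unmarshal(rawClaims, &claims) != nil ||
		header.Alg != "EdDSA" { // pin the algorithm: the token never gets to choose it
		return errors.New("malformed JWT or unexpected alg")
	}
	var pub ed25519.PublicKey // selecting the key by kid is what makes a client key rollover provider-transparent
	for _, jwk := range jwks {
		if jwk["kid"] == header.Kid && jwk["kty"] == "OKP" && jwk["crv"] == "Ed25519" {
			pub, _ = b64.DecodeString(jwk["x"])
		}
	}
	if len(pub) != ed25519.PublicKeySize {
		return errors.New("kid not in client JWKS: unknown or retired key")
	}
	if !ed25519.Verify(pub, []byte(h+"."+p), sig) {
		return errors.New("signature invalid")
	}
	if claims.Iss != clientID || claims.Sub != clientID || claims.Aud != tokenEndpoint {
		return errors.New("iss/sub must be the client_id and aud this token endpoint")
	}
	if now.Unix() >= claims.Exp || claims.Jti == "" { // a real provider also rejects a jti it has seen before
		return errors.New("expired or missing jti")
	}
	return nil
}

// must keeps the demo short; production code propagates these errors.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// main walks through the answer's third bullet: publish a new key beside the old one, switch to it, then drop
// the old key (e.g. when the developer who had access leaves); the provider only re-reads the client's JWKS.
func main() {
	const clientID, tokenEndpoint = "example-client", "https://as.example.com/token" // assumed values
	now := time.Now()
	oldKey, newKey := must(NewClientKey("2023-q4")), must(NewClientKey("2024-q1"))
	viaOld, viaNew := oldKey.ClientAssertion(clientID, tokenEndpoint, now), newKey.ClientAssertion(clientID, tokenEndpoint, now)
	both := []JWK{oldKey.Public(), newKey.Public()} // transition: both keys published, either signs
	fmt.Println("old key while published:", VerifyClientAssertion(viaOld, clientID, tokenEndpoint, both, now))
	fmt.Println("new key:", VerifyClientAssertion(viaNew, clientID, tokenEndpoint, both, now))
	fmt.Println("old key after retirement:", VerifyClientAssertion(viaOld, clientID, tokenEndpoint, []JWK{newKey.Public()}, now))
}
```

Running it prints `<nil>` for the first two checks and the "unknown or retired key" error for the third. The point for the question asked: the provider never holds a client secret at all, so a developer who copied the old private key loses access the moment the client stops publishing that kid, with no ticket to the provider and no shared secret to redistribute. Two things a production verifier adds beyond this example are a replay cache for jti values within the exp window and a cached, rate-limited fetch of the client's jwks_uri rather than a slice passed in.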
