6

Some OAuth providers (like Google or Facebook) only grant limited privileges to the third party apps, and they state so clearly on the authorization page. For example, they say that an app can see who you are and your friend list, but not post on the wall. And so on.

Not all providers do it, though. With some of them, once a user authorizes the app and the provider issues the token, apparently you can do anything. The consumer can just keep the token and do whatever it likes as that user - for years (as is the case with JIRA) unless explicitly revoked by the user.

Is this correct? How do you deal with this craziness, if an API allows 3rd party apps to fully impersonate you without boundaries?

Relevant piece of docs from Atlassian (for the JIRA example): https://confluence.atlassian.com/display/APPLINKS/Configuring+authentication+for+an+application+link

Konrad Garus
  • 755
  • 1
  • 7
  • 8
  • I guess it has something to do with the nature of the application. For example, in terms of security, you are more likely to have tightened security is say Facebook because it's in the public domain and their users NEED to know what information is being accessed. I noticed, on the link you provided: request determines the level of access to use based on the access permissions of that pre-configured user this to me says that data / services are accessible based on the auth settings of the user. – Phorce Oct 30 '15 at 10:09
  • @Phorce Correct. But if the app is malicious and gets a privileged user to log in, it can do everything impersonating them - right? – Konrad Garus Oct 30 '15 at 10:13
  • 1
    Yes, in theory. But this comes down to protection. To why would an application (Facebook) need to know your password? There is only so much an authenticator can do, at the end of the day you could argue that the user should be aware not to install these applications AND usually, people who operate applications such as JIRA are system administrators and technicians who should be well aware of what could potentially happen if installing applications that were malicious. If a general user installed an application that was malicious the implications would be as high. – Phorce Oct 30 '15 at 10:20
  • I am learning this working on a custom app talking to JIRA.

    At the very least, it means you have to be extremely cautious with such apps. Understand that as soon as you authorize them, they can do everything, and for a long time (unless you go through the hassle and manually revoke the token).

    It means you have to absolutely trust the application's creator (or review its code prior to install) and its environment (e.g. server access). App creators have to understand this as well, before they consider just saving tokens to disk.

     – Konrad Garus Oct 30 '15 at 10:26
  • Maybe this might shed some light.. https://confluence.atlassian.com/jira/managing-global-permissions-185729559.html – Phorce Oct 30 '15 at 10:36

1 Answers1

2

Yes... if you give it permission to do so.

An OAuth access token has as much power as you give it. Usually, you get asked how much privilege you want to give through that access token at the moment you log in with the OAuth provider. If you decide to give full access to everything then, yes, the application that receives the access token can do anything as if it was you.

It's similar to giving a temporary set of key of your house to a complete stranger that you meet on the road. Still, the saving grace is that it's temporary (usually) and that you can revoke it. In that way, OAuth is still much better than simply giving your username/password to a 3rd party application when you want it to access your information.

OAuth still protects your password and the 3rd party application is nearly always more limited in what it can do with an access token than if it had your real password. This is where OAuth shine and why it was created; giving limited access to your private information for a limited period of time with your consent (and often your ability to revoke that access).

Conclusion

At the end of the day, if you decide to trust malicious application, there is nothing that can save you. BUT, trusting a malicious application via OAuth is much better than giving it your password.

Gudradain
  • 6,991
  • 2
  • 27
  • 44