Questions tagged [oauth]
525 questions
OAuth is an open standard for authorizing access to data. It is a service that is complementary to, but distinct from, OpenID.
37 votes, 4 answers
How secure are expiring tokens and refresh tokens?
In the comments of a question on StackOverflow, "OAuth2 Why do access tokens expire?", people are questioning how secure refresh tokens are.
This comment is how I feel:
So it provides some protection from packet sniffing, as long as the intercept…
Luke Puplett
17 votes, 3 answers
OAuth - What if the refresh token is stolen?
It seems I don't quite understand the idea behind the refresh token yet.
Assuming that a short-lived access token is used, this token might get stolen, allowing the attacker to access the resource until it expires (maybe 3600 seconds).
But what if…
user66875
17 votes, 1 answer
Odd history of OAuth 2 device flow
OAuth 2 device flow has an odd history. It's found in early versions of the RFC, but was then taken out seemingly without an explanation I could find. Recently, a new draft was proposed specifically to reintroduce it independently.
The device flow…
HTKLee
14 votes, 1 answer
In OAuth what is the benefit of the access token being opaque
Why was the decision taken that the Client doesn't need to be able to parse the access token?
It seems to me that if the token included, in addition to the current fields, a client_id and a user_id, it would make life much simpler, prevent spoofing,…
Johan
11 votes, 2 answers
What's the point of the client secret in OAuth2 if it doesn't need to be used?
Simple as that!
Clients that can't maintain the secrecy of the client_secret in OAuth2 don't have to use it.
So what's the point of having it at all, if it's not necessary? What am I missing here?
Dancrumb
10 votes, 2 answers
OAuth - Why exchange the authcode for a token
In OAuth, when the user authorizes the client, the client gets an authorization code; the client then exchanges this for a token that is used to access the resource.
Why do we need to do this extra exchange of authzcode for the access token? Couldn't…
Stefan Rasmusson
9 votes, 3 answers
OAuth2 authorization - save token in the cookies or in the session?
I'm a security newbie. I'm implementing OAuth on my site and I want to ask where I should save my access token:
- cookies
- session (will be fetched from the server via AJAX request)
I have a backend (RESTful) and frontend (SPA). Communication only…
Pleerock
7 votes, 2 answers
Why does OAuth2 demand client credentials in an authorization header?
In section 2.3.1 of the OAuth 2.0 Authorization Framework it states:
The authorization server MUST support the HTTP Basic authentication scheme for authenticating clients that were issued a client password.
It goes on further to…
Adrian Toman
7 votes, 2 answers
Why not use PKCE for backend apps, too?
For SPA/frontend apps, you should be using PKCE these days for OAuth flow. But the backend apps have this additional complexity of having to have a secret key and use that key to talk to the token endpoint. Why not just use PKCE on the backend, too?
Mitar
7 votes, 1 answer
Is it safe to store Twitter access tokens client side?
After the Twitter OAuth process, once I finally get my access_token_key and access_token_secret, is it safe to store these in a JavaScript variable client side?
As far as I can work out nothing can be done with these keys without the…
coffee
7 votes, 2 answers
Should I avoid this token-based authentication scheme (that's not OAuth)?
I've dealt with OAuth before but I'm not too sure about the API I'm working with now. My question is basically, is this woefully insecure?
As I understand it, OAuth does the following (roughly):
- Service X gives me a key and a secret
- I ask the user…
djb
7 votes, 1 answer
Should the OAuth client_id be kept confidential?
I want my OAuth Authorization Server Owner to show (information about) the clients that have been registered. Is it ok to use the client_id as public client identifier or should the client_id also be confidential (like client_secret)? I'd also share…
Jakob
6 votes, 2 answers
Why is using implicit grant more secure than just giving out your secret key?
The company I work for has created an API that is used by mobile devices. I've been reading up on using OAuth for mobile applications and from what I understand it is recommended that you use implicit grant rather than embedding the secret key…
Abe Miessler
6 votes, 1 answer
Does OAuth effectively mean allowing an app to do everything as me?
Some OAuth providers (like Google or Facebook) only grant limited privileges to the third party apps, and they state so clearly on the authorization page. For example, they say that an app can see who you are and your friend list, but not post on…
Konrad Garus
5 votes, 1 answer
OAuth2 account authentication
Imagine you secured your application with OAuth2 and several OAuth providers.
Now imagine someone using provider A with email bob@example.com to log in.
Next time, someone uses provider B with the same email bob@example.com to log in.
Both provider…
rdmueller