
Oauth2 Without Client Secret – Possible Phishing?

I've been reading the OAuth2 specs over and over, but I can't figure out one thing. Isn't the Authorization Code flow without Client Secret (which is now recommended for single pag

Solution 1:

The resource server doesn't require a client_secret as only valid clients can obtain and redeem an authorization code.

A client must be validated against not only the client_id but also the redirect_uri that is registered to the client. When registering an OAuth Client you should require a list of permitted redirect_uri's that are permitted for use with the client_id.

So if a malicious client made a request it would fail validation as you must only redirect if the redirect_uri is permitted.

This is detailed in the OAuth 2.0 RFC under section 3.1.2.2 https://www.rfc-editor.org/rfc/rfc6749#section-3.1.2.2
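The check the answer describes, as an added illustration that is not code from the question or answer: an authorization endpoint that validates redirect_uri by exact string comparison against the client's registered list, refuses to redirect at all when client_id or redirect_uri fails that check (RFC 6749 section 4.1.2.1), and a token endpoint that only redeems a code for the client_id and redirect_uri it was issued to (section 4.1.3). The client registry, the in-memory code store and all client/URI values are constructed for the example.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed client registry: public clients (no client_secret) with their
# registered redirect URIs. A real server loads this from its client database.
REGISTERED_CLIENTS = {
    "spa-client-123": {
        "redirect_uris": [
            "https://app.example.com/callback",
            "http://127.0.0.1:8080/callback",  # loopback for local development
        ],
    },
}

# Constructed in-memory store of issued authorization codes, keyed by code value.
ISSUED_CODES = {}


def redirect_uri_is_registered(client_id, redirect_uri):
    """Exact string comparison against the client's registered list.

    RFC 6749 section 3.1.2.2 has the server compare the supplied redirect_uri
    with the registered values; prefix or substring matching would let a
    look-alike host or a path variant slip through, so only equality counts."""
    client = REGISTERED_CLIENTS.get(client_id)
    if client is None:
        return False
    if redirect_uri is None:
        # A missing redirect_uri is acceptable only when exactly one is registered.
        return len(client["redirect_uris"]) == 1
    return redirect_uri in client["redirect_uris"]


def handle_authorization_request(params):
    """Authorization endpoint decision: ("redirect", uri) or ("error_page", reason).

    A bad client_id or redirect_uri is reported on the server's own error page
    and is never redirected to the supplied URI (RFC 6749 section 4.1.2.1)."""
    client_id = params.get("client_id")
    redirect_uri = params.get("redirect_uri")
    if client_id not in REGISTERED_CLIENTS:
        return ("error_page", "unknown client_id")
    if not redirect_uri_is_registered(client_id, redirect_uri):
        return ("error_page", "redirect_uri is not registered for this client")
    if redirect_uri is None:
        redirect_uri = REGISTERED_CLIENTS[client_id]["redirect_uris"][0]
    query = {}
    if "state" in params:
        query["state"] = params["state"]  # echoed back unchanged for CSRF binding
    if params.get("response_type") != "code":
        # The redirect target is now trusted, so protocol errors may be redirected.
        query["error"] = "unsupported_response_type"
        return ("redirect", redirect_uri + "?" + urlencode(query))
    # (User authentication and consent would happen here.)
    code = secrets.token_urlsafe(32)
    ISSUED_CODES[code] = {"client_id": client_id, "redirect_uri": redirect_uri}
    query["code"] = code
    return ("redirect", redirect_uri + "?" + urlencode(query))


def code_from_redirect(uri):
    """Helper for the client side: pull the authorization code out of the redirect."""
    return parse_qs(urlparse(uri).query).get("code", [None])[0]


def redeem_code(code, client_id, redirect_uri):
    """Token endpoint check for a public client: the code must have been issued
    to this client_id and be redeemed with the same redirect_uri used to obtain
    it (RFC 6749 section 4.1.3). Codes are single-use, so the record is removed."""
    record = ISSUED_CODES.pop(code, None)
    if record is None:
        return False
    return record["client_id"] == client_id and record["redirect_uri"] == redirect_uri


if __name__ == "__main__":
    ok = handle_authorization_request({"client_id": "spa-client-123",
                                       "redirect_uri": "https://app.example.com/callback",
                                       "response_type": "code", "state": "xyz"})
    print(ok)
    print(handle_authorization_request({"client_id": "spa-client-123",
                                        "redirect_uri": "https://app.example.com.attacker.example/callback",
                                        "response_type": "code"}))
```

The two decisions that matter are the order of checks (client_id and redirect_uri are validated before anything is sent to the user agent, so an unregistered URI never receives a code or even an error) and the exact-match comparison, which is what stops a registered-looking host or path from being substituted.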
