
Going through the new OAuth 2.0 spec (RFC 6749), I see that the Implicit Grant protocol workflow uses URL hash fragments to exchange the 'access_token' between the authorisation server and the public client.

See Specs: https://www.rfc-editor.org/rfc/rfc6749#section-4.2

Can't the authorisation grant response be sent as query params instead of the URL fragment, keeping the other parts of the flow as they are?

Basically, I cannot understand the limitation that made the OAuth2 spec authors choose URL hash fragments for the Implicit Grant flow authorisation.

aknon

2 Answers


The Implicit Grant flow is designed for JavaScript clients, and I think they are using '#' instead of '?' so as not to send the access token to the server side of your redirect URL, but it still reaches the JavaScript, which is the client in our case, maybe for security reasons: "not sharing your access token over a network may be insecure, like the one used for the redirect URL".

Bassem Reda Zohdy
  • Thanks Bobo! I agree with your explanation. Reading the specs, it never occurred to me that redirection to the redirect URL does not involve TLS; that makes tokens susceptible to a 'man in the middle' attack. – aknon May 27 '13 at 06:45
  • But this brings up one question related to the Authorisation Code grant flow. This flow asks auth servers to issue a 'code' on successful validation and redirects user agents to the redirect_url along with the code. Since this redirection does not involve TLS, doesn't it mean that the security of the authorisation 'code' is compromised? – aknon May 27 '13 at 07:04
  • The code is used only one time to generate a token, and it requires the client ID and client password, so it is secure, as the client password is not shared; only the client system knows it. – Bassem Reda Zohdy May 27 '13 at 08:02
  • Can anyone tell me how to process this given URL fragment in a Rails application? – coderVishal Nov 20 '15 at 09:23
  • @coderVishal Rails is a server-side framework. The URL fragment is explicitly not sent to the server and thus will not be available to your Rails application. This is what the authorization code flow is for (which incidentally is also more secure). – Robba Jan 19 '16 at 20:48
  • @coderVishal No worries, the spec is lengthy and can often be confusing. I personally benefited a lot from online courses like you can find on, for instance, Pluralsight. – Robba Jan 20 '16 at 07:54
  • Ooh really, I will look into the course. OAuth has been quite confusing for a newbie like me. Actually this was my first task in my first job. – coderVishal Jan 20 '16 at 08:33
  • @coderVishal If you would like to get the token at the server side, you have to use the Authorization Code Grant flow. In this case the code comes with a question mark "?"; then from your server you have to hit the authorization server to get a token from the code. The code has a short life, its only use is to get a token, and it is valid for one time only. – Bassem Reda Zohdy Jan 24 '16 at 06:02

Adding my 2 cents ..

The URI fragment is used instead of a query parameter from a security point of view. The URI fragment will never be sent over the network to the redirect URL. For example, after login on the OAuth authorization server, the Location header will have "your redirect url"#access_token=youraccesstoken and the response code will be 302. When the browser sees the 302, it will redirect to the Location header value automatically (the user agent does it automatically and the JavaScript cannot stop this (AFAIK)).

Since it's a URI fragment, only the redirect URL is sent across the network; the URI fragment is not.

If it were a query parameter, the query parameter would also be sent over the network. Even with TLS, the query parameter would be visible in your proxy logs, making our access token known to unintended people, causing a leak of the access token.

Vaya
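The point made in both answers (the fragment stays in the browser, a query parameter goes over the wire and into proxy and server logs) as an added Node.js example. This is not code from the question, the answers or RFC 6749; the redirect URI, token, expiry and state value are constructed sample values, and `buildImplicitRedirect`, `buildQueryRedirect`, `requestTarget`, `followRedirect` and `parseFragmentResponse` are names chosen for this illustration. It builds the 302 Location header both ways, splits each into the part a user agent transmits as the HTTP request-target (path plus query, never the fragment) and the part that only `window.location.hash` would hold, and then parses the fragment the way a JavaScript client on the redirect page would, including the `state` check.

```javascript
// Added example (not from the question or the answers above): a Node.js simulation of
// the implicit-grant redirect from RFC 6749 section 4.2.2, showing what the user agent
// actually puts on the wire when it follows the 302, and how a JavaScript client reads
// the token back out of the fragment. All URLs, tokens and the state value are
// constructed sample values.

// Build the Location header the authorization server returns. Implicit grant: the
// response parameters go in the fragment.
function buildImplicitRedirect(redirectUri, params) {
  const url = new URL(redirectUri);
  url.hash = new URLSearchParams(params).toString();
  return url.toString();
}

// The alternative the question proposes: the same parameters as query parameters.
function buildQueryRedirect(redirectUri, params) {
  const url = new URL(redirectUri);
  for (const [name, value] of Object.entries(params)) url.searchParams.set(name, value);
  return url.toString();
}

// What the browser sends when it follows the redirect. The HTTP request-target is the
// path plus the query string only; the fragment is kept by the user agent and never
// transmitted (RFC 3986 section 3.5). This string is what a server access log, a
// TLS-terminating proxy or a Referer header would see.
function requestTarget(location) {
  const url = new URL(location);
  return url.pathname + url.search;
}

// Simulate following the redirect: split the Location value into the part that goes over
// the network and the part that stays in the browser (what window.location.hash holds).
function followRedirect(location) {
  return { onTheWire: requestTarget(location), inBrowserOnly: new URL(location).hash };
}

// What a JavaScript client does on its redirect page with window.location.hash.
// Rejects error responses, checks the state the client generated before redirecting
// (so a response cannot be planted by a third party), and requires the parameters
// RFC 6749 section 4.2.2 marks as REQUIRED.
function parseFragmentResponse(hash, expectedState) {
  const params = new URLSearchParams(hash.startsWith('#') ? hash.slice(1) : hash);
  if (params.has('error')) {
    throw new Error(`authorization server returned error: ${params.get('error')}`);
  }
  if (params.get('state') !== expectedState) {
    throw new Error('state mismatch: response does not belong to a request this client made');
  }
  const accessToken = params.get('access_token');
  const tokenType = params.get('token_type');
  if (!accessToken || !tokenType) {
    throw new Error('access_token and token_type are required in an implicit grant response');
  }
  return {
    accessToken,
    tokenType,
    expiresIn: params.has('expires_in') ? Number(params.get('expires_in')) : null,
    scope: params.get('scope'),
  };
}

// Walk through both variants with constructed sample values.
function demo() {
  const redirectUri = 'https://client.example.com/cb';   // sample redirect URI
  const response = {                                      // sample token response
    access_token: '2YotnFZFEjr1zCsicMWpAA',
    token_type: 'bearer',
    expires_in: '3600',
    state: 'xyz',
  };

  const implicit = followRedirect(buildImplicitRedirect(redirectUri, response));
  const query = followRedirect(buildQueryRedirect(redirectUri, response));
  const client = parseFragmentResponse(implicit.inBrowserOnly, 'xyz');

  return { implicit, query, client };
}

const result = demo();
console.log('fragment variant, on the wire :', result.implicit.onTheWire);
console.log('fragment variant, browser only:', result.implicit.inBrowserOnly);
console.log('query variant, on the wire    :', result.query.onTheWire);
console.log('client sees token             :', result.client.accessToken);
```

Run with `node`: the fragment variant puts only `/cb` on the wire while the token sits in the hash, whereas the query variant sends `/cb?access_token=...` to the redirect server (and every log and proxy in between). The `state` check is the part of `parseFragmentResponse` a real client must not skip; a response whose `state` is not the one this browser session generated is discarded before the token is used.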