
I'm making use of the Facebook Spring Social library.

Is the OAuth dance between the Spring Social library and Facebook when connecting secure (against man in the middle attacks etc)? If not, what do I need to do to make it secure?

The reason why I'm a bit concerned is that the Spring docs mention that Facebook uses OAuth 2 and I believe OAuth 2 has been simplified, where it relies on HTTPS to secure the OAuth dance.

P.S. my web app runs on HTTP

Markus Coetzee
  • I believe your question is more aptly worded in the general sense: "Is OAuth2 secure?" That's up for some debate. But if you are needing to integrate with Facebook, that's the option Facebook has presented; so you either use OAuth2 or you don't integrate with Facebook. – Craig Walls Jun 18 '13 at 17:02
  • From what I've read OAuth 2 over HTTP isn't secure. It relies on the dance being performed over HTTPS for its security. This is essentially what I'm trying to figure out, whether the Spring Social library has taken care of dancing over HTTPS if you will. – Markus Coetzee Jun 18 '13 at 17:08

2 Answers


Yes, Spring Social does support OAuth2 over HTTPS when working with Facebook, both in its API bindings as well as in the OAuth2 "dance". Note the URLs in https://github.com/SpringSource/spring-social-facebook/blob/master/spring-social-facebook/src/main/java/org/springframework/social/facebook/connect/FacebookOAuth2Template.java as evidence of Spring Social using HTTPS when performing the OAuth2 "dance".

If it did not, then not only would it be a bad idea security-wise, it simply wouldn't work. Facebook does not allow you to work with its API when access tokens are involved unless it's over HTTPS. You'll get an error if you try to pass an access token to any API endpoint (even if otherwise unsecured and even if the access token is bogus) over HTTP. For example, point your browser at http://graph.facebook.com/gopivotal?access_token=fasddasf and you'll get an error back.

So yeah, Spring Social supports HTTPS when working with Facebook. If it did not it wouldn't work at all.

Craig Walls

We're using it (a big project) extensively. We considered several ways to handle this feature and finally came to the conclusion that it is safe enough to go with Spring.

Actually, that part of our system was written in JavaScript, running on NodeJS, and we converted it to Java because we felt more confident with Spring's implementation.

Also, I think that part of the simplification they're talking about when comparing OAuth 1/2 is the dance: fewer roundtrips.

pl47ypus
  • So did you guys look into whether the library's OAuth dance with Facebook is secure against attacks? And is your app also running on HTTP? – Markus Coetzee Jun 18 '13 at 10:46
  • Yes. The guys from the security team approved using it as a client(!); launching an OAuth server isn't something they covered and I can't recommend. I have to ask, did you find something that worries you? I'm asking because, even though I trust them (very much), I also value others' opinions. – pl47ypus Jun 18 '13 at 17:15
  • Naturally, I'd be curious to know if there are any concerns with Spring Social's "dance" with Facebook. If there are, I'd hope that you'd work with me (via issue tracking at https://jira.springsource.org/browse/SOCIALFB) to sort that out. FWIW, Spring Social 1.1.0.M3 now supports the "state" parameter in the OAuth 2 dance to guard against CSRF attacks. – Craig Walls Jul 08 '13 at 18:07
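The two client-side checks this thread comes down to are the ones in Craig's answer (every URL in the dance is HTTPS) and in his last comment (a `state` parameter bound to the user's session, so a forged callback cannot complete the dance). The following is an added example illustrating both, not code from Spring Social or from anyone in the thread. It is a stand-alone Python simulation of the authorization-code flow: the provider endpoints, the redirect URI, the authorization codes and the "fake" token endpoint are all constructed for the example, and the https-only rule on the redirect URI is a deliberate policy choice here, made strict precisely because the asker's app runs on HTTP, where the code returned by Facebook would travel in the clear.

```python
"""Simulated OAuth2 authorization-code dance with https-only endpoints and a
session-bound state parameter. Added example; not Spring Social code. The
provider is faked so everything runs offline."""
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed endpoints for this example (not Facebook's real URLs).
AUTHORIZE_URL = "https://provider.example/dialog/oauth"
TOKEN_URL = "https://provider.example/oauth/access_token"


class InsecureEndpointError(Exception):
    """Raised when any URL taking part in the dance is not https."""


class StateMismatchError(Exception):
    """Raised when the callback's state is absent or not the one we issued."""


def require_https(url, what):
    """Return url if it is an absolute https URL, otherwise raise."""
    parts = urlparse(url)
    if parts.scheme != "https" or not parts.netloc:
        raise InsecureEndpointError(f"{what} must be https, got {url!r}")
    return url


class OAuth2Client:
    def __init__(self, client_id, client_secret, redirect_uri, session,
                 authorize_url=AUTHORIZE_URL, token_url=TOKEN_URL):
        self.client_id = client_id
        self.client_secret = client_secret
        self.redirect_uri = require_https(redirect_uri, "redirect_uri")
        self.authorize_url = require_https(authorize_url, "authorize endpoint")
        self.token_url = require_https(token_url, "token endpoint")
        self.session = session  # server-side session of the browsing user

    def build_authorize_url(self, scope="email"):
        """Step 1: mint an unguessable state, bind it to this user's session,
        and send the browser to the provider carrying it."""
        state = secrets.token_urlsafe(32)
        self.session["oauth2_state"] = state
        params = {"client_id": self.client_id, "redirect_uri": self.redirect_uri,
                  "response_type": "code", "scope": scope, "state": state}
        return f"{self.authorize_url}?{urlencode(params)}"

    def handle_callback(self, callback_url, post_to_token_endpoint):
        """Step 2: provider redirected back. Accept the code only if the state
        round-tripped intact, then exchange it over https. The state is popped
        from the session so a replayed callback fails as well."""
        query = parse_qs(urlparse(callback_url).query)
        expected = self.session.pop("oauth2_state", None)
        received = query.get("state", [None])[0]
        if (expected is None or received is None
                or not hmac.compare_digest(expected, received)):
            raise StateMismatchError("callback state missing or not ours")
        code = query.get("code", [None])[0]
        if not code:
            raise ValueError("callback carried no authorization code")
        return post_to_token_endpoint(self.token_url, {
            "client_id": self.client_id, "client_secret": self.client_secret,
            "redirect_uri": self.redirect_uri, "code": code})


# Fake provider (constructed for the example, not a real server).
VALID_CODES = {"code-for-alice": "token-for-alice",
               "code-for-mallory": "token-for-mallory"}


def fake_token_endpoint(url, form):
    require_https(url, "token endpoint")
    if form["client_secret"] != "s3cret":
        return {"error": "invalid_client"}
    token = VALID_CODES.get(form["code"])
    return {"access_token": token} if token else {"error": "invalid_grant"}


def run_honest_dance():
    """Alice completes the dance; the provider echoes her state back."""
    session = {}
    client = OAuth2Client("app-id", "s3cret",
                          "https://app.example/connect/facebook", session)
    url = client.build_authorize_url()
    state = parse_qs(urlparse(url).query)["state"][0]
    callback = f"https://app.example/connect/facebook?code=code-for-alice&state={state}"
    return client.handle_callback(callback, fake_token_endpoint)


def run_csrf_attempt():
    """Mallory lures Alice's browser to the callback with Mallory's code.
    Without a session-bound state the app would link Mallory's account to
    Alice's session; with it, the callback is refused."""
    session = {}
    client = OAuth2Client("app-id", "s3cret",
                          "https://app.example/connect/facebook", session)
    client.build_authorize_url()  # Alice has a dance in progress
    forged = "https://app.example/connect/facebook?code=code-for-mallory&state=guess"
    try:
        client.handle_callback(forged, fake_token_endpoint)
    except StateMismatchError:
        return "rejected"
    return "accepted"


def http_app_is_refused():
    """The asker's situation: an http redirect_uri is rejected up front."""
    try:
        OAuth2Client("app-id", "s3cret", "http://app.example/connect/facebook", {})
    except InsecureEndpointError:
        return True
    return False
```

`run_honest_dance()` returns Alice's token, `run_csrf_attempt()` returns `"rejected"` because the forged callback's `state` is not the one stored in her session, and `http_app_is_refused()` is `True`. The HTTPS check is on the app's own callback as well as on the provider's endpoints: the library dancing with Facebook over HTTPS does not help if the authorization code lands on the app over plain HTTP.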