0

Let's say, in the OAuth implicit flow, the redirect URI I provided is http://www.abc.de/de

Then the OAuth2 server will respond with a 302 and the Location will say something like:

http://www.abc.de/de#access_token=blabla&token_type=bearer

Then my browser redirects me to http://www.abc.de/de without the URL hash part, right?

How is the URL hash added to my redirect URI? Does the OAuth2 server simply add it and then set the Location to that value?

And how do I know that the value given in the access_token is trustworthy? The Location is part of the HTTP request, right? So while URL hashes are not sent to the server, the Location value could be intercepted and meddled with by a MITM attack.

Or am I mixing things up here?

user3629892
  • 2,960
  • 9
  • 33
  • 64

1 Answer

0

I think the identity server will never send those tokens back unless the URL is added to the trusted URLs on the server. So if someone creates a page in the middle and makes people authenticate on it, they will never get the token back because the client URL is not trusted.

Fateh Mohamed
  • 20,445
  • 5
  • 43
  • 52
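The exchange the question describes, and the redirect-URI check the answer refers to, as an added example that is not part of the original post or of any OAuth library. It models three things: the authorization server building the `Location` value with the token in the fragment, the browser splitting that value (the path is what gets requested from www.abc.de, the fragment stays in the browser where a script reads it via `window.location.hash`), and the exact-match comparison of `redirect_uri` against the URIs registered for the client. The client id `abc-web`, the token value and the registry contents are constructed for the example.

```python
from urllib.parse import urlsplit, urlencode, parse_qs

# Constructed registry: client id -> exact redirect URIs registered out of band.
# Values are hypothetical; a real server would keep this in its client database.
REGISTERED_CLIENTS = {
    "abc-web": ["http://www.abc.de/de"],
}


def redirect_uri_is_registered(client_id, redirect_uri):
    """Exact string comparison against the registered list.

    Prefix or substring matching would let a look-alike host or a deeper path
    receive the token, so only a byte-for-byte match is accepted.
    """
    return redirect_uri in REGISTERED_CLIENTS.get(client_id, [])


def build_implicit_redirect(client_id, redirect_uri, access_token,
                            state=None, expires_in=3600):
    """Return the Location header value for an implicit-grant success response.

    The token parameters are appended after '#', so they travel only in the
    authorization server's response and never in the request the browser
    then makes to the redirect target.
    """
    if not redirect_uri_is_registered(client_id, redirect_uri):
        raise ValueError("redirect_uri is not registered for this client")
    if "#" in redirect_uri:
        raise ValueError("redirect_uri must not already contain a fragment")
    params = {
        "access_token": access_token,
        "token_type": "bearer",
        "expires_in": str(expires_in),
    }
    if state is not None:
        # Echoed back so the client can tie the response to the request it made.
        params["state"] = state
    return redirect_uri + "#" + urlencode(params)


def split_for_browser(location):
    """Model what the browser does with the Location value.

    Returns (request_target, fragment, fragment_params): the request target
    is what is sent to www.abc.de in the GET line; the fragment is retained
    client-side and is what window.location.hash exposes to page scripts.
    """
    parts = urlsplit(location)
    request_target = parts.path + ("?" + parts.query if parts.query else "")
    fragment_params = {k: v[0] for k, v in parse_qs(parts.fragment).items()}
    return request_target, parts.fragment, fragment_params


if __name__ == "__main__":
    loc = build_implicit_redirect("abc-web", "http://www.abc.de/de",
                                  "blabla", state="xyz")
    print("Location:", loc)
    target, fragment, params = split_for_browser(loc)
    print("GET", target, "(fragment not sent)")
    print("window.location.hash ->", "#" + fragment)
    print("parsed by page script ->", params)
    for bad in ("http://www.abc.de/de/extra", "http://www.abc.de.example.net/de"):
        print(bad, "registered?", redirect_uri_is_registered("abc-web", bad))
```

The Location header is carried in the authorization server's HTTPS response, so TLS is what keeps it from being altered in transit; the exact-match registry is what stops the server from ever issuing the fragment to a URI the client did not register.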