
Why do I have to pass client_secret when using the password grant type?

Open fr3fou opened this issue 6 years ago • 6 comments

I'm implementing 2 backends, one of them is for authentication and the other one contains business logic. A client is going to login with their username and pass to the authentication backend using the password grant type. I've tried it and it works all fine, but I have to pass in my client_secret when making the password grant type request.

How can I circumvent that?

fr3fou avatar Sep 07 '19 09:09 fr3fou

Client_secret is a mandatory option of the protocol and cannot be omitted. Of course, this step can also be assembled on the server. The client only provides the username and password.

LyricTian avatar Sep 08 '19 01:09 LyricTian

Mind giving an example of how it would be assembled on the server?

fr3fou avatar Sep 08 '19 10:09 fr3fou

@fr3fou, from using the library, I see we only use the client_secret in the Authorization header, i.e. Authorization: Basic client_id:client_secret. Is this what you mean?

CalvoM avatar Oct 20 '20 19:10 CalvoM

For anyone reading this in future, I think the answer is that you shouldn't allow clients to interact directly with the auth server, as this is insecure.

Your web-app should have an authentication endpoint, and then it should call to the auth server. The auth server can then be firewalled to only allow access from the web-app. Firewalling + client:secret makes for a very secure solution.

The web-app can also handle throttling of requests, meaning the auth server can't be DoS attacked.

JamesArthurHolland avatar Mar 11 '21 14:03 JamesArthurHolland

> For anyone reading this in future, I think the answer is that you shouldn't allow clients to interact directly with the auth server, as this is insecure.
>
> Your web-app should have an authentication endpoint, and then it should call to the auth server. The auth server can then be firewalled to only allow access from the web-app. Firewalling + client:secret makes for a very secure solution.
>
> The web-app can also handle throttling of requests, meaning the auth server can't be DoS attacked.

may I ask why it is not secure?

fr3fou avatar Mar 11 '21 16:03 fr3fou

Because then anyone could try to brute force guess passwords. You need to rate limit requests, and that's not the responsibility of the auth server.

Also, I think this server relies on the user supplied information being somewhat trustworthy.

I.e. username and password should be sanitised before hitting the auth server.

JamesArthurHolland avatar Mar 11 '21 16:03 JamesArthurHolland
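The pattern the thread converges on (LyricTian: the password grant "assembled on the server"; CalvoM: the client_secret in the `Authorization: Basic` header; JamesArthurHolland: a web-app login endpoint that rate-limits and checks input before calling the auth server) as an added Go example. This is not code from the issue or from the go-oauth2 library: `TokenProxy`, `loginLimiter`, `Exchange` and `runDemo` are names chosen here, and `newFakeAuthServer` is a constructed stub that stands in for the authorization server so the example runs offline. The client "web-app" / secret "s3cret", the user "alice" / "correct-horse", and the client IP 203.0.113.7 used as the limiter key are likewise constructed sample values.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"sync"
	"time"
)

// loginLimiter is a fixed-window login-attempt counter per key (client IP, username, ...).
type loginLimiter struct {
	mu       sync.Mutex
	max      int
	window   time.Duration
	attempts map[string][]time.Time
}

func (l *loginLimiter) allow(key string, now time.Time) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	kept := l.attempts[key][:0]
	for _, t := range l.attempts[key] { // keep only attempts still inside the window
		if now.Sub(t) < l.window {
			kept = append(kept, t)
		}
	}
	allowed := len(kept) < l.max
	if allowed {
		kept = append(kept, now)
	}
	l.attempts[key] = kept
	return allowed
}

// TokenProxy is the web-app side: it alone holds the client credentials and reaches the token endpoint.
type TokenProxy struct {
	TokenURL, ClientID, ClientSecret string
	Limiter                          *loginLimiter
}

// Exchange checks the user-supplied fields, applies the limiter keyed on clientKey, then assembles
// the password grant with the server-held client_secret in the Basic Authorization header.
func (p *TokenProxy) Exchange(clientKey, username, password string, now time.Time) (map[string]interface{}, int, error) {
	if username == "" || password == "" || len(username) > 256 || len(password) > 1024 {
		return nil, http.StatusBadRequest, fmt.Errorf("malformed credentials")
	}
	if !p.Limiter.allow(clientKey, now) {
		return nil, http.StatusTooManyRequests, fmt.Errorf("too many login attempts")
	}
	form := url.Values{"grant_type": {"password"}, "username": {username}, "password": {password}}
	req, err := http.NewRequest(http.MethodPost, p.TokenURL, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, 0, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.SetBasicAuth(p.ClientID, p.ClientSecret) // the secret travels only web-app -> auth server
	resp, err := (&http.Client{Timeout: 5 * time.Second}).Do(req)
	if err != nil {
		return nil, http.StatusBadGateway, err
	}
	defer resp.Body.Close()
	var out map[string]interface{}
	err = json.NewDecoder(io.LimitReader(resp.Body, 1<<16)).Decode(&out)
	return out, resp.StatusCode, err
}

// newFakeAuthServer is a constructed stand-in for the auth server (not the go-oauth2 library).
func newFakeAuthServer(clientID, clientSecret string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		id, secret, ok := r.BasicAuth()
		switch {
		case !ok || id != clientID || secret != clientSecret:
			http.Error(w, `{"error":"invalid_client"}`, http.StatusUnauthorized)
		case r.ParseForm() != nil || r.PostForm.Get("username") != "alice" || r.PostForm.Get("password") != "correct-horse":
			http.Error(w, `{"error":"invalid_grant"}`, http.StatusUnauthorized)
		default:
			fmt.Fprint(w, `{"access_token":"tok-123","token_type":"Bearer","expires_in":3600}`)
		}
	}))
}

// runDemo: one valid login, one wrong guess, then a third attempt the web-app refuses locally.
func runDemo() (token string, blocked bool, err error) {
	srv := newFakeAuthServer("web-app", "s3cret")
	defer srv.Close()
	p := &TokenProxy{TokenURL: srv.URL + "/token", ClientID: "web-app", ClientSecret: "s3cret",
		Limiter: &loginLimiter{max: 2, window: time.Minute, attempts: map[string][]time.Time{}}}
	now, key := time.Now(), "203.0.113.7" // constructed client IP, used as the limiter key
	resp, _, err := p.Exchange(key, "alice", "correct-horse", now)
	token, _ = resp["access_token"].(string)
	p.Exchange(key, "alice", "wrong-guess", now)                   // uses up the small demo budget of 2
	_, status, _ := p.Exchange(key, "alice", "wrong-again", now) // never reaches the auth server
	return token, status == http.StatusTooManyRequests, err
}
```

The browser or mobile client only ever posts username and password to the web-app's own login endpoint; the web-app is the OAuth2 client, so the client_secret stays on that server, and the auth server can be firewalled to accept connections from the web-app alone. The budget of 2 attempts per minute is deliberately tiny for the demo; a real deployment would size it per IP and per account and back it with shared storage if the web-app runs more than one instance.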