
Note on Implicit Grant Type Security

Open bshaffer opened this issue 12 years ago • 0 comments

Moving https://github.com/bshaffer/oauth2-server-php/issues/81 to here

From @bojanz:

The implicit flow is less secure than the authorization code flow; neither the spec nor any other resource attempts to hide that.

A potential problem revolves around mistakenly using OAuth2 not just for authorization, but for authentication as well. An attack is described in http://homakov.blogspot.com/2012/08/oauth2-one-accesstoken-to-rule-them-all.html and can be resolved by implementing an additional call to validate the access token after it has been received (send the token and a client id, get a status and a list of scopes back).

I think it would make sense to have a note in the README about this.

As the people providing the library (and Drupal integration in my case), we are responsible if people shoot themselves in the foot with it.

Another related resource: http://homakov.blogspot.com/2013/03/oauth1-oauth2-oauth.html

bshaffer avatar Aug 12 '13 17:08 bshaffer
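The validation call described in the quoted comment (send the access token together with the client id, get a status and the granted scopes back) is what stops a token that was issued to one client from being replayed to another client as "proof" of who the user is. The following is an added illustration written for this issue; it is not code from oauth2-server-php or from @bojanz. The `AuthorizationServer`, `ResourceServer`, `token_info` and the two `login_*` functions are hypothetical names, and the token store and sample client ids are constructed for the example. It shows a naive client that trusts any valid-looking token next to one that checks the token was issued to itself before using it for authentication.

```python
"""Why an implicit-grant access token must be validated against the client id
before it is used for authentication (added example, not library code)."""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class IssuedToken:
    client_id: str      # the client the token was issued to (its audience)
    user_id: str        # the resource owner who authorized it
    scopes: frozenset   # scopes granted at authorization time


class AuthorizationServer:
    """Hypothetical issuer that keeps an in-memory token store and exposes a
    token-info call of the kind the comment recommends."""

    def __init__(self):
        self._tokens = {}  # constructed store: access_token -> IssuedToken

    def issue_token(self, client_id, user_id, scopes):
        token = secrets.token_urlsafe(32)
        self._tokens[token] = IssuedToken(client_id, user_id, frozenset(scopes))
        return token

    def lookup(self, access_token):
        return self._tokens.get(access_token)

    def token_info(self, access_token, client_id):
        """Status plus scopes. Only 'valid' when the token exists AND was
        issued to the calling client; a token minted for another client is
        reported as such even though it is otherwise live."""
        rec = self.lookup(access_token)
        if rec is None:
            return {"status": "invalid", "scopes": []}
        if rec.client_id != client_id:
            return {"status": "wrong_client", "scopes": []}
        return {"status": "valid", "scopes": sorted(rec.scopes), "user_id": rec.user_id}


class ResourceServer:
    """Hypothetical API that serves the user's profile to any live token.
    It has no idea which client the token was meant for."""

    def __init__(self, auth_server):
        self._auth = auth_server

    def get_profile(self, access_token):
        rec = self._auth.lookup(access_token)
        return None if rec is None else {"user_id": rec.user_id}


def login_naive(resource_server, access_token):
    """Vulnerable pattern: treat whoever the profile endpoint names as the
    logged-in user. Any live token for that user, whatever client it was
    issued to, passes this check."""
    profile = resource_server.get_profile(access_token)
    return None if profile is None else profile["user_id"]


def login_validated(auth_server, my_client_id, access_token, required_scope):
    """Hardened pattern: ask the issuer whether this token is valid *for us*
    and carries the scope we rely on, and only then accept the identity."""
    info = auth_server.token_info(access_token, my_client_id)
    if info["status"] != "valid":
        return None
    if required_scope not in info["scopes"]:
        return None
    return info["user_id"]


if __name__ == "__main__":
    auth = AuthorizationServer()
    api = ResourceServer(auth)
    # Constructed scenario: alice authorized a different client than ours.
    foreign_token = auth.issue_token("some-other-app", "alice", ["profile"])
    print("naive login accepts:", login_naive(api, foreign_token))
    print("validated login accepts:", login_validated(auth, "my-app", foreign_token, "profile"))
```

The naive login prints `alice` for a token that `my-app` never obtained, which is exactly the confusion the linked post describes; the validated login returns `None` because the token-info call reports `wrong_client`. The same call also catches unknown tokens and tokens lacking the scope the client relies on.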