oauth2_client icon indicating copy to clipboard operation
oauth2_client copied to clipboard

Published 20 hours ago verified publisher icon teranetsrl

Fix web popup Oauth

Open danReynolds opened this issue 2 years ago • 3 comments

The current implementation of the popup-based web OAuth handoff is broken on browsers that enforce a same-origin COOP policy (cross origin opener policy) since the window.opener value in the spawned popup will be null and the parent's access to the window.closed as described here: https://web.dev/why-coop-coep/#coop. The current implementation in this lib relies on an onMessage event from the popup which similarly is blocked by COOP.

This means that the opener has no way of knowing when the Oauth redirect has occurred and can not access the code returned from the OAuth handoff in order to finish the flow.

Screen Shot 2022-10-07 at 12 30 02 PM

This security feature has shipped and is the default behavior in major browsers like Chrome and Firefox as noted here https://bugs.chromium.org/p/chromium/issues/detail?id=1221127 and I've run into this problem firsthand using oauth2_client in Chrome.

I don't have a great fix at this time, the only thing that has worked for me is to use localStorage to pass the code between the popup and the opener but I recognize that storing sensitive data in local storage like the Oauth code is a vulnerability for any malicious JS code that can access it on your domain. I've held off on shipping anything to a production app until I can get a read from folks on if there is a better alternative.

Let me know what people think, I'm interested in exploring the solutions here further. Thanks

danReynolds avatar Oct 07 '22 16:10 danReynolds

Hi @danReynolds, thank you for pointing out the problem and for suggesting a workaround. As you said, using localStorage doesn't seem to be the most secure solution. I think we should take some time to look for alternative methods, resorting to your solution if no better alternatives come around.

I'm open to suggestions from anyone who has any ideas!

okrad avatar Oct 19 '22 20:10 okrad

Hello! I am also interested on this topic, since when I just started using this library on web I realized the same. This approach for me works fine, but I am also aware that is not the best solution in terms of security. Is it planned to merge this PR in the near future?

Thank you!

francescreig avatar Jun 12 '23 16:06 francescreig