Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How exactly hash fragment based security works?

Tags:

java

oauth

user-agent

oauth-2.0

I'm learning OAuth 2.0 and couldn't get the way of securing access token in implicit grant flow. There are some theses in specification and some upvoted SO answers looking contradicting to each other. Could somebody clear it up? Quotes from SO answers and specification that are confusing me:

  1. (From spec) Redirection URI used to deliver the access token to the client. The access token may be exposed to the resource owner or other applications with access to the resource owner's user-agent.
  2. (From spec) Access token credentials (as well as any confidential access token attributes) MUST be kept confidential in transit and storage, and only shared among the authorization server, the resource servers the access token is valid for, and the client to whom the access token is issued. Access token credentials MUST only be transmitted using TLS.
  3. (From accepted and upvoted SO answer) In the implicit flow the access token is passed as a hash fragment, only the browsers are aware of hash fragment. Browsers will pass the hash fragment directly to the destination webpage/the redirect URI which is the client's webpage (hash fragment are not part of the HTTP request) so you have to read the hash fragment using Javascript. Hash fragment cannot be intercepted by intermediary servers/routers (this is important).

My question:

P1 says that token delivered to client via Redirection URI and P2 says delivery channel MUST be TLS-ed. But P3 says that hash fragment not sending to the network. How access token reaches client if it is not sending because it's hash fragment? Anyway, it has to be sended by network isn't it? Or sending token with redirection URI makes some magic without network deals?

The only probable explanation - under the hood browser sends only non-hash part of url by network and after loading new page, just inserts hash fragment and make it available to JS. If I'm right I still can't understand why don't we simply send token with reliable, secured HTTPS channel as response parameter?

like image 434
Baurzhan Avatar asked Sep 10 '14 12:09

Baurzhan

People also ask

What are hash fragments?

A hash sign (#) in a URL is referred to as a fragment. Historically, URL fragments have been used to automatically set the browser's scroll position to a predefined location in the web page. In that sense, if a URL refers to a document, then the fragment refers to a specific subsection of that document.

Is URI fragment sent to server?

Fragment identifiers are not sent to the server. The hash fragment is used by the browser to link to elements within the same page.

Can a URL have more than one fragment?

A URL cannot have more than one fragment. URL parameters are passed in key-value pairs. URL fragments comprise just a string of text after the hash (#).

Which part of the URL is called the fragment or hash?

The fragment identifier introduced by a hash mark # is the optional last part of a URL for a document. It is typically used to identify a portion of that document.

1 Answers

The OAuth Provider sends the Access Token back to the OAuth Consumer with a HTTP Response redirect:

HTTP/1.1 302 Found
Location: https://consumer.org/redirect_uri#access_token=1111-2222-3333-4444

Note how the access token is sent through the network, as part of the HTTP response from the OAuth Provider, which ALSO should be on HTTPS in addition to the consumer.

Your browser will then perform a new HTTP GET request to the consumer endpoint:

GET /redirect_uri HTTP/1.1
Host: consumer.org

Note how the access token is NOT sent to the consumer through the network. The server at consumer.org will not receive the token in this HTTP request. Instead the web page returned from https://consumer.org/redirect_uri will contain javascript that is able to and will read the access token from the url fragment.

Consequently, you need to trust the javascript code that you receive from consumer.org (by using HTTPS) because if an attacker can inject code, it can also indirectly obtain the access token (and send it anywhere).

Example of HTTP response from the consumer:

200 OK
Content-Type: text/html

<html><head><script> 
    alert(window.location.hash) 
</script>
</head><body></body></html>
like image 65
Andreas Åkre Solberg Avatar answered Sep 30 '22 18:09

Andreas Åkre Solberg
Sign in to Comment

Related questions

Java Scanner(File) misbehaving, but Scanner(FIleInputStream) always works with the same file
Finding number of errors in an eclipse project
How to find longest common substring using trees?
how to serialize/deserialize arrayList(Object)
Force java to release all file locks/handles in Java
getting input from stdin
Spring SimpleJdbcCall default (optional) arguments
Java API for swing for holidays dates in hindu calendar of any year
What is the meaning of "From Space" and "To Space" shown in jmap?
Null-safe method chaining with Optional
Generics vs. Method Overloading
BroadcastReceiver not receiving download complete action
Is there an utility to parse an URL without checked exception in java?
Requested resource is not available in spring MVC
Can Java Protocol Buffers ever return null on the list getter of a repeated field?
Push Notification in Spring MVC WebApp
How can a 1 year old (java) lib correctly perform an UTC Time formatting, considering a newly introduced leap second
Caused by: java.net.SocketException: Unexpected end of file from server
Added Maven dependency, Eclipse doesn't see it
Spring can't determine generic types when lambda expression is used instead of anonymous inner class

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!