Is "Resource Owner Password Credentials" safe in OAuth2?

Question

So, I'm developing an API using slim/slim and league/oauth2-server to manage the OAuth2 connection. OAuth2 will be useful because I will need to use Client Credentials grant between services.

Then, I'm also developing an hybrid app with React Native. This app will requires user login by using e-mail and password or connecting with another services (such as Facebook, Google, Twitter, etc).

And I'm confused about what OAuth2 flow to use for this case. Across the web are a lot of articles saying that Resource Owner Password Credentials is not safe anymore, and we should use instead Authentication Code with PKCE.

But I can't discover or understand how to apply Authentication Code with PKCE in a first party app, because all documentation talks about you will need the uses a browser to get authentication code in redirect_uri.

The flow I imagine is something like that:

1. User open the app, then insert your credentials username and password;
2. This screen will connect to API /request_token URI sending { 'grant_type': 'password', 'username': username, 'password': password, 'client_id': CLIENT_ID }, considering it as a public app we can't send client_secret;
3. The API validates credentials and returns some data such as { "access_token": access_token, "token_type": "JWT", "expires_in": LIFE_SPAN }, here we will use JWT to gerenate the access_token based in public/private key;
4. Authentication done, the app will store the access_token while it's alive and when it expires will do the flow to refresh_token.

My question: is it safe? Scott Brady did some "aggressive" article talking it's NEVER safe.

How apps does this things? When I use Instagram app, for example, they own the app and the API, I don't need a browser in the User Experience flow. Are modern apps using "Resource Owner Password Credentials" or "Authentication Code with PKCE"? There is a away to avoid insert browser in the flow while using "Authentication Code with PKCE"?

[EDIT] Possible Solution

As Gary Archer said "Auth Code flow with PKCE is recommended - along with logging on via the system browser", but we are not talking about grant permissions to access users data or third-party apps.

As a designer I don't agree that loggin in the first-party app owned by the same API owner requires a browser this is the not the User Experience we are looking for. And all apps we see such as Instagram, Facebook, Uber... we just put your username and password and we have access to your account.

What I will do is create a custom version of Authentication Code with PKCE removing the required_uri.

[EDIT:2] The New Flow

After a lot of search, I found some answers I think was interesting to adapt. As above, I removed redirect_url from flow. Look:

1. The flow starts in a login screen, when user give your credentials;

2. Client generates a code_verifier then hashes code_verifier to code_challenge and sends it to Authorization Server with following parameters:

   • response_type=code : indicates that your server expects to receive an authorization code.
   • client_id=xxxx : the client id.
   • client_integrity=xxxx : app integrity check for first-party app.
   • code_challenge=xxxx : the code challenge generated as previously described.
   • code_challenge_method=S256 : either plain or S256, depending on whether the challenge is the plain verifier string or the SHA256 hash of the string. If this parameter is omitted, the server will assume plain.
   • username=xxxx : username to authenticate.
   • password=xxxx : hashed version of password.
   • state=xxxx : a random string generated by your application (CSRF protection).

3. Authorization Server will validates user authentication, stores code_challenge and return the authorization_code with a client_token;

4. After receive the aauthorization_code and client_token, Client saves the client_token and immediately send authorization_code back to Authorization Server with following parameters:

   • grant_type=authorization_code : ndicates the grant type of this token request.
   • code=xxxx : the client will send the authorization code it obtained.
   • client_id=xxxx : the client id.
   • code_verifier=xxxx : the code verifier for the PKCE request, that the client originally generated before the authorization request.

5. Authorization Server will validates all data and, if everything is right, will return the access_token;

6. Client will set Authorization header with the access_token and always send client_token to every request, it will be only accepted with both values are right;
7. If access_token expires, then Client will do a request to refresh access_token and get a new one.

Now, I will reproduce this logic to PHP language. If everything goes right and I hope it does, I will be back with definitive answer.

[EDIT] Clarifications

I'm using OAuth2 to user connect with your third-party accounts (Google, Facebook, etc). But user also can log to a local account in my database. For this case, user doesn't need to grant anything at all. So, no makes sense send user to a browser to him does your login.

I wondering if, to this case, local accounts, we can use Resource Owner Password Credentials or it's more safe Authentication Code with PKCE (we already conclude it's a better approuch). But Authentication Code with PKCE requires redirect_uri, do I need uses this redirection to log users into a local account where they don't need to grant access?

Answer 1

Let's go then. After a lot research, I found some approaches that I will apply and may work correctly. So, first of all, here is the challenges:

• You must never trust in clients running in client side. There's a lot of concerns about, your applications can be decomplied, modified, the users devices can be with a malware or connection may suffer with a man in the middle attacking (MITM)...
• An API Server, even using OAuth2, will be able to only identify WHO is accessing the resources, but not WHAT is accessing. Therefore, any sensitive information will be dangerous, anything can steal it and uses it.
• Resource Owner Password Credentials makes part of OAuth2 protocol for authorize resource owner to access your resources. So, it doesn't make part of authentication process and you will your ruin if you treat it like that;
• By using ROPC grant type there is no way to know if resource owner is really making that request, what make "easy" a phishing attack. Reminds about "you know WHO and not WHAT". For last, this kind of grant makes easy for whatever thing assumes the user identity;
• This grant type also goes against OAuth2 propourse, since OAuth seeks to avoid the password use to access resources. That why many people say to don't use it;
• For reinforce, it's important to highlight ROPC is not authenticating user, but it just authorizing him to access the resource server.
• And yes, ROPC allows for refresh tokens, but there are two issues: first, client needs resupply credentials each time needed to get a new token; second, if using a long-term access code, then things get more dangerous.

To prevent a malicious thing from arbitrarily using user credentials there are access tokens. They replace passwords and needed to be refreshed in short amount of time. That's why they are so much better than HTTP Basic Authentication.

That's why is recommended to use in modern apps the Authentication Code with PKCE, it provides all features and benefits of using OAuth2 protocol. But, here cames a long discussion and, even, problem for developer community:

To get an Authentication Code some user needs to make your login in a browser, grant access, redirect back to client and, soon, client will receive a code to exchange for an access token.

This scenario works good and NEEDS to be used for third-party apps. But, what if it is a first-party app? When you own the database with user data and you own the "trusted" app, redirect user doesn't make any sense. Right?

At this moment, my question is: how can I use the AuthCode (PKCE) flow without redirect user? And, again, it's important to highlight that talking about OAuth2 protocol is always the same that "to grant client to access resource server" (authorization, not authentication).

So the real question is: why Authorization Code needs a redirection at all? Then, I came with the following answer:

This flow requires to know client credentials and user consensus to turn back an authorization code.

That's why I was wrong in my edits. There's no change needed in OAuth2 protocol (sorry me for think different). For this reason, what OAuth2 needs is a authorization mediator, above your layer. Thus, the authorization code not will turn back to client, but to authorization mediator that, finally, will return it to client. Makes sense?

How it gonna work? Well, will be need 4 different "cores":

1. Authentication Server: will be responsible to authenticate user credentials and client identity. The main objective is to prove "WHO is the user and WHAT is connecting to get authentication";
2. Authorization Mediator (one layer above OAuth2): will validate client unique identity to ensure client/user is "know" and can get an access token;
3. Authorization Server: makes part of OAuth2 implementation, nothing change. Will authorize a client to get your authorization code, access tokens an refresh tokens;
4. Resource Server: will allow access resources through an access token.

And, then, security techniques we may consider:

1. API Key: each application (client) will have your own API Key with permissions scopes associated with those keys. By using it, you can gather basic statistics about API usage. Most API services use statistics to enforce rate limits per application to provide different tiers of service or reject suspiciously high frequency calling patterns;
2. Mutual SSL Authentication: by using this technique client and server exchange and verify each other's public keys. Once the keys are verified, the client and server negotiate a shared secret, a message authentication code (MAC) and encryption algorithms;
3. HMAC: API Key will be separeted into an ID and a shared secret. Then, as before, the ID is passed with each HTTP request, but the shared secret is used to sign, validates and/or encrypt the information in transit. The client and server will exchange the shared secret with algorithm such as HMAC SHA-256;
4. Protecting code application: using code obfuscators will make harder to locate and extract sensitive data from app, such as secret shared, api keys, public keys...
5. Handle user credentials: providing a simple method to user login and prove your identity. After insert valid credentials, server can return a user token (JWT) and emulates a user session with this.

Let's look at flow:

• Part one: autheticating user and client;

  1. User will type your credentials and be asked to prove your identity using your e-mail or mobile number, after Client will send user credentials (such as { email, mobile_number, hash ( password ), verification_method }) to Authentication Server route /login;
  2. Authentication Server will validate user credentials and send a one-time password to user confirm your identity (for e-mail or mobile number as choose by user);
  3. Then, user will insert the OTP received and client will send back to Authentication Server route /login-otp including the verification method (such as { otp, verification_method });
  4. At the end, Authentication Server will return a { hash ( shared_secret ) } to be used soon.

• Part two: authorizing API access;

  1. When receive shared_secret Client will stores securely at mobile app, then it will ask for a authorization code using PKCE calling /auth with { response_type, client_id, scope, state, code_challenge, code_challenge_method }, Authorization Server will validate credentials and return an authorization code with no redirects;
  2. Later, Client will exchange received code to an access token accessing /token, but it will need to send some extra data: { payload: { grant_type, code, client_id, code_verifier }, timestamp, hash ( some_user_data + timestamp + shared_secret ) };
  3. Authorization Mediator will receive this request and validate trying to generate the same hash generated by user. And redirect all data to Authorization Server that will validate client_id, code and code_verifier responding with an access token;
  4. This new access_token will return to Authorization Mediator and, after, to client granting access to API resources.

• Part three: accessing resource server;

  1. Client will each time needs send a call to API /api containing the Authorization header and some extradata with { timestamp, hash ( some_user_data + timestamp + shared_secret ) };
  2. Authorization Mediator will validates the shared_secret hashes, call Resource Server validating access_token and return data.

• Part four: refreshing access token;

  1. After access token expires, Client will send a call to /refresh-token containing the Authorization header and some extradata with { payload: { grant_type, refresh_token, client_id, scope }, timestamp, hash ( some_user_data + timestamp + shared_secret ) };
  2. Authorization Mediator will validates the shared_secret hashes, call Authorization Server and return a new fresh token access.

A visual image for this flow:

I don't think it is a perfect strategy, but it replaces Resource Owner Password Credentials to Authentication Code with PKCE and gives some extra security techniques. It's way better then a single and simple authentication method, preserves the OAuth2 protocol and mantaein a lit bit more hard to compromise user data.

Some references and support:

How do popular apps authenticate user requests from their mobile app to their server?

Why does your mobile app need an API key?

Mobile API Security Techniques

Secure Yet Simple Authentication System for Mobile Applications: Shared Secret Based Hash Authentication