Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

OAuth2: query string vs. fragment

Tags:

query-string

oauth-2.0

fragment

Just noticed that in OAuth2 when the requested grant type is: "code" the callback contains it in the query string parameters (after '?'). However, when the grant is "token" it is passed as a fragment (after '#').

This looks to be part of a spec (https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-26#section-4.2)

What could be a rationale behind such decision?

Thanks, Piotr

like image 948
Piotr Avatar asked Feb 05 '13 12:02

Piotr

People also ask

Which OAuth 2.0 Flow should I use?

For most cases, we recommend using the Authorization Code Flow with PKCE because the Access Token is not exposed on the client side, and this flow can return Refresh Tokens. To learn more about how this flow works and how to implement it, see Authorization Code Flow with Proof Key for Code Exchange (PKCE).

Is the OAuth 2.0 implicit flow dead?

Summary. The Implicit flow is deprecated for web applications because the Authorization Code flow with PKCE is cleaner to implement. Note that at the time of this writing, no new attacks have been discovered against the Implicit flow. It's just a relic from a different web, which we no longer need today.

What is Response_type in oauth2?

response_type=token - This tells the authorization server that the application is initiating the Implicit flow. Note the difference from the Authorization Code flow where this value is set to code .

What is wrong with implicit flow?

It is not recommended to use the implicit flow (and some servers prohibit this flow entirely) due to the inherent risks of returning access tokens in an HTTP redirect without any confirmation that it has been received by the client.

1 Answers

When your browser gets redirected by a website to a URL with a query parameter, the query string is also part of the request that your browser now sends to the host. Fragments are only evaluated locally by your web browser and not included into the request to the host.

In case of the Authorization Code Grant, where you typically have a web application, that directly talks to a provider, sending the data to the host is exactly what you need:

  • The web application redirects your browser to the provider where you log in.
  • The provider now tells your browser a callback URL of the web application and appends an authorization code. This code has to be sent to the web application, so it is included as a query parameter into the request to the callback URL.
  • The web application now itself talks to the provider in the background and verifies with the authorization code that he is indeed allowed to query the provider for an access token.

In case of the Implicit Grant, you typically have some Javascript application directly running in your browser. There's no need to pass any authorization code to the host and in most cases there's also no need to send the access token to the host, as the JS in the browser can directly talk to the provider. This way you could e.g. create a website on a server that uses information queried from another provider with consent from the user where the server never gets access to any confidential data of the user. (In case of a trusted website, that doesn't send the access token to the server.)

like image 67
Jan Gerlinger Avatar answered Oct 18 '22 09:10

Jan Gerlinger
Sign in to Comment

Related questions

Share credentials between native app and web site
Play Framework appending #_=_ to redirect after Facebook auth via OAuth2?
How to automate login to Google API to get OAuth 2.0 token to access known user account
Dealing with Oauth 2.0-facebook gem error 100: This authorization code has been used
Web API 2 OWIN Bearer token authentication - AccessTokenFormat null?
Restrict login to specific domain using Node Passport with Google Auth
Chrome identity launchWebAuthFlow only opens empty callback page
Attribute Error trying to run Gmail API quickstart in Python
Could not import 'oauth2_provider.ext.rest_framework.OAuth2Authentication' for API setting 'DEFAULT_AUTHENTICATION_CLASSES'
golang Facebook authentication using golang.org/x/oauth2
Apache strips down "Authorization" header
Google login uses same account everytime users login
Oauth 2.0 authorization for LinkedIn in Android
What is the best way to perform OAuth2 authentication using akka-http?
"Login Required" 401 Unauthorized message when calling the v3 Google Calendar API using a Service Account via OAuth 2.0
How to logout oauth2 client in Spring?
Creating an OAuth2.0 service provider using RESTify Node.js
Redirection to a mobile app from the webview of the app itself in React Native
Google Cloud Endpoints with another oAuth2 provider

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!