Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

OAuth2.0 Implicit Grant flow. Why use url hash fragments?

Tags:

oauth-2.0

Going through the new OAuth2.0 Specs ( rfc 6749 ), I see that Implicit Grant protocol workflow uses Url Hash Fragments to exchange the 'access_token' between the Authorisation server and the public client.

See Specs: https://www.rfc-editor.org/rfc/rfc6749#section-4.2

Cannot the Authorisation grant response be send as 'Query Params' instead of the Url fragment, keeping other parts of the flow as it is ?

Basically I cannot understand the limitation that made spec authors of OAuth2 chose url hash fragments for Implicit grant flow authorisation ?

like image 806
aknon Avatar asked May 24 '13 11:05

aknon

People also ask

Why you should stop using the OAuth implicit grant?

Sound rather drastic, what's the reason? Simply put, the implicit grant's security is broken beyond repair. It is vulnerable to access token leakage, meaning an attacker can exfiltrate valid access tokens and use it to his own benefit.

What is implicit grant in OAuth2?

The Implicit Grant Type is a way for a single-page JavaScript app to get an access token without an intermediate code exchange step. It was originally created for use by JavaScript apps (which don't have a way to safely store secrets) but is only recommended in specific situations.

What is wrong with implicit flow?

It is not recommended to use the implicit flow (and some servers prohibit this flow entirely) due to the inherent risks of returning access tokens in an HTTP redirect without any confirmation that it has been received by the client.

Is the OAuth 2.0 implicit flow dead?

Summary. The Implicit flow is deprecated for web applications because the Authorization Code flow with PKCE is cleaner to implement. Note that at the time of this writing, no new attacks have been discovered against the Implicit flow. It's just a relic from a different web, which we no longer need today.

1 Answers

the Implicit Grant flow is done for java script clients and I think they are using '#' instead of '?' to not send the access token to server side of your redirect URL but it is still reach to javascript which is the client in our case may be for security reason "not sharing your access token over network may be unsecured like one used for redirect URL"

like image 70
Bassem Reda Zohdy Avatar answered Sep 27 '22 20:09

Bassem Reda Zohdy
Sign in to Comment

Related questions

Oauth2 Implicit Flow with single-page-app refreshing access tokens
Should clients get OAuth 2 access tokens using GET or POST?
Official Spring security oauth2 example doesn't work because of cookies clashing(authorization code mechanism)
What is the simplest example of Spring OAuth2 with Java configuration? [closed]
Do OAuth2 access tokens for a mobile app have to expire?
Implementing OAuth 2.0 Authentication for My API
Android Retrofit2 Refresh Oauth 2 Token
Laravel get request headers
how to use github api token in python for requesting
How does CSRF work without state parameter in OAuth2.0?
Dealing with expired access tokens in OAuth2 implicit grant
Spring-security context setup for 2-legged (client credentials) OAuth2 server
OAuth2: What is the difference between the JWT Authorization Grant and Client Credentials Grant with JWT client authentication?
How should a client pass a facebook access token to the server?
OAuth 2 access_token vs OpenId Connect id_token
How to use OAuth2 in RestSharp
Automating access token refreshing via interceptors in axios
Possible to test Google social login locally?
Correct redirect URI for Google API and OAuth 2.0
Rails api and native mobile app authentication

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!