OAuth2.0 Implicit Grant flow. Why use url hash fragments?

Tags:

oauth-2.0

Going through the new OAuth 2.0 spec (RFC 6749), I see that the Implicit Grant protocol workflow uses URL hash fragments to exchange the 'access_token' between the authorisation server and the public client.

See spec: https://www.rfc-editor.org/rfc/rfc6749#section-4.2

Cannot the authorisation grant response be sent as query params instead of the URL fragment, keeping the other parts of the flow as they are?

Basically, I cannot understand the limitation that made the OAuth2 spec authors choose URL hash fragments for the Implicit Grant flow authorisation.

aknon asked May 24 '13 11:05


People also ask

Why you should stop using the OAuth implicit grant?

Sounds rather drastic; what's the reason? Simply put, the implicit grant's security is broken beyond repair. It is vulnerable to access token leakage, meaning an attacker can exfiltrate valid access tokens and use them to his own benefit.

What is implicit grant in OAuth2?

The Implicit Grant Type is a way for a single-page JavaScript app to get an access token without an intermediate code exchange step. It was originally created for use by JavaScript apps (which don't have a way to safely store secrets) but is only recommended in specific situations.

What is wrong with implicit flow?

It is not recommended to use the implicit flow (and some servers prohibit this flow entirely) due to the inherent risks of returning access tokens in an HTTP redirect without any confirmation that it has been received by the client.

Is the OAuth 2.0 implicit flow dead?

Summary. The Implicit flow is deprecated for web applications because the Authorization Code flow with PKCE is cleaner to implement. Note that at the time of this writing, no new attacks have been discovered against the Implicit flow. It's just a relic from a different web, which we no longer need today.


1 Answer

The Implicit Grant flow is designed for JavaScript clients, and I think they are using '#' instead of '?' so as not to send the access token to the server side of your redirect URL, while it still reaches the JavaScript, which is the client in our case. Maybe it is for a security reason: "sharing your access token over the network may be insecure, like the one used for the redirect URL".

Bassem Reda Zohdy answered Sep 27 '22 20:09
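The mechanism the answer points at can be shown directly with the WHATWG URL API. The example below is added here and is not code from the question, the answer or RFC 6749; the redirect URIs and the token value `example-token-value` are constructed samples. `requestTarget()` reproduces what a browser actually places in the HTTP request line when it follows the redirect (path plus query, never the fragment, per RFC 3986 section 3.5), so a token delivered as a query parameter lands in the redirect-URI host's access logs and any proxy on the path, while a token in the fragment is only visible to script on the page. `extractAccessToken()` is the client-side half: the SPA reads the fragment and, as the spec requires, refuses the token when the `state` value does not match the one it sent.

```javascript
// Added example (not part of the original post). Runs in Node (>= 10) or a
// browser; only the global URL and URLSearchParams classes are used.

// Constructed sample redirect URIs: the same parameters carried in the
// fragment (as RFC 6749 section 4.2.2 specifies) and in the query string
// (what the question proposes). The token value is a placeholder.
const FRAGMENT_REDIRECT =
  "https://client.example.com/cb#access_token=example-token-value" +
  "&state=xyz&token_type=bearer&expires_in=3600";
const QUERY_REDIRECT =
  "https://client.example.com/cb?access_token=example-token-value" +
  "&state=xyz&token_type=bearer&expires_in=3600";

// What the user agent sends to the redirect-URI host after the redirect:
// the request-target is path + query. The fragment is a client-side
// identifier and is never transmitted in the HTTP request.
function requestTarget(redirectUri) {
  const u = new URL(redirectUri);
  return u.pathname + u.search;
}

// Defender's check: would this redirect put the bearer token on the wire
// (server logs, proxies, Referer-bearing follow-up requests)?
function tokenReachesServer(redirectUri) {
  return new URLSearchParams(new URL(redirectUri).search).has("access_token");
}

// Parse the fragment the way a single-page app does: strip the leading
// "#" and treat the rest as application/x-www-form-urlencoded.
function parseFragmentParams(redirectUri) {
  const hash = new URL(redirectUri).hash;
  const params = new URLSearchParams(hash.startsWith("#") ? hash.slice(1) : hash);
  return Object.fromEntries(params.entries());
}

// Client-side token extraction with the checks RFC 6749 section 4.2.2
// requires of the client: the token must come from the fragment, and the
// returned state must equal the one the client generated for this request.
// Returns the token string or null if the response must be rejected.
function extractAccessToken(redirectUri, expectedState) {
  const p = parseFragmentParams(redirectUri);
  if (!p.access_token) return null;            // nothing in the fragment
  if (p.state !== expectedState) return null;  // CSRF check failed
  return p.access_token;
}

function demo() {
  for (const uri of [FRAGMENT_REDIRECT, QUERY_REDIRECT]) {
    console.log("redirect:      ", uri);
    console.log("request-target:", requestTarget(uri));
    console.log("token on wire: ", tokenReachesServer(uri));
    console.log("client sees:   ", extractAccessToken(uri, "xyz"));
    console.log();
  }
}

if (typeof require !== "undefined" && require.main === module) demo();
```

In a real SPA the token should be read once and then removed from the address bar with `history.replaceState()` so it does not survive in browser history or leak through the Referer header of later navigations; that is the residual risk the "People also ask" snippets above refer to, and why Authorization Code with PKCE is now preferred over this flow for browser clients.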