Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Protecting Image resources with OAuth2 Bearer Tokens

Tags:

I've created a number of Web Services that produce/consume JSON data and I've protected them using OAuth2 and Bearer Tokens, which works fine.

Now however I need to build a similar Web Service that produces images rather than JSON (so JPEG/PNG data). For consistency I would also like to protect the service with OAuth2/Bearer Tokens, but doing so would make the service more challenging to consume in browser based applications that wish to display the image data using the <img> tag, because the <img> tag will not send the necessary Authorization: Bearer ...bearer-token... HTTP header.

I can see two ways round this:

  1. Browser based clients of the Service would use XHR Level2 and the Blob and Blob URL schemes from HTML5 to retrieve the image data as a Blob, use the Blob URL scheme to generate a URL for the Blob and then dynamically create an img tag that refers to the Blob URl. A lot of work just to display an image!

  2. Modify the OAuth2 infrastructure to generate a Http cookie in addition to the Bearer Token. Modify the service Authorirzation to accept EITHER the Authorization: Bearer ... OAuth2 header OR the cookie as proof of identity. Cookie to have same lifetime as bearer token, httpOnly etc. Browser based clients can just rely on browser cookie support to get access to service, can deference image data via <img> tag as normal. Easy to use for browser clients, but non-standard. Security risk profile seems the same for either bearer token or cookie.

Am I overlooking any security issues with the latter approach?

Are there any alternative approaches for protecting image/media resources with OAuth2?

like image 242
cdivilly Avatar asked Dec 05 '12 14:12

cdivilly

1 Answers

I assume you are using the user-agent-based application profile in terms of getting a bearer token into the browser base app.

The OAuth Bearer Token spec supports sending the token as a query parameter ?access_token=mF_9.B5f-4.1JqM. The javascript in your browser could add the token as a query parameter to your img links.

This would be more standards based, but then you would have to worry about the access_token value leaking out in logs, etc. I think the security trade offs would really depend on the scope of those bearer tokens, and how important these images are to protect.

I think opening up your OAuth infrastructure to accept cookies could open you up to new attack vectors. RFC 6750 specifically calls out the risk of CSRF attacks 

 Implementations that do store bearer tokens in cookies MUST take precautions  against cross-site request forgery.
like image 143
Patrick Avatar answered Sep 24 '22 18:09

Patrick
Sign in to Comment

Related questions

Android WebView: display only some part of website
What does "Safari (in-app) in Google Analytics refer to?"
Automatically open the Safari Debugger when the iPhone Simulator is launched
When is Double's == operator invoked?
How to get difference between two DataTables
Convert a makefile to a VS project
How do I create a constraints based view that resizes between iPhone 5 and iPhone 4 comparable to Anchor operation?
DT[!(x == .)] and DT[x != .] treat NA in x inconsistently
Could cabal warn about unused package in dependencies?
Any way of detecting whether a browsers console is able to render colors?
(WiX) Program files shortcut for per-machine install
Message sent to a deallocated instance

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!