As soon as I log in successfully to the authentication server, the server redirects back to the application with an authorization code. This authorization code is then used to get the access token in the backend. My doubt is: if somebody has seen, captured or copied my authorization code before I have used it, can he also log in with my credentials? I want to know whether what I am thinking is correct, or whether I am missing some security flow in the process.
Edit: I am mostly concerned with the case where somebody has seen the authorization code in my browser history and then sends this code from another machine to get an access token. How can we prevent this?
You are correct: this is why in OAuth 2.0 there should be a fixed, registered callback URI that the Client receives the Authorization Code on, which is enforced by profiles such as OpenID Connect. The security considerations section of the specification analyzes the risks of the authorization code concept in more depth: https://www.rfc-editor.org/rfc/rfc6749#section-10.5
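The answer above points at RFC 6749 section 10.5, which requires an authorization code to be short-lived, single-use, bound to the client it was issued to and to the redirect URI used, and (for a confidential client) redeemable only by an authenticated client; it also recommends revoking any tokens already granted when a code is presented a second time. The following is an added example, not code from the question, the answer or any OAuth library: a toy authorization server that enforces exactly those checks at its token endpoint. The client id `web-app`, its secret, the redirect URIs and the user names are constructed placeholders.

```python
import secrets
import time
from dataclasses import dataclass, field

# Constructed client registration (hypothetical values): one confidential
# client with a single fixed, pre-registered redirect URI.
REGISTERED_CLIENTS = {
    "web-app": {
        "secret": "s3cr3t-example",
        "redirect_uris": {"https://app.example/callback"},
    },
}

CODE_LIFETIME_SECONDS = 60  # RFC 6749 section 4.1.2 recommends at most ~10 minutes


@dataclass
class AuthorizationCode:
    client_id: str
    redirect_uri: str
    subject: str
    expires_at: float
    used: bool = False
    issued_tokens: list = field(default_factory=list)


class AuthorizationServer:
    """Toy authorization server modelling the code checks of RFC 6749 section 10.5."""

    def __init__(self, now=time.time):
        self.now = now            # injectable clock so expiry can be tested
        self.codes = {}           # code string -> AuthorizationCode
        self.active_tokens = set()

    def authorize(self, client_id, redirect_uri, subject):
        """Front channel: the user has authenticated; issue a code bound to
        the requesting client and the registered redirect URI."""
        client = REGISTERED_CLIENTS.get(client_id)
        if client is None or redirect_uri not in client["redirect_uris"]:
            raise ValueError("unknown client or unregistered redirect_uri")
        code = secrets.token_urlsafe(32)
        self.codes[code] = AuthorizationCode(
            client_id, redirect_uri, subject, self.now() + CODE_LIFETIME_SECONDS)
        return code

    def token(self, client_id, client_secret, code, redirect_uri):
        """Back channel: exchange a code for an access token, enforcing the
        section 10.5 protections in order."""
        client = REGISTERED_CLIENTS.get(client_id)
        # 1. A confidential client must authenticate: a code copied out of a
        #    browser history is useless without the client secret.
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            return {"error": "invalid_client"}
        record = self.codes.get(code)
        if record is None:
            return {"error": "invalid_grant"}
        # 2. Single use: a second presentation is rejected and, as section 10.5
        #    recommends, every token already granted from that code is revoked.
        if record.used:
            for t in record.issued_tokens:
                self.active_tokens.discard(t)
            return {"error": "invalid_grant", "revoked": len(record.issued_tokens)}
        # 3. Short-lived: expired codes are rejected.
        if self.now() > record.expires_at:
            return {"error": "invalid_grant"}
        # 4. Bound to the issuing client and to the redirect URI that was used.
        if record.client_id != client_id or record.redirect_uri != redirect_uri:
            return {"error": "invalid_grant"}
        record.used = True
        access_token = secrets.token_urlsafe(32)
        record.issued_tokens.append(access_token)
        self.active_tokens.add(access_token)
        return {"access_token": access_token, "token_type": "Bearer"}


def demo():
    """Legitimate exchange, then the two failure modes from the question."""
    srv = AuthorizationServer()
    uri = "https://app.example/callback"
    code = srv.authorize("web-app", uri, "alice")
    ok = srv.token("web-app", "s3cr3t-example", code, uri)
    # Someone who only saw the code (e.g. in browser history) lacks the secret.
    no_secret = srv.token("web-app", "wrong-secret", code, uri)
    # Even a caller holding the secret cannot redeem an already-used code,
    # and the earlier token is revoked as a side effect.
    replay = srv.token("web-app", "s3cr3t-example", code, uri)
    return {
        "first_exchange_ok": "access_token" in ok,
        "no_secret_rejected": no_secret["error"] == "invalid_client",
        "replay_rejected": replay["error"] == "invalid_grant",
        "token_revoked_after_replay": ok["access_token"] not in srv.active_tokens,
    }


if __name__ == "__main__":
    print(demo())
```

The order of the checks matters for what a caller learns: client authentication is verified before the code is even looked up, so an unauthenticated request cannot probe whether a code exists. The revocation in step 2 is what limits the damage if the legitimate client and a copy of the code race each other: whichever redemption comes second invalidates the first.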