What is the purpose of authorization code in OAuth

In oauth you make a request using your client id/secret to get an authorization code. Then you make a second request to exchange the authorization code for an access token. My question is:

Why is this two step process required instead of getting the access token in the first place? How does it make the whole process more secure? Or is there another reason?

I'm talking about server side app (like php for example) requesting authorization from a remote server, not javascript.

asked Jan 01 '19 by NickSoft

2 Answers

It's possible to do it with a single request - it's called the implicit flow then. There is a single request with response_type set to token or id_token token.

The general idea of using an access code (authorization code flow) instead of directly returning the tokens is to hide them from the end user. The second request is usually done by the backend server instead of the browser.

You can find more details here: https://auth0.com/docs/api-auth/which-oauth-flow-to-use

Note: for complete answer read the comments.

answered Oct 24 '22 by Jakub Kubrynski


"In oauth you make a request using your client id/secret to get an authorization code."

The authorization code request does not contain the client secret. It only contains the client ID and redirect URL, which enables the authorization server to validate that the request originates from a known client.

"Why is this two step process required instead of getting the access token in the first place? How does it make the whole process more secure? Or is there another reason?"

If we forget about the implicit flow, which involves retrieving the access token from the first call, I would say it is to improve security.

When the authorization code flow is used, you use a user agent (browser) to initiate the flow. This means the user agent will redirect the end user to the authorization server for authentication (obtaining and validating the end user's username and password). If end user validation succeeds, the authorization server sends the authorization code. This is a temporary secret, which is bound to the original authorization code request.

Now the client uses the authorization code and directly contacts the authorization server to obtain the access (and other) tokens. This second step occurs outside the user agent.

If the client is a confidential client, a client which has a client ID as well as a client secret, this second call will require the client to produce this client secret. So it internally contains a client validation process. From the authorization server's perspective, the token request will be rejected if client authentication fails. This gives protection against authorization code stealing.

Also, with the second step, we avoid access token exposure to a third party. For example, in the implicit flow, the access token is sent as a URL fragment through the user agent. If the user agent is compromised (ex:- manipulated by some malicious code) this access token can be extracted.

What about public clients? That means clients which do not get a client secret due to their nature (ex:- clients which cannot protect the secret by storing it).

Public clients use PKCE. It is a must to use this to avoid authorization code stealing. So in the token request (second call), the client will directly send the code verifier. The user agent cannot obtain the code verifier from the first request since it was hashed (the code challenge). So the token request now contains a secret that is only known by the client and the authorization server.

If you compare both scenarios (public and confidential clients), you can see how the second call adds an extra layer of security.

answered Oct 24 '22 by Kavindu Dodanduwa
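To make the two-step argument from both answers concrete, here is an added toy authorization server (example code written for this page, not from either answer or any real library) that models step 1 and step 2: the code handed through the browser is bound to the client and redirect URI, is single-use, and is only redeemable by a confidential client presenting its client secret or by a public client presenting the PKCE code verifier whose S256 hash was sent in step 1. Client names, the secret and the redirect URIs are constructed values.

```python
import base64
import hashlib
import secrets

# Constructed toy authorization server: registered clients and codes issued in step 1.
CLIENTS = {"web-app": "s3cret-registered-out-of-band",  # confidential client
           "mobile-app": None}                          # public client, must use PKCE
ISSUED_CODES = {}

def b64url_sha256(value):
    """S256 transform from RFC 7636: BASE64URL(SHA256(value)) without padding."""
    return base64.urlsafe_b64encode(hashlib.sha256(value.encode()).digest()).rstrip(b"=").decode()

def make_pkce_pair():
    """Client side: random code_verifier kept by the client, code_challenge sent in step 1."""
    verifier = secrets.token_urlsafe(32)
    return verifier, b64url_sha256(verifier)

def authorize(client_id, redirect_uri, code_challenge=None):
    """Step 1 (through the user agent): after the user has authenticated, issue a
    single-use code bound to the client, redirect URI and challenge. The browser
    only ever sees this code, never an access token."""
    if client_id not in CLIENTS:
        return None
    if CLIENTS[client_id] is None and code_challenge is None:
        return None  # public clients must supply a code_challenge
    code = secrets.token_urlsafe(16)
    ISSUED_CODES[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                          "code_challenge": code_challenge, "used": False}
    return code

def token(client_id, redirect_uri, code, client_secret=None, code_verifier=None):
    """Step 2 (back channel, outside the user agent): exchange the code for an access
    token. Returns the token, or None when the request must be rejected."""
    rec = ISSUED_CODES.get(code)
    if rec is None or rec["used"]:
        return None  # unknown or replayed code
    if rec["client_id"] != client_id or rec["redirect_uri"] != redirect_uri:
        return None  # code was issued to a different client / redirect URI
    secret = CLIENTS[client_id]
    if secret is not None:  # confidential client: authenticate with the client secret
        if client_secret is None or not secrets.compare_digest(secret, client_secret):
            return None
    if rec["code_challenge"] is not None:  # PKCE: prove possession of the verifier
        if code_verifier is None or not secrets.compare_digest(
                b64url_sha256(code_verifier), rec["code_challenge"]):
            return None
    rec["used"] = True
    return "access-" + secrets.token_urlsafe(16)
```

A code captured from the browser redirect is worthless on its own: without the client secret or the verifier the token call returns None, and a second exchange of a spent code is also refused.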