why isn't it possible to steal an access token?

I'm learning OAuth and I have a question in my head I can't find an answer to.

I understood that the request token is used to authorize (or not) an application to use the API. But once the user has got an access token, what happens if someone steals his access token?

Imagine that we have something like http://www.example.com/api/article/1?access_token=******access_token******

If I give this URL to another user, the other one would have my access, and so the API isn't protected anymore?

Julien asked Jul 08 '11 08:07



1 Answer

Short answer: Yes, for OAuth2 - whoever has a valid access_token would have access to the resources designated by that token. For how long depends on the provider's OAuth2 implementation.

Long answer, about both OAuth1 and 2:

When it comes to OAuth 1, an access token is not enough. You would also need the access token secret and also the consumer key and secret. It is still good to keep the access tokens confidential, and to limit their scope and time of validity, but you cannot use the access token without the client and token secrets. OAuth 1 doesn't require that you use SSL, because cryptography is built right into the specification.

OAuth 2 is different - it is arguably more important that access tokens are kept confidential. Therefore the API provider should ensure that access tokens, which in OAuth2 are also known as Bearer tokens, are valid only for as short a time as possible. These tokens work like passwords, and if intercepted can be used immediately by an attacker. Therefore the OAuth2 (with bearer token) specification requires that all communication takes place over SSL - since no cryptography is built into the specification. Typically access tokens have a short validity, which can be refreshed with a "refresh token" which has longer validity but is only transferred when the initial bearer token is received by the consumer, and when a bearer token is refreshed.

Jon Nylander answered Oct 23 '22 10:10
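The contrast the answer draws can be seen in code. The following is an added example (not part of the original answer or of any OAuth library): a toy resource server that verifies OAuth 1.0a HMAC-SHA1 signed requests the way RFC 5849 describes (signature keyed with consumer secret and token secret, with timestamp and nonce checks) next to an OAuth 2 bearer check that only looks up the token and its expiry. All keys, secrets, the token owner "julien" and the URL are constructed placeholders. It shows that a leaked OAuth 1 `oauth_token` cannot be used without the secrets, that a captured signed request cannot be replayed or pointed at a different resource, and that with a bearer token possession alone is enough until it expires.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, quote, urlparse

# Constructed credentials (placeholders, not real values).
CONSUMER_KEY, CONSUMER_SECRET = "client-app", "consumer-secret-xyz"
ACCESS_TOKEN, TOKEN_SECRET = "access-token-123", "token-secret-abc"
BEARER_TOKEN = "bearer-token-789"

# Server-side state: token -> (owner, token secret), consumer key -> secret,
# bearer token -> (owner, expiry as epoch seconds), and nonces already seen.
TOKEN_DB = {ACCESS_TOKEN: ("julien", TOKEN_SECRET)}
CONSUMER_DB = {CONSUMER_KEY: CONSUMER_SECRET}
BEARER_DB = {BEARER_TOKEN: ("julien", 1700000000 + 3600)}
SEEN_NONCES = set()


def _pct(s):
    # RFC 5849 section 3.6 percent-encoding: only unreserved chars are kept.
    return quote(s, safe="-._~")


def oauth1_base_string(method, url, params):
    # Signature base string (RFC 5849 section 3.4.1): METHOD & base URL &
    # normalized parameters (query string plus oauth_* params, sorted by key).
    parsed = urlparse(url)
    base_url = f"{parsed.scheme}://{parsed.netloc}{parsed.path}"
    all_params = dict(parse_qsl(parsed.query))
    all_params.update(params)
    normalized = "&".join(f"{_pct(k)}={_pct(v)}" for k, v in sorted(all_params.items()))
    return "&".join([method.upper(), _pct(base_url), _pct(normalized)])


def oauth1_sign(method, url, consumer_secret, token_secret, params):
    # HMAC-SHA1 keyed with "consumer_secret&token_secret" (RFC 5849 section 3.4.2).
    key = f"{_pct(consumer_secret)}&{_pct(token_secret)}".encode()
    digest = hmac.new(key, oauth1_base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def oauth1_request(method, url, consumer_key, consumer_secret, token, token_secret, nonce, ts):
    # Client side: build the oauth_* protocol parameters and sign them.
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(ts),
        "oauth_nonce": nonce,
        "oauth_version": "1.0",
    }
    params["oauth_signature"] = oauth1_sign(method, url, consumer_secret, token_secret, params)
    return params


def oauth1_verify(method, url, params, now=None):
    """Server side: return the token owner if the signed request is valid, else None."""
    now = time.time() if now is None else now
    token, ckey = params.get("oauth_token"), params.get("oauth_consumer_key")
    if token not in TOKEN_DB or ckey not in CONSUMER_DB:
        return None
    owner, token_secret = TOKEN_DB[token]
    # Recompute the signature with the server's copies of both secrets.
    unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
    expected = oauth1_sign(method, url, CONSUMER_DB[ckey], token_secret, unsigned)
    if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
        return None
    # Replay protection: timestamp within a 5 minute window and an unused nonce.
    if abs(now - int(params["oauth_timestamp"])) > 300:
        return None
    nonce_key = (ckey, token, params["oauth_timestamp"], params["oauth_nonce"])
    if nonce_key in SEEN_NONCES:
        return None
    SEEN_NONCES.add(nonce_key)
    return owner


def bearer_verify(authorization_header, now):
    """OAuth 2 bearer check: the server only checks that the token exists and is unexpired."""
    if not authorization_header.startswith("Bearer "):
        return None
    record = BEARER_DB.get(authorization_header[len("Bearer "):])
    if record is None or now >= record[1]:
        return None
    return record[0]


def demo():
    SEEN_NONCES.clear()
    url, now = "https://api.example.com/article/1", 1700000000
    good = oauth1_request("GET", url, CONSUMER_KEY, CONSUMER_SECRET, ACCESS_TOKEN, TOKEN_SECRET, "n1", now)
    # Holder of only oauth_token (e.g. from a leaked URL) has to guess both secrets.
    forged = oauth1_request("GET", url, CONSUMER_KEY, "guess", ACCESS_TOKEN, "guess", "n2", now)
    return {
        "oauth1_other_resource": oauth1_verify("GET", url + "0", good, now),  # signature bound to URL
        "oauth1_valid": oauth1_verify("GET", url, good, now),
        "oauth1_replay": oauth1_verify("GET", url, dict(good), now),         # nonce already used
        "oauth1_without_secrets": oauth1_verify("GET", url, forged, now),
        "bearer_valid": bearer_verify("Bearer " + BEARER_TOKEN, now),        # possession suffices
        "bearer_expired": bearer_verify("Bearer " + BEARER_TOKEN, now + 7200),
    }


if __name__ == "__main__":
    print(demo())
```

The bearer branch is deliberately thin: that is the whole point of the answer. Nothing in the request proves who presents the token, so the only defences are transport protection and a short lifetime (with the refresh token kept off the wire except during issuance and refresh).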