Why should /oauth/authorize be secured?

According to http://projects.spring.io/spring-security-oauth/docs/oauth2.html:

N.B. the Authorization endpoint /oauth/authorize (or its mapped alternative) should be protected using Spring Security so that it is only accessible to authenticated users.

Why is that? It doesn't sound right that an endpoint that will require an authorization grant to exchange for an authorization code should be secured. It's like a login page for a login page, especially when the authorization grant will be through resource owner password credentials.

Adriano asked Jun 23 '15 01:06



1 Answer

OAuth2 authorization works in two steps:

  1. User authenticates using their credentials
  2. User grants application X the authority to use their data

Step 2 happens on /oauth/authorize and step 1 happens elsewhere in your application (most likely through a form-login backed by Spring Security).

If you don't protect /oauth/authorize, you will end up granting authorization without authenticating the user (or you won't, because without an authenticated session you probably have no idea who the user is).

Raniz answered Jan 03 '23 01:01
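The following is an added example of the configuration the answer describes; it is not code from the question, the answer, or the Spring Security OAuth project. It is a Spring Security (4.x/5.x style, `WebSecurityConfigurerAdapter`) Java configuration that makes `/oauth/authorize` reachable only by an authenticated session and lets form login supply step 1. The class name and the `/login` and `/css/**` paths are assumptions chosen for the example.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Added example configuration (class name and paths are assumptions, not from the page).
// Enforces the ordering the answer describes: step 1 (authenticate the user) must
// complete before step 2 (the user grants a client access) can happen on /oauth/authorize.
@Configuration
@EnableWebSecurity
public class AuthorizationEndpointSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Step 2 lives here. Without an authenticated principal there is no
                // user to bind the resulting authorization code to, so deny anonymous access.
                .antMatchers("/oauth/authorize").authenticated()
                // The login page and its static assets must stay reachable, otherwise
                // the redirect from /oauth/authorize to the login form would loop.
                .antMatchers("/login", "/css/**").permitAll()
                .anyRequest().authenticated()
                .and()
            // Step 1. An unauthenticated browser hitting /oauth/authorize is sent to this
            // form; after a successful login Spring Security replays the saved request,
            // so the user lands back on /oauth/authorize with a session and can grant access.
            .formLogin()
                .loginPage("/login")
                .permitAll();
    }
}
```

Two points worth checking when wiring this in. First, the rule only concerns the authorization endpoint used by the browser-based flows (authorization code and implicit): the resource owner password credentials grant the question mentions never visits `/oauth/authorize` at all, it posts the user's credentials straight to the token endpoint, so this protection does not add a second login step to that grant. Second, the token endpoint is normally authenticated separately with the client's own credentials through the authorization server configuration, not through this user-facing filter chain, so it should not be covered by the `formLogin()` rules above.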