Between the Authorization Request (3.1.2.1) and the Authentication Response (3.1.2.5) the authorization server is responsible for validating the request, authenticating the user, and get user-consent before sending the response.
http://openid.net/specs/openid-connect-core-1_0.html#ImplicitFlowAuth
How is that supposed to work in a SPA application?
If I issue an ajax request the authorization server can't authenticate the user (I don't see how since there's no cookie, http-header or url fragment telling the Authorization Server who the user is). If I redirect the user to the authentication endpoint my SPA is unloaded. Since I don't have a server redirect_uri (which I've understood is the whole point of the implicit flow?) the endpoint can never reach my SPA again.
Obviously I'm missing something. How is the authentication and user-authorization chrome supposed to be shown to the user in the implicit flow?
OAuth 2.0/OpenID Connect separate the authentication from the application. You would redirect unauthenticated clients/users away from your application before anything is loaded and only handle the authorization response in the SPA. Your redirect URI would point to the SPA. In any case, you would not handle the OAuth 2.0/OpenID Connect dance in Ajax but in a full browser.
Related
How does the redirect in OAuth with IdentityServer4 work in detail? Calls the identity server the redirect URL directly (in case of loopback likely not possible) or does the browser get a response from Identity server with the redirect as parameter and the Browser does the redirect?
Is there a known issue that the response of the identity server can be changed to redirect to an other site? So can steal the authentication code.
IdentityServer4 redirects in the browser.
Yes, there is a known issue that response of identity server can be changed to redirect to an other site. There are also ways to mitigate those risks. You can use PKCE and nonce.
https://auth0.com/docs/flows/concepts/auth-code-pkce
https://developer.okta.com/blog/2019/08/22/okta-authjs-pkce
Rather than redirecting to another to a malicious endpoint (which will expose authorization code), higher probability is to have a Cross-site request forgery (CSRF) attack. For this OAuth 2.0 spec provide you with state parameter (more on this).
Regarding possibility of redirecting to a malicious endpoint, for this to be done,
Your original request must contain redirect url of malicious endpoit
Identity server must validate this url and then decide to perform the redirect
The second point is difficult to exploit (but possible). Because from OAuth 2.0 definition you register redirect URL when you register your client
The authorization server redirects the user-agent to the
client's redirection endpoint previously established with the
authorization server during the client registration process or when
making the authorization request.
So this means your identity server has been breached OR your registration was exploited. And you will have to worry about user being redirected to a malicious website, which could extract other important details rather than exposing authorization code.
This is emphasised in specification under Authorization Code Redirection URI Manipulation
An attacker can create an account at a legitimate client and initiate
the authorization flow. When the attacker's user-agent is sent to
the authorization server to grant access, the attacker grabs the
authorization URI provided by the legitimate client and replaces the
client's redirection URI with a URI under the control of the
attacker. The attacker then tricks the victim into following the
manipulated link to authorize access to the legitimate client.
I am building an Angular SPA app and using Okta as an Idp. since its an SPA so I think I need to use Implicit flow. I have two queries here-
Since in Implicit flow a refresh token is not issued, does it means that th user will be logged out of the app after the token expires and he has to log in again?
Why do I need to use Implicit flow in case of SPA? why not Authorization code flow? since I have control over both the front end (SPA) and back end (REST API) . for example in case of Spring MVC architecture for the web app Authorization code flow is possible.
Thanks,
pchh
Yes, if the token expired, you have to re-autenticate. Normally you still have a valid session on the identity providers site, so you can do a "silent" login using an iframe. Libraries like oidc-client support a silent login, which can do this for you.
You need to use implicit (or hybrid) flow, when you need to access to the access token from your javascript app. With authorization code flow your javascript app doesn't get the access token, so if your API needs an access token for authorization, what are you going to send?
If your auth server supports OpenID Connect (OAuth2 extension) and single sign-on (SSO) feature, to get a new token before the old gets expired, use an iframe with a URL you used for authentication, but add prompt=none parameter (and possibly id_token_hint parameter). See OpenId Connect RFC. The prompt=none parameter tells the /auth endpoint to issue a new token(s) if the user has an open SSO session at your OAuth2 server. If not, the request will fail. There is a separate RFC for session management.
The Authorization code flow requires you to access the /token endpoint, which usually requires authentication (client ID + client secret) and you cannot keep the secret safe in a browser. For this reason, the token endpoint doesn't use to support CORS headers, so you cannot access it using XHR. Using the Auth code flow, you get a code as a redirect URL param (?code=), which gets to the server hosting your SPA (browser sends it there after redirect). The implicit flow returns tokens in hash part of the redirect URL (#access_token=), which stays in a browser (it's not sent to the server), so it's safer.
On all OAuth2 documentations i looked, including the Oauth2 spec, the Oauth2 Authorization Code flow ends in the point where the server side holds both the refresh and access tokens.
As a server-side of a web app, what I wish is to not finish the flow here, but response my web user agent with the access\refresh tokens
This in order to have my user agent later make calls to my app's server-side APIs using the access token for auth (the app's server-side will verify the token against the authorization server).
The implicit flow might be the flow i should have been using here (right?), but the authorization server in my company supports only the authorization code flow (and not the implicit flow) for now.
I thought of adding a redirect url as a query param inside of the redirect url of the authorization API.
This way, when the authorization flow will ends, and my app's server side will get the tokens, it will redirect back to the User agent's url, providing the access\refresh tokens as hash fragments
Is it safe for the server-side to redirect to user agent with the tokens this way?
Is there any better practice for redirect back to the user agent?
Here is my plan (authorization code flow) of implementing such login/register logic. (The third-party only provided the OAuth2 API)
First the SPA frontend will send a GET request to the third-party
GET https://www.example.com/oauth2
client_id=dummyclient
redirect_uri=https://mysite/callback
response_type=code
scope=openid
Then if the user agree to give his/her openid to mysite then the fronend will get a 301 HTTP response.
---> 301 https://mysite/callback?code=dummycode
Then the browser will redirect the page to mysite/callback and it will reload SPA and expose the code in URL which can be captured by the SPA then it will send the code to the real backend callback.
GET https://mysite/api/real-callback?code=dummycode
When the backend get the code, it will send the code to the third-party to exchange an access_token. When the backend get the access_token, it will fire an API request to get the user's openid then decide whether to let the user login or register as a new user. At last it will give back a HTTP response to our SPA frontend which contains the access_token in my OAuth2 system or a 401 unauthorized response.
So my question is how to prove that the real callback is invoked by my own clients (Because if some attacker get my frontend embedded client_id then he can fake the OAuth2 request and phishing the user to agree. After that the attacker will get a valid code then he send back the code to my real callback. Finally, he will get the user's access_token in my system.) How can I use OAuth2 to do authentication without the end user's providing additional information like password.
I would suggest you to change the OAuth2 flow to Implicit and ask for both access_token and id_token (OpenID Connect). Your SPA will get the tokens, send the ID token to your backend, which can use it to decide whether it's possible to create such user. The SPA can use the access token to call protected resources.
This way,
only the SPA will be an OAuth2 client - tokens will not be used by two applications (SPA and backend),
you will have just one redirect URI,
you will not need to transfer tokens from the backend to the SPA.
Update: Without OpenID Connect
If you cannot use the id_token, you could send the access_token to your backend and the backend can get the user's username by sending to token to the Introspection endpoint https://www.rfc-editor.org/rfc/rfc7662 (from the response username attribute). The username attribute is optional. Your OAuth2 server may return even more info (such as name and email).
This Introspection endpoint requires authentication, so to use it, your backend will have to be a registered OAuth2 client with its own client_id and a secret.
In the Google developer console, when you create new app credentials for use in OAuth 2.0, and you specify a web app, it requests that you register callback URI and JavaScript origins.
I don't have a precise understanding of the need to register these.
For the callback URI, presumably this prevents a 3rd party who presents a malicious page to a user from getting the authorization code. However, the client id and secret are still hidden in the app server, so isn't the malicious application unable to do anything anyway?
Furthermore, if the callback URI is already registered, what does registering the JS origins separately accomplish. Unlike the callback URI registration, this is not mentioned by the OAuth 2.0 spec, it's something Google chose to implement.
Thank you for your help!
When you request a token, that token will be passed to the callback URL. By only permitting callback URLs that you have configured in the API console, you are preventing malicious users from spoofing the request and having the token sent to a third party. I suspect the aspect of OAuth that you've missed is that the callback is sent via a browser redirect, so is easy to fake.
Callback URLs are part of the OAuth server flow.
JS Origins come into play when you are using the client (Javascript) OAuth flow. They ensure that any OAuth request has come from a page that originated on your site.
The server flow is ...
OK I think I understand a bit more from reading the spec. https://www.rfc-editor.org/rfc/rfc6749#section-10.6
It is to prevent an attack by a user of the same client An attacker can create an account at the same client and initiate auth flow, but he replaces the redirect URI with his own URI.
He then tricks a victim into following the link to authorize the same legit client they are using. However, the auth code is now sent to the attacker URI.
The attacker then completes the flow by providing the auth code back to the client, which the client uses to complete the flow obtaining the token. However, this token may be associated by the client with the attacker, allowing him to impersonate the victim.