I'm implementing an OAuth secured API, and I assign each client a consumer key and secret. I don't want to assign a separate API key for clients and me to have to keep track of. I'm thinking that authentication happens like this: they generate their payload and sign it with their key and secret, and transmit the key.
On the server, I store the client secret, keyed by their key. When I receive the payload, I use their key to look up the secret, then I decode the payload with that secret. So the secret is not transmitted, but the key is.
So my question is: is this a safe way to handle this situation, or am I missing something important here?
If you are talking about how a client authenticates to the authorization server, OAuth 2.0 requires that the endpoint is secured with TLS, so recommends just using Basic authentication.
Related
I have been trying to understand how OAuth2 works. At first I thought it was redundant to spend one extra step exchanging auth code + client secret for access token - why not have server return access token directly. For that I found this explanation.
Then what confuses me is, why does it need a clientId and a client secret, instead of just a secret? A secret which can both declare and prove itself. The client app then can simply pass it to server when it sends user there to authorize itself for accessing server resource.
Thanks!
Imagine the client signs the request with the secret and sends just the signature. How does the server know which secret to use? Presumably the server supports multiple consumers.
The client id is sent in the first part of the token dance to identify the client. This id is sent in an insecure way, in the URL. Even on the authz server end of this request the id may be exposed in an insecure way where the authz server redirects the user agent to the authorization page. So the client id is not meant to be secure, just to identify the client.
Only after receiving the authorization code (after user authorization), does the client then need to obtain the access token in a more secured way. This is where the client secret is used over TLS.
You can have the server return the access token directly. You need to request Implicit grant (response_type with the value token instead of code).
The authorization server returns the access token directly.
This type of grant is intended to be used for user-agent-based clients (e.g. single page web apps) that can’t keep a client secret or client id because all of the application code and storage is easily accessible. If your client can keep a secret, it is recommended that you use a more secure grant type.
I'm trying to understand what each string in the Oauth 1 scheme does.
As per my understanding, the consumer key and consumer secret are used to sign a request to the api, from the calling application, and the access_token and access_secret pair are used as a proxy for the user's login credentials.
Am I right in my understanding?
Not quite. The consumer key is a value that identifies the client application that is being used to access the user resources, and the access token is the value that provides the authorization to access those resources.
A combination of the consumer secret and token secret are used to sign the request which provides verification that the request is being sent by an authorized party.
You can read more about the definitions of the oauth 1.0a spec here.
My understanding of the 'key' (or 'token') in OAUTH system is like a 'username' to identify the sender which is not confidential but 'secret' is actually like a 'password'.
But reading through the OAUTH 1.0 spec on http://oauth.net/core/1.0/#signing_process, it seems to me when consumer asks service provider for a token (either request token or access token) , the token and token secret are returned in PLAIN (just base-64 encoded) text as HTTP response.
And after searching web it looks in lots of not all case, the "request token URL" is HTTP not HTTPS which means a 3rd party may intercept the token and token secret.
So am I wrong thus far? I know even a 3rd party intercepted the token secret it's still useless as any request by consumer (or any party claim as the consumer) must be signatured with consumer key (plus token secrect) which the 3rd party usually don't know, but then why we need the token secret then?
Although it is permitted to use http, it is recommended (see appendix B.1) to use secure transport (https), otherwise your concerns are quite valid. I know for sure Google allows https:// on all their OAuth transactions, at least as far as getting the token and secret, and for all the API data requests that I've tried so far.
I'm trying to use two legged oauth to allow a mobile client to log into an api I've created, however I can't quite grok the proper workflow for this and all the tutorials seem to say something different.
From what I've read in the two legged version the oauth consumer key and consumer secret are specifically assigned to a user, and the tokens aren't used. So when a user logs in they (or their device) would have to present their consumer key and secret and we can use that to verify their identity. But then what? Does the client device receive some token that they use to access the API, or do they send the consumer information with every request?
And the user can only be expected to remember a username and password, how do we get from username and password on the client device to a consumer key and secret to send to the server?
You shouldn't have a consumer key/secret pair for each client device. The OAuth notion of "consumer" is a particular site or developer using the API to authenticate to you. Who is creating the username/password pairs? Are these specifically your user accounts, or are you looking for users to be able to log into you with Yahoo, Google, etc. accounts?
At any rate, I would expect the users to have a username and password, not a consumer key and consumer secret.
2-legged OAuth removes a separate authN/authZ server that talks directly to the client that is otherwise present in 3-legged OAuth. It certainly does involve (access) tokens. The client device would receive a token and could use that until it expires.
The advantage of this setup is that you do not need to worry about the security of the client_id/secret on every API call. Sending client_id/secret on every call is basic authentication, and it is not recommended. Instead, by using OAuth, you only need to worry about the security of client_id/secret on the API call used to get the token (e.g., once for the life of each token). And if a token is compromised, it has a TTL, whereas client_id/secret do not.
The client_id/secret are not known to the end-user who provides their own user credentials. The client app is expected to handle the negotiation of client_id/secret for token.
Why does OAuth include both an access token and an access token secret as two separate values? As a consumer or OAuth, all of the recommendations that I have seen indicate that I should store the token and secret together and essentially treat them as one value.
So why does the specification require two values in the first place?
Actually, the access token secret is never transmitted to the provider. Instead, requests transmit the access token, and then use the secret to sign the request. That is why you need both: one to identify, and one to secure
There are 2 secrets, one is token secret and other is consumer secret. Secrets are used to sign the requests (to generate the oauth signature) but not transmitted in the request header where token is sent in the header to identify the client and verify if it has access.