oauth – Is OAuth2.0 Authorization Code Grant flow with PKCE really secure?

CONTEXT

There is an SPA that uses the Authorization Code Grant flow with PKCE to get info from an API; all the info is highly sensitive.

Here is what I found about how the Authorization Code Grant flow with PKCE works:

v = code_verifier

$ = code_challenge

a = authorization_code


QUESTIONS

  • What will happen if someone authenticates using the SPA and gets the code_verifier (random string), code_challenge (hashed code verifier using SHA-256) and authorization code (or simply the token generated at the end of the grant flow) from the request by opening the web developer tools? Is he able to request the information from his own client using the verifier, challenge and auth code to get the information?

REMEMBER:

  • The SPA can’t use a backend, so all requests are exposed all the time

  • I can’t rely on SOP or CORS to block this; you know that some clients like Postman can bypass SOP and CORS

  • The info is very sensitive, so only authorized clients can get the info, for example: https://authorized-third-party.com must be able to get its info, but http://fake-third-party.com must not be able to get the info

Thanks in advance, OAuth confuses me a lot so please try to be gentle

oauth2 – How to mitigate malicious 3rd party app from generating unauthorized OAuth Request in Desktop App

I have a REST API that a Desktop Application needs to access. I am using an OpenID Connect auth code flow to accomplish this.

  1. The desktop app establishes an unauthenticated session with the REST
    API server. The REST API server then generates a state and nonce for
    building an Auth Code request URI, it then sends the Auth Code
    request URI and sessionID in the response to the desktop app.

  2. The Desktop app then opens the URI in a web browser, and the
    user authenticates with the IDP.

  3. The auth code is returned to the app which it passes back to the
    REST API server using the sessionID that only the desktop app knows,
    and then the API server exchanges the auth code for an id_token and
    verifies that the exchanged token nonce matches the nonce it
    originally passed in the initial request ensuring that it belongs to
    the session.

  4. After confirming it then passes some credentials to the client.

This process prevents the code from being misused if it’s intercepted and it ensures that the token is only granted to a person who has knowledge of the sessionID (which is reasonably only the desktop app).

While these protections prevent token exchange snooping, I do not see how to mitigate the threat of a malicious 3rd party app generating an unauthorized Auth Code request and manipulating valid auth sessions with the IDP to trick the user into using the malicious Auth Code request.

A malicious app could generate a legitimate Auth Code URI request and then inject it during the browser redirect to the IDP and an unsuspecting user would be none the wiser that they are now authorizing a different application.

Is it even possible to prevent this from happening outside of ensuring a malicious app isn’t on a device?

oauth – Use Managed Identity of Azure Function when calling another Azure Function

There’s a helpful Microsoft doc that describes how to configure security for a daemon client application. This works OK, but it means the client app must present a client id and client secret to the /token endpoint of AAD in order to obtain the OAuth2 access token.

This makes no use of managed identity and means I need to ensure the security of the client secret of the daemon app. If the client id and secret of this app were to fall into the wrong hands, there’s nothing to prevent a bad actor obtaining an access token and calling the target service.

I realise that a certificate can be used instead of a client secret but my question is, can this be avoided through the use of the managed identity of the client daemon app?

oauth – Is it a good practice to store both the Google OAuth2 access token and the refresh token in the database unhashed?

I recently came across a source code where they save a user’s refresh token and the access token upon sign in through Google into the database. This is done to access the Google APIs later on through the server.

My question is, isn’t this insecure? This is like storing passwords in plaintext in the database. If the database gets hacked, then anyone can use those credentials to wreak havoc using the Google API. By the way, those users will have permission to add and edit users in a Google Workspace.

libraries – Multiple API connections over OAuth

Building an application that allows the User to access data from multiple accounts – GMail, Drive, Facebook, Twitter, Calendar, Outlook etc.

All these SDKs (APIs) use OAuth2 for authenticating the user and accessing their data. I understand the auth flow and I know that the refresh_token needs to be stored, and the access_token fetched when required.

Is there a library in python/javascript (Node.js) that does this? That has implemented a common function to add a Google, Facebook, Twitter etc account. Instead of using each SDK separately.

Note: I don’t need the accounts for login, I have checked libraries such as Grant which allow using these accounts for login and maintaining session.

ChaseApp is a good example that allows adding integrations with multiple accounts.

authorization – How to mitigate risk of spoofing / impersonating in OAuth Device flow ( device code flow ) in Azure AD?

I have developed a C# application and hosted it as a Windows service on a machine at http://localhost:5000 . This application is registered in Azure Active Directory.

The application is using the below details in its configuration:

"ClientId": "242429ea-xxxx-4ddb-xxxx-xxxxxxxxxxxxx",
"Tenant": "67ss7s7s7s-4e27-beee-yyyyyyyyyyyy",
"Scope": "api://12121212-5600-xxxx-1111-123456789/IoTGateway",

The application receives a token from AAD, which will be used by the user for authenticating (OAuth Device flow in Azure AD, sometimes called device code flow).

Question

Currently, all the employees of the company are registered in AD, and frustrated employees who copy the application configuration values can get access by SPOOFING the application. This is a risk. How to mitigate this?

Note: An attacker can shut down this application and run his own spoofed application on the same port 5000.


Is it possible to create a security group and add only users who are supposed to have access to this application?

Example

AD All Users
    User 1
    User 2
    User 3
AD Sec Group 1
    User 1
    User 2

So user 3, even after having the secret, shall have his request rejected by AAD. Is it possible?

authorization – Is a consent screen in an OAuth 2.0 implementation optional

I’ve read through RFC 6749: https://datatracker.ietf.org/doc/html/rfc6749

The only mention of consent is in this bit:

The authorization server MUST implement CSRF protection for its
authorization endpoint and ensure that a malicious client cannot
obtain authorization without the awareness and explicit consent of
the resource owner.

The above does not (to me anyway) translate to: “Hey show a consent screen with requested scopes before responding with an authorisation”.

I’ve seen so many OAuth 2.0 implementations however where a consent screen is shown.

Question 1: As per the title really – is it actually needed?

Question 2: Is there an RFC that specifies what such a consent screen (if you are to implement one) should look like, including any required messaging and response if the user declines?