Should an OAuth2 authorization code be bound to the Resource Owner?

Time: 01-19

Should the authorization code be somehow linked with the Resource Owner? I have faced one specific case.

Testing case: 2 users (Resource Owners: Bob & John). Bob clicks "login with EXAMPLE" and inputs the credentials for the EXAMPLE social network. The response from the server contains a code equal to qwerty123. John does the same as Bob and uses Bob's code (qwerty123), and as a result John obtains the Access token intended for Bob.

I remember that in RFC6749 it is specified that the auth code is to be bound to a client_id, not a user. Is it a security weakness?

CodePudding user response:

Stealing authorization codes is a potential security weakness. In the case of a public client, the code can be exchanged directly for an access token. The use of PKCE (as defined in RFC7637) is recommended to protect against this. This will be a requirement for all clients in OAuth 2.1.

If the client isn't a "public" client, then it still needs to authenticate to the token endpoint in order to exchange the code for an access token, so an attacker would not be able to obtain an access token with just the stolen authorization code.
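The answer above describes two server-side bindings that stop a copied code from being redeemed by someone else: the code is tied to the client_id it was issued to, and with PKCE it is also tied to a secret (the code_verifier) that only the party who started the flow holds. The following is an added example, not code from the original post or from any real authorization server; it models a token endpoint's checks in plain Python with a constructed in-memory code store, and the client ids, subject names and token format are all made up for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed in-memory store of issued authorization codes (stands in for the
# authorization server's database). Each code is bound to the client_id it was
# issued to, the PKCE challenge sent on the authorization request, and the
# resource owner the code was issued for.
_ISSUED_CODES: dict = {}

# RFC 6749 section 4.1.2 recommends a maximum code lifetime of 10 minutes.
CODE_LIFETIME_SECONDS = 600


def _b64url(data: bytes) -> str:
    """Base64url without padding, as PKCE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple:
    """Client side: generate a random code_verifier and its S256 code_challenge."""
    verifier = _b64url(secrets.token_bytes(32))
    challenge = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def issue_code(client_id: str, code_challenge: str, subject: str,
               now: Optional[float] = None) -> str:
    """Authorization endpoint: issue a single-use code bound to client, challenge and subject."""
    now = time.time() if now is None else now
    code = secrets.token_urlsafe(32)
    _ISSUED_CODES[code] = {
        "client_id": client_id,
        "code_challenge": code_challenge,
        "subject": subject,
        "expires_at": now + CODE_LIFETIME_SECONDS,
        "used": False,
    }
    return code


def redeem_code(code: str, client_id: str, code_verifier: str,
                now: Optional[float] = None) -> dict:
    """Token endpoint: validate an authorization_code grant.

    Returns a constructed token response on success and raises ValueError with
    an OAuth-style error string otherwise. The code is burned on its first
    presentation whatever the outcome, so a second party cannot retry it.
    """
    now = time.time() if now is None else now
    record = _ISSUED_CODES.get(code)
    if record is None:
        raise ValueError("invalid_grant: unknown code")
    if record["used"]:
        # RFC 6749 also says the server SHOULD revoke tokens already issued on a
        # replayed code; that step is omitted in this constructed example.
        raise ValueError("invalid_grant: code already used")
    record["used"] = True
    if now > record["expires_at"]:
        raise ValueError("invalid_grant: code expired")
    # Binding 1: the client_id on the token request must be the one the code was issued to.
    if not hmac.compare_digest(record["client_id"].encode(), client_id.encode()):
        raise ValueError("invalid_grant: code issued to a different client")
    # Binding 2 (PKCE): only the party holding code_verifier can redeem the code.
    # This is what blocks the "John uses Bob's code" case, since both users run
    # the same public client and therefore share a client_id.
    expected = _b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
    if not hmac.compare_digest(expected.encode(), record["code_challenge"].encode()):
        raise ValueError("invalid_grant: PKCE verification failed")
    return {
        "access_token": "constructed-token-for-" + record["subject"],
        "token_type": "Bearer",
        "sub": record["subject"],
    }


if __name__ == "__main__":
    # Replay the scenario from the question: Bob starts the flow, John copies the code.
    bob_verifier, bob_challenge = make_pkce_pair()
    code = issue_code("example-app", bob_challenge, "bob")
    john_verifier, _ = make_pkce_pair()  # John never learns bob_verifier
    try:
        redeem_code(code, "example-app", john_verifier)
    except ValueError as err:
        print("John's attempt rejected:", err)
```

A practical consequence of burning the code on first presentation is that after John's failed attempt Bob's own redemption also fails with "code already used"; that is the intended trade-off, since a code that has been seen by two parties should not produce a token for either.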
