Project: PUBLIC - OAuth2
Issue: OAUTH2-36

REQ023 Use QR codes, email links or other out-of-band channel to exchange authorized tokens

Details

• Type: Story
• Status: Open
• Priority: Minor
• Resolution: Unresolved
• Affects Version/s: None
• Fix Version/s: None
• Component/s: None
• Labels: None

Description

Depends On:

It turns out to be a security risk to exchange tokens using email links or QR codes. E-mails and the smartphone camera can be accessed by other native applications, which can steal the content. The threats are similar to those described in [RFC draft] OAuth 2.0 for Native Apps, for which the only standard solution at present is PKCE [RFC 7636].

Because PKCE requires two-way communication between client and server, while QR codes and e-mails are only one-way, it is not possible to exchange security tokens this way.

However, there is another option for using QR codes / email links to ease native client integration: REQ024 [RFC draft] OAuth 2.0 Device Flow. This flow enables limited devices to be authorized using a PIN.

Before starting the Device Flow, the client must be registered in the portal and the native application must obtain a random but public “client_id”. This “client_id”, together with other metadata such as authorization URLs and supported scopes, can be provided as a QR code or via email.

People

• Assignee: Unassigned
• Reporter: tomas.polesovsky Tomáš Polešovský