- Type: Story
- Status: Open
- Priority: Minor
- Resolution: Unresolved
- Affects Version/s: None
- Fix Version/s: None
- Component/s: None
- Labels: None
- Depends On:
It turns out to be a security risk to exchange tokens using e-mail links or QR codes: e-mail clients and the smartphone camera can be accessed by other native applications, which can steal the content. The threats are similar to those described in [RFC draft] OAuth 2.0 for Native Apps, where the only standard mitigation today is PKCE [RFC 7636].
Because PKCE requires two-way communication between client and server, while a QR code or an e-mail is a one-way channel, security tokens cannot be exchanged this way.
However, there is another way to use QR codes / e-mail links to ease native client integration: REQ024 [RFC draft] OAuth 2.0 Device Flow. This flow lets limited devices be authorized using a PIN.
Before starting the Device Flow, the client must be registered in the portal and the native application must obtain a random but public "client_id". This "client_id", together with other metadata such as authorization URLs and supported scopes, can be provided as a QR code or via e-mail.
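As an added illustration (not code from this issue or from the portal), the following Python sketch shows the exchange described above: the QR/e-mail payload carries only public client metadata, the client refuses a payload that would smuggle a credential over that one-way channel, and the token itself is then obtained through the two-way Device Flow with its PIN (user_code). The endpoint URLs, the `example-native-app` client_id and the in-memory `DeviceAuthServer` are assumptions made for the example.

```python
"""Device flow bootstrapped from public client metadata delivered by QR code or e-mail."""
import json
import secrets
from dataclasses import dataclass, field

# Constructed payload as a portal could encode it in a QR code or e-mail link (hypothetical).
# It carries only PUBLIC client metadata; no token or secret travels this way.
QR_PAYLOAD = json.dumps({
    "client_id": "example-native-app",          # hypothetical registered client_id
    "device_authorization_endpoint": "https://portal.example/oauth2/device",
    "token_endpoint": "https://portal.example/oauth2/token",
    "scopes": ["read", "write"],
})

REQUIRED = ("client_id", "device_authorization_endpoint", "token_endpoint", "scopes")
FORBIDDEN = ("client_secret", "access_token", "refresh_token", "id_token", "code")


def parse_client_metadata(payload: str) -> dict:
    """Parse the QR/e-mail payload; accept only public metadata with https endpoints."""
    meta = json.loads(payload)
    missing = [k for k in REQUIRED if k not in meta]
    if missing:
        raise ValueError(f"client metadata incomplete: missing {missing}")
    leaked = [k for k in FORBIDDEN if k in meta]
    if leaked:
        # The one-way channel is readable by other apps: never let it carry credentials.
        raise ValueError(f"refusing payload that carries credentials: {leaked}")
    for key in ("device_authorization_endpoint", "token_endpoint"):
        if not meta[key].startswith("https://"):
            raise ValueError(f"{key} must be an https URL")
    return meta


@dataclass
class DeviceAuthServer:
    """In-memory stand-in for the portal's device-flow endpoints (hypothetical).
    Time is passed in explicitly so the exchange replays deterministically."""
    clients: set
    interval: int = 5
    lifetime: int = 600
    _pending: dict = field(default_factory=dict)      # device_code -> grant state
    _by_user_code: dict = field(default_factory=dict)

    def device_authorization(self, client_id: str, scope: str, now: float) -> dict:
        if client_id not in self.clients:
            return {"error": "invalid_client"}
        device_code = secrets.token_urlsafe(32)      # secret, never leaves the device
        user_code = f"{secrets.randbelow(10**4):04d}-{secrets.randbelow(10**4):04d}"
        self._pending[device_code] = {"client_id": client_id, "scope": scope,
                                      "approved": False, "last_poll": float("-inf"),
                                      "expires_at": now + self.lifetime}
        self._by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://portal.example/device",
                "expires_in": self.lifetime, "interval": self.interval}

    def approve(self, user_code: str) -> bool:
        """The user types the PIN into the portal from a browser they control."""
        device_code = self._by_user_code.pop(user_code, None)   # PIN is single-use
        if device_code is None or device_code not in self._pending:
            return False
        self._pending[device_code]["approved"] = True
        return True

    def token(self, client_id: str, device_code: str, now: float) -> dict:
        state = self._pending.get(device_code)
        if state is None or state["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if now > state["expires_at"]:
            del self._pending[device_code]
            return {"error": "expired_token"}
        if now - state["last_poll"] < self.interval:
            return {"error": "slow_down"}            # client polls faster than allowed
        state["last_poll"] = now
        if not state["approved"]:
            return {"error": "authorization_pending"}
        del self._pending[device_code]               # device_code is single-use
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "scope": state["scope"]}


def run_device_flow(server: DeviceAuthServer, meta: dict, approve_on_poll: int,
                    max_polls: int = 50) -> dict:
    """Client side: get a device code, show the PIN, poll until a token or a final error."""
    now = 0.0
    auth = server.device_authorization(meta["client_id"], " ".join(meta["scopes"]), now)
    if "error" in auth:
        return auth
    for poll in range(max_polls):
        if poll == approve_on_poll:                  # simulates the user entering the PIN
            server.approve(auth["user_code"])
        resp = server.token(meta["client_id"], auth["device_code"], now)
        if resp.get("error") not in ("authorization_pending", "slow_down"):
            return resp
        now += auth["interval"]                      # honour the server-mandated interval
    return {"error": "gave_up"}


if __name__ == "__main__":
    meta = parse_client_metadata(QR_PAYLOAD)
    print(run_device_flow(DeviceAuthServer(clients={meta["client_id"]}), meta, approve_on_poll=3))
```

The QR payload is the only thing that crosses the camera or mailbox, and it is useless on its own: the `device_code` and the access token exist only on the two-way connection between the app and the portal, and the PIN is bound to a single pending grant and consumed on approval.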
Sub-tasks:

| # | Summary | Key | Status | Assignee |
|---|---|---|---|---|
| 1 | REQ023.UC001 Portal provides OAuth2 client description via QR code | OAUTH2-90 | Open | Unassigned |
| 2 | REQ023.UC002 Portal provides OAuth2 client description via email | OAUTH2-91 | Open | Unassigned |