Details

    • Type: Sub-Task
    • Status: Closed
    • Priority: Minor
    • Resolution: Completed
    • Affects Version/s: None
    • Fix Version/s: 1.0-portal_7.1.0
    • Component/s: None
    • Labels:

      Description

      Same as with the implicit grant vulnerability for the Implicit Flow. However, in this instance it is the Authorization Code that is leaked instead of the Access Token.

      Mitigation @ OAuth2 provider:

      • In cases where the app is stateful (cookies, HTTP session etc.), the redirect_uri can point to a headless resource that is dedicated to exchanging authorization codes for access tokens. This drastically reduces the chances of an XSS vulnerability at that URL.
      • Recommend to the application admin that they use a dedicated resource as above.
      • Implement PKCE, which requires the token exchange to present a code_verifier matching the code_challenge bound to the authorization code.
        • Implement [REQ013 Support for Native Apps - [RFC 7636] Proof Key for Code Exchange by OAuth Public Clients (PKCE)|https://docs.google.com/document/d/1BYd_nCWRUOB5JW-YzlPtCKNXBq85drAWftZv-BNrfxg/edit#heading=h.9n0vdo1bmc2x]
        • For this to be effective for SPA clients …
          • the PKCE code_verifier must not be readable by JavaScript. Consider providing an option to store it in an "HTTP only" cookie.
          • Similarly, the Access Token must be protected from JavaScript too.
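The PKCE binding from the last bullet group, as an added example that is not part of this issue or of the product's own code: a toy Python authorization server that stores the S256 code_challenge with each issued authorization code and refuses the exchange when the presented code_verifier does not match, so a code leaked through XSS cannot be redeemed without the verifier. Client ids and redirect URIs are constructed; the example assumes, as the bullets above require, that the verifier itself is kept out of reach of page JavaScript.

```python
import base64
import hashlib
import hmac
import secrets


def generate_code_verifier(nbytes: int = 32) -> str:
    # RFC 7636 s4.1: 43..128 unreserved chars; 32 random bytes -> 43 base64url chars
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode("ascii")


def code_challenge_s256(code_verifier: str) -> str:
    # RFC 7636 s4.2: code_challenge = BASE64URL-ENCODE(SHA256(ASCII(code_verifier)))
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    """Toy OAuth2 provider (constructed for this example): each issued authorization
    code is bound to the code_challenge, client_id and redirect_uri of the request."""

    def __init__(self) -> None:
        self._codes = {}  # code -> (code_challenge, client_id, redirect_uri)

    def authorize(self, client_id: str, redirect_uri: str,
                  code_challenge: str, method: str = "S256") -> str:
        if method != "S256":
            raise ValueError("only S256 is accepted; refuse 'plain' for public clients")
        code = secrets.token_urlsafe(24)
        self._codes[code] = (code_challenge, client_id, redirect_uri)
        return code

    def token(self, code: str, code_verifier: str,
              client_id: str, redirect_uri: str) -> dict:
        entry = self._codes.pop(code, None)  # single use: a replayed code is rejected
        if entry is None:
            return {"error": "invalid_grant"}
        challenge, bound_client, bound_uri = entry
        if client_id != bound_client or redirect_uri != bound_uri:
            return {"error": "invalid_grant"}
        if not 43 <= len(code_verifier) <= 128:
            return {"error": "invalid_grant"}
        # Constant-time comparison of the recomputed challenge with the stored one
        if not hmac.compare_digest(code_challenge_s256(code_verifier), challenge):
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}
```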
