
Mobile and desktop OAuth 2.0 security analysis and CodeVerifier mechanism

Posted on 11/28/2020 8:51:48 PM
Desktop and mobile apps embed a browser inside the app to walk the user through the whole OAuth 2.0 flow.

The process is shown in the figure below.



OAuth2.0 web
1) The authorization code (authCode) is returned to the configured web redirectUri (this URI is set by the app developer).
2) To exchange the code for a token, the client must present its clientId and clientSecret to prove its identity (the exchange is performed by the application's backend service).

With these two points in mind, a native app differs in two ways:
1) Since it is not a web app, the redirectUri check is ineffective.
2) Since there is no backend service, the clientSecret cannot be kept secret.
The attack this exposes is shown in the figure below: a malicious application can intercept the authCode and send it to the AuthorizationServer itself to obtain the token. It thus obtains a token even though the user never authorized it, only the legitimate official application, which is exactly the attacker's goal.



Solution:

1. The client generates a random string, the code verifier, and stores it. It then derives a code challenge from it:
code_challenge = transform(code_verifier, [plain | S256])
If the transform method is plain, the code challenge is identical to the code verifier.
If the transform method is S256, the code challenge is the SHA-256 hash of the code verifier.
2. The client includes the code challenge, and the method used to generate it, in the authorization code request. The server binds both values to the authorization code it issues.
3. After receiving the authorization code, the client sends the originally generated code verifier along with the code when exchanging it for an Access Token. The server applies the bound transform method to the code verifier, compares the result with the bound code challenge, and issues an Access Token only if they match.
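The three steps above, worked through in Python as an added example (not code from the original post): the client-side verifier and challenge generation per RFC 7636, and a minimal AuthorizationServer class (an assumed name) that binds the challenge to the issued code and checks the verifier at exchange time.

```python
import base64
import hashlib
import hmac
import secrets
import string

# Characters RFC 7636 allows in a code_verifier: [A-Z] [a-z] [0-9] "-" "." "_" "~"
_VERIFIER_ALPHABET = string.ascii_letters + string.digits + "-._~"


def generate_code_verifier(length: int = 64) -> str:
    """Client step 1: random code_verifier of 43..128 characters (RFC 7636 section 4.1)."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier must be 43..128 characters")
    return "".join(secrets.choice(_VERIFIER_ALPHABET) for _ in range(length))


def code_challenge(code_verifier: str, method: str = "S256") -> str:
    """transform(code_verifier, method): 'plain' returns the verifier unchanged,
    'S256' returns BASE64URL(SHA256(ASCII(code_verifier))) without '=' padding."""
    if method == "plain":
        return code_verifier
    if method == "S256":
        digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
        return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    raise ValueError(f"unsupported code_challenge_method: {method}")


class AuthorizationServer:
    """Assumed minimal server: binds challenge+method to each issued code (step 2)
    and verifies the presented code_verifier on the token exchange (step 3)."""

    def __init__(self) -> None:
        self._pending = {}  # auth_code -> (code_challenge, method)

    def issue_code(self, challenge: str, method: str) -> str:
        code = secrets.token_urlsafe(32)
        self._pending[code] = (challenge, method)
        return code

    def exchange(self, code: str, code_verifier: str) -> bool:
        # Single use: the code is consumed on the first attempt, right or wrong,
        # so a replayed or guessed code fails even if the verifier is later learned.
        bound = self._pending.pop(code, None)
        if bound is None:
            return False
        challenge, method = bound
        # Constant-time comparison so the bound challenge does not leak via timing.
        return hmac.compare_digest(code_challenge(code_verifier, method), challenge)
```

The S256 transform can be checked against the known vector in RFC 7636 Appendix B; an intercepted code is useless to an attacker who does not also hold the verifier.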



