IdentityModel / AuthorizationServer

Sample implementation of an OAuth2 Authorization Server

Client credentials flow and replay attack #217

Closed cotepatrice closed 10 years ago

cotepatrice commented 10 years ago

I implemented a Web API 2 service (OWIN host based). I started with the samples I got from the solution for the client credentials flow and resource server 2. Everything works just fine, but I realized that if I have got the Authorization: Bearer header (from Fiddler), I can rerun the same request over and over again without problem. I understand it is by design, since the OAuth 2 protocol doesn't mess with authentication. And the principle is that we grant permission to the client app, once and for all, so there's no need for reauthentication. Plus, the service is encrypted over SSL.

But in the corporate world, where we want to allow calls from one machine in the DMZ to another inside the domain (the ones that host the Web API), we want to limit the possible attack range. Might it be more suitable to use another flow? Or just change the token lifetime in Authorization Server?

brockallen commented 10 years ago

I'm a little confused on what you're trying to achieve or protect -- are you looking for a way to prevent abuse of a token that is stolen? Or are you looking for a way to throttle abusive clients?

cotepatrice commented 10 years ago

Stolen tokens, mostly.

brockallen commented 10 years ago

Yea, your best bet for that is to limit the token lifetime.
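To make the effect of a shorter lifetime concrete, here is an added simulation (not code from AuthorizationServer, and not its token format): a constructed HMAC-signed bearer token carrying `iat`/`exp` claims, a resource-server check that rejects expired or tampered tokens, and a helper showing at which replay times a captured token is still accepted. The signing key and the 30-second clock-skew leeway are assumptions for the example.

```python
import base64
import hashlib
import hmac
import json
from typing import List, Optional

# Constructed signing key for this example only; a real server uses its own key material.
SECRET = b"example-signing-key"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(client_id: str, now: int, lifetime_seconds: int) -> str:
    """Authorization-server side: issue a token valid from `now` for `lifetime_seconds`."""
    claims = {"client_id": client_id, "iat": now, "exp": now + lifetime_seconds}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def validate_token(token: str, now: int, leeway_seconds: int = 30) -> Optional[dict]:
    """Resource-server side: accept only a correctly signed, unexpired token.

    Returns the claims on success, None on any failure. The signature is checked
    before the body is parsed, so a tampered body never reaches json.loads.
    """
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64(sig), expected):
        return None
    claims = json.loads(_unb64(body))
    # A stolen token keeps working until exp (plus leeway); the lifetime bounds the replay window.
    if now > claims["exp"] + leeway_seconds:
        return None
    return claims


def replay_window(token: str, attempt_times: List[int]) -> List[bool]:
    """For each time a captured token is resent, report whether the server accepts it."""
    return [validate_token(token, t) is not None for t in attempt_times]
```

Shortening the lifetime passed to `issue_token` shrinks the span of `True` results in `replay_window`, which is the mitigation the thread settles on.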

cotepatrice commented 10 years ago

Thanks! That's what I did.