apigee / api-platform-samples

Working samples for the Apigee API Platform
Apache License 2.0

Implicit grant flow is not secure #74

Open apichick opened 8 years ago

apichick commented 8 years ago

This is the implicit grant flow:

1.- Authorization Request:

https://$org-$env.$api_domain/oauth/authorize?response_type=token&client_id=$consumerkey&redirect_uri=$callback&scope=READ&state=foobar

2.- The API Provider Login Page Redirection URI:

https://$org-$env.$api_domain/oauth/samplelogingpage?client_id={request.queryparam.client_id}&response_type={request.queryparam.response_type}&scope={request.queryparam.scope}

3.- On successful authentication, the login application invokes this URL and it returns the AccessToken to the App:

https://$org-$env.$api_domain/oauth/token?client_id=$consumerkey&response_type=code&app_enduser={userId}

In my opinion this is insecure: anybody knowing the app_enduser and the client_id could call the token endpoint and get a bearer token without the user having authenticated at all in the login page, because the token endpoint is not protected at all.

Imagine the scenario where we would be saving that app_enduser as a custom attribute linked to the bearer token, and then we have some other endpoint where we verify the access token, fetch that app_enduser from the token and pass it on to a target endpoint. Any malicious user could actually be impersonating the real app end user.
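To make the point above concrete, here is an added illustration (not code from the api-platform-samples project, and not an Apigee policy configuration) contrasting the token endpoint as the issue describes it with one that only issues a token for a user who has actually authenticated. The hardened variant assumes the login page and the token endpoint share an HMAC secret and that the login page hands the app a short-lived, single-use, signed login assertion after a successful password check; the client registrations, credentials, secret and function names are all constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed sample registrations and credentials (not taken from the page or the sample project).
CLIENTS = {"consumerkey-demo": {"redirect_uri": "https://app.example/callback"}}
USERS = {"alice": "correct horse battery staple"}
# Assumed: a secret shared by the login page and the token endpoint, used to sign login assertions.
SERVER_SECRET = b"constructed-server-secret-change-me"


def issue_token_insecure(client_id: str, app_enduser: str) -> Optional[dict]:
    """Token endpoint as described in the issue: it trusts app_enduser straight from the
    query string, so anyone who knows a client_id and a user id gets a token for that user."""
    if client_id not in CLIENTS:
        return None
    return {"access_token": secrets.token_urlsafe(24), "app_enduser": app_enduser}


def _sign(body: str) -> str:
    return hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).hexdigest()


def login(username: str, password: str, client_id: str, state: str, now: Optional[float] = None) -> Optional[str]:
    """Login page: only after the password check succeeds does it mint a signed assertion that is
    bound to the client_id and state of the authorization request and expires after 60 seconds."""
    if USERS.get(username) != password:
        return None
    payload = {
        "sub": username,
        "client_id": client_id,
        "state": state,
        "nonce": secrets.token_hex(8),          # makes the assertion single-use
        "exp": int(now or time.time()) + 60,    # short lifetime limits replay window
    }
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode().rstrip("=")
    return f"{body}.{_sign(body)}"


_consumed_nonces: set = set()


def issue_token_hardened(client_id: str, redirect_uri: str, login_assertion: str,
                         now: Optional[float] = None) -> Optional[dict]:
    """Hardened token endpoint: the user id comes from a verified login assertion, never from the caller.
    Every check fails closed; the nonce is consumed only when a token is actually issued."""
    try:
        body, sig = login_assertion.split(".", 1)
    except ValueError:
        return None
    if not hmac.compare_digest(sig, _sign(body)):           # reject forged or tampered assertions
        return None
    payload = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    client = CLIENTS.get(client_id)
    if client is None or payload["client_id"] != client_id:  # assertion must be for this client
        return None
    if redirect_uri != client["redirect_uri"]:               # only the registered callback may receive the token
        return None
    if (now or time.time()) > payload["exp"]:                # expired assertion
        return None
    if payload["nonce"] in _consumed_nonces:                 # replayed assertion
        return None
    _consumed_nonces.add(payload["nonce"])
    return {
        "access_token": secrets.token_urlsafe(24),
        "app_enduser": payload["sub"],   # taken from the assertion, not from the request
        "state": payload["state"],
    }


if __name__ == "__main__":
    # The insecure endpoint hands out a token for "alice" with no login at all.
    print(issue_token_insecure("consumerkey-demo", "alice"))
    # The hardened endpoint refuses unless the login page vouched for the user.
    print(issue_token_hardened("consumerkey-demo", "https://app.example/callback", "forged.assertion"))
    assertion = login("alice", "correct horse battery staple", "consumerkey-demo", "foobar")
    print(issue_token_hardened("consumerkey-demo", "https://app.example/callback", assertion))
```

The important design choice is that the hardened endpoint never reads a user identifier from the caller: the only way to obtain a token for alice is to present an assertion that the login page signed after checking her password, and that assertion is bound to one client, one callback and one use. An equivalent fix in the real sample would have to be expressed with the platform's own policies, but the checks it needs to perform are the ones shown here.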

peraxel commented 7 years ago

I totally agree. This is not ready for implementation.