bshaffer / oauth2-server-php

A library for implementing an OAuth2 Server in php
http://bshaffer.github.io/oauth2-server-php-docs
MIT License

Securing JS WebApp client secret w/ password grant type #257

Open bensquire opened 11 years ago

bensquire commented 11 years ago

I'm building an angular webapp, which will communicate with an API and OAuth2 authentication service. The webapp's source code is viewable, so I don't want to store the client_secret in the code; this site:

http://aaronparecki.com/articles/2012/07/29/1/oauth2-simplified#password

suggests I should be able to send a request (in theory) using the grant type "password", but without the client secret, therefore protecting it from sniffing. However, the library insists the client_secret is required.

If the above article is wrong, what methods do you recommend for authenticating a pure JS app against the API, without using a server?

Thanks in advance! Ben

P.S. The documentation has come on leaps and bounds recently :) thanks!

bshaffer commented 11 years ago

Ben, Thank you for the kind words!

This is a great question, and one that I've been considering, as I've seen instances of password grant being used in this manner.

If you see the spec docs here, they mention:

The authorization server MUST:

o require client authentication for confidential clients or for any client that was issued client credentials (or with other authentication requirements),

So in other words, only if the client is not considered confidential can we allow the granting of a token without a client_secret parameter provided. A non-confidential, or public client is defined as follows:

public Clients incapable of maintaining the confidentiality of their credentials (e.g., clients executing on the device used by the resource owner, such as an installed native application or a web browser-based application), and incapable of secure client authentication via any other means.

In other words, a client executing on a device like in your example.

This library does not currently support any logic for differentiating between confidential and public clients. This is obviously a problem in this case. The easiest way to add support for this in the library is to allow no client_secret to be provided for clients to whom no client_secret exists, as the spec states a public client must not be given a client secret. So this is a necessary (but perhaps not sufficient) condition for public clients. If further support is added to the library later, it will not conflict with this logic.

Do you have any interest in submitting a pull request for this change?

bensquire commented 11 years ago

Thanks for the feedback Brent! I can see that you call the PDO check on checkClientCredentials from HttpBasic. I could probably get something working, but I'm a bit hesitant to start changing the library. Can you provide any guidance?

Cheers Ben
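The check discussed in the two comments above (a missing client_secret is acceptable only for a client that was never issued one, while a client with a secret on file must still present it), as an added example written for this thread rather than code from oauth2-server-php; the client registry, the client ids and the isGrantAllowed helper are hypothetical:

```php
<?php
// Added example, not oauth2-server-php's own code; names and clients are hypothetical.
// Constructed registry: a client with no secret on file is public (browser app);
// a confidential client (server-side app) stores only a hash of its issued secret.
function registeredClients(): array
{
    static $clients = null;
    if ($clients === null) {
        $clients = [
            'spa-browser-app' => ['secret_hash' => null, 'grant_types' => ['password', 'refresh_token']],
            'backend-service' => ['secret_hash' => password_hash('demo-secret', PASSWORD_DEFAULT),
                                  'grant_types' => ['password', 'client_credentials']],
        ];
    }
    return $clients;
}
// Plays the role of a storage checkClientCredentials(): true for a public client
// (no secret on file, so nothing to authenticate) or when the supplied secret
// matches the stored hash of a confidential client.
function checkClientCredentials(string $clientId, ?string $clientSecret): bool
{
    $client = registeredClients()[$clientId] ?? null;
    if ($client === null) {
        return false; // unknown client_id
    }
    if ($client['secret_hash'] === null) {
        return true;  // public client: the spec says it must not have been issued a secret
    }
    if ($clientSecret === null || $clientSecret === '') {
        return false; // confidential client: the secret is mandatory
    }
    return password_verify($clientSecret, $client['secret_hash']);
}
// Skipping client authentication must not widen what the client may request.
function isGrantAllowed(string $clientId, string $grantType): bool
{
    $client = registeredClients()[$clientId] ?? null;
    return $client !== null && in_array($grantType, $client['grant_types'], true);
}
// Simulated token requests (constructed input); the first is the thread's case.
$requests = [
    ['client_id' => 'spa-browser-app', 'client_secret' => null,          'grant_type' => 'password'],
    ['client_id' => 'backend-service', 'client_secret' => null,          'grant_type' => 'password'],
    ['client_id' => 'backend-service', 'client_secret' => 'demo-secret', 'grant_type' => 'password'],
    ['client_id' => 'spa-browser-app', 'client_secret' => null,          'grant_type' => 'client_credentials'],
];
foreach ($requests as $r) {
    $ok = checkClientCredentials($r['client_id'], $r['client_secret']) && isGrantAllowed($r['client_id'], $r['grant_type']);
    printf("%-16s %-18s -> %s\n", $r['client_id'], $r['grant_type'], $ok ? 'accepted' : 'rejected');
}
```

The password grant still requires the resource owner's username and password on top of this client check; the example covers only the client-authentication decision the thread is about.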