bshaffer / oauth2-server-php

A library for implementing an OAuth2 Server in php
http://bshaffer.github.io/oauth2-server-php-docs
MIT License

Server to Server: client_secret and user password transmission for password grant type #518

Open metasection opened 9 years ago

metasection commented 9 years ago

Looking for some guidance on protecting the credentials in our server-to-server (2-legged) implementation.

We are currently posting the following to our Super-awesome OAuth2 Server (thanks to bshaffer) in order to get an access_token. (note: server using SSL).

curl -v "https://test.com/oauth2/token" \
-d "grant_type=password&client_id=abcdef&client_secret=123456&username=me&password=super"

We need to be absolutely sure that no-one can "capture and replay" this POST and get an access_token.

Seems to me that we should be implementing client certificates to complement the OAuth2 implementation. Something similar to the process described in Using SSL Client Certificates with PHP.

Is this the correct approach? Should we be developing this solution or is there something built into the OAuth2 server?
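As an added example, not taken from the issue or from the library's own code, here is what the approach metasection proposes could look like on the token endpoint. The library still verifies client_id, client_secret, username and password as usual; the script in front of it additionally requires a client certificate that the web server has already verified, and checks that the certificate's CN is the one registered for the client_id in the POST body, so a captured request body cannot be replayed from a host that does not hold that client's private key. Assumptions (none of them from the page): Apache mod_ssl with `SSLVerifyClient require`, `SSLCACertificateFile` and `SSLOptions +StdEnvVars`, which populates `$_SERVER['SSL_CLIENT_VERIFY']` and `$_SERVER['SSL_CLIENT_S_DN_CN']`; a PDO database with the library's standard schema plus a hypothetical `client_certificates(client_id, cert_cn)` table; PHP 7 or later for the `??` operator.

```php
<?php
// token.php: password-grant token endpoint, gated on a verified TLS client certificate.
// Added example; not part of bshaffer/oauth2-server-php. Assumes Apache mod_ssl with
//   SSLVerifyClient require
//   SSLCACertificateFile /etc/ssl/private/clients-ca.pem   (CA that issues client certs)
//   SSLOptions +StdEnvVars
// so SSL_CLIENT_VERIFY and SSL_CLIENT_S_DN_CN reach PHP (nginx users would pass
// $ssl_client_verify / $ssl_client_s_dn through fastcgi_param instead).

require_once '/path/to/oauth2-server-php/src/OAuth2/Autoloader.php';
OAuth2\Autoloader::register();

// Hypothetical DSN and credentials; the schema is the library's standard one plus
// one extra table: client_certificates(client_id VARCHAR, cert_cn VARCHAR).
$pdo = new PDO('mysql:dbname=oauth2;host=localhost', 'oauth_user', 'oauth_pass');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$storage = new OAuth2\Storage\Pdo($pdo);
$server  = new OAuth2\Server($storage, array(
    // Short-lived tokens bound the damage if one is ever captured.
    'access_lifetime' => 600,
));
$server->addGrantType(new OAuth2\GrantType\UserCredentials($storage));

$request  = OAuth2\Request::createFromGlobals();
$response = new OAuth2\Response();

// 1. Refuse anything that did not arrive over TLS with a certificate the web
//    server verified against the client CA. Without this, client_secret and the
//    user's password are the only things standing between a captured body and a token.
$verified = $_SERVER['SSL_CLIENT_VERIFY'] ?? '';
if (empty($_SERVER['HTTPS']) || $verified !== 'SUCCESS') {
    $response->setError(401, 'invalid_client', 'TLS client certificate required');
    $response->send();
    exit;
}

// 2. Bind the presented certificate to the client_id in the POST body. A valid
//    certificate for some *other* client must not be able to use these credentials.
$clientId = (string) $request->request('client_id');
$stmt = $pdo->prepare('SELECT cert_cn FROM client_certificates WHERE client_id = :client_id');
$stmt->execute(array(':client_id' => $clientId));
$expectedCn  = $stmt->fetchColumn();
$presentedCn = $_SERVER['SSL_CLIENT_S_DN_CN'] ?? '';

if ($expectedCn === false || !hash_equals((string) $expectedCn, $presentedCn)) {
    $response->setError(401, 'invalid_client', 'client certificate does not match client_id');
    $response->send();
    exit;
}

// 3. Only now let the library check client_secret, username and password and mint
//    the access token. The response already carries Cache-Control: no-store.
$server->handleTokenRequest($request, $response)->send();
```

Two caveats a practitioner should keep in mind with this setup. First, the library itself cannot tell a replayed POST from a fresh one: the same grant_type/client_secret/username/password body yields a new token every time, so the protection comes from keeping the body off the wire (TLS), out of logs and shell histories (prefer `--data-urlencode` from a file over a literal on the curl command line), and from the certificate binding above, which makes a captured body useless to anyone without the client's private key. Second, the check runs after the web server has already accepted the TLS handshake, so `SSLVerifyClient require` (or the nginx equivalent) must be set on the token endpoint itself; with `optional` the script would see `SSL_CLIENT_VERIFY` equal to `NONE` and the first check is what rejects the request.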

dashohoxha commented 9 years ago

If https://test.com/ already has an SSL certificate, I think that this is already safe; nothing extra needs to be implemented. But I am not an expert.

dashohoxha commented 9 years ago

The SSL client certificates that you refer to above can be useful only for an intranet, where you know who the users are and can issue a certificate to each of them (to be used by the application instead of the username/password). My opinion is that they are not useful for the Internet (where anybody can register and log in to your app).