jaredhanson / passport-oauth1

OAuth 1.0 authentication strategy for Passport and Node.js.
https://www.passportjs.org/packages/passport-oauth1/?utm_source=github&utm_medium=referral&utm_campaign=passport-oauth1&utm_content=about
MIT License

How secret is the oauthTokenSecret? #16

Open ForbesLindesay opened 6 years ago

ForbesLindesay commented 6 years ago

Judging by the name oauthTokenSecret probably shouldn't be shared with the user? Since many people store session data in a cookie, this seems at odds with the default implementation of oauth1. I may be missing something though?

jaredhanson commented 6 years ago

It is a secret that should only be known by the client/application to which the token was issued.

this seems at odds with the default implementation of oauth1

I'm not sure what you mean by "default implementation", and what is at odds. If the client is storing secrets in a way that users can access them, then yes that is at odds. Hopefully it is not the default implementation.

ForbesLindesay commented 6 years ago

One of the most popular session implementations for express is cookie-session. It stores the session in plain text in a cookie (JSON encoded). By default passport-oauth1 stores the oauth_token_secret in the session.

jaredhanson commented 6 years ago

Those sessions either have all data in a backend data store or are encrypted with a key only the backend knows. In both cases the secret is only accessible to the backend (which is the oauth client), so there's no issue with such implementation.


ForbesLindesay commented 6 years ago

https://www.npmjs.com/package/cookie-session Signs the session data with a secret key, but it does not encrypt the data. A user can still read the contents of the session as plain text.

jaredhanson commented 6 years ago

The token secret that is stored in the session is associated with the request token (aka temporary credentials). This request token is a one-time use token and secret exchanged for the final access token. In this sense, it serves a similar purpose to the authorization code in OAuth 2.0, and there's little risk associated with storing it in a signed-only cookie. The protocol has other means to authenticate use of the temporary credentials (such as client secrets).

The token secret associated with the access token is handed off to the application by passport-oauth1, and is not stored in the session. I would not advise putting this token or secret in a session whose contents are visible to the user. If client-side cookie storage is needed, I would advise client-sessions, which encrypts the data.