oauth-wg / oauth-v2-1

OAuth 2.1 is a consolidation of the core OAuth 2.0 specs
https://oauth.net/2.1/

Problems with authorization servers that don't support public clients #161

Open hickford opened 1 year ago

hickford commented 1 year ago

https://www.ietf.org/archive/id/draft-ietf-oauth-v2-1-09.html

Authorization servers MUST record the client type in the client registration details in order to identify and process requests accordingly

Unfortunately many authorization servers don't record client type. Some authorization servers explicitly say that they don't support public clients. Is this okay? Banning public clients tempts app developers to bend the rules and register a public client as a confidential client, compromising security.

SourceHut bans public clients https://man.sr.ht/meta.sr.ht/oauth.md

Only confidential clients are supported; public clients are not allowed

Azure DevOps bans public clients https://learn.microsoft.com/en-us/azure/devops/integrate/get-started/authentication/azure-devops-oauth?view=azure-devops

Can I use OAuth with my mobile phone app? No. Azure DevOps Services only supports the web server flow... as [public clients] can't securely store the app secret.

GitHub doesn't record client type but seems to deduce it based on redirect URI https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/creating-an-oauth-app

hickford commented 1 year ago

Mailing list discussion https://mailarchive.ietf.org/arch/msg/oauth/iJ6WAbJzHWiGmaFO-qAzg30B_28/

Such servers typically assume all clients to be confidential, neglecting security measures appropriate for public clients.
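As an added example (not code from this thread, the OAuth 2.1 draft, or any of the servers named above), here is the kind of type-dependent processing the quoted requirement asks for: the client type is recorded at registration, a confidential client must authenticate with its secret, and a public client, which cannot authenticate, gets one-time-use (rotated) refresh tokens instead. Client ids, the secret and the PKCE verifier are constructed values, and the choice of refresh-token rotation as the public-client measure is this example's own.

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Client:
    client_id: str
    client_type: str              # "public" or "confidential", recorded at registration
    secret_hash: Optional[bytes]  # only confidential clients hold a secret


def s256(code_verifier: str) -> str:
    """PKCE S256 transform: BASE64URL(SHA256(code_verifier)) without padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def register(client_id: str, client_type: str, secret: Optional[str] = None) -> Client:
    """Record the client type at registration; only confidential clients get a secret."""
    if client_type not in ("public", "confidential"):
        raise ValueError("client_type must be 'public' or 'confidential'")
    if client_type == "public" and secret is not None:
        raise ValueError("a public client cannot keep a secret, so none is issued")
    if client_type == "confidential" and not secret:
        raise ValueError("a confidential client must be issued a secret")
    secret_hash = hashlib.sha256(secret.encode()).digest() if secret else None
    return Client(client_id, client_type, secret_hash)


def check_code_exchange(client: Client, request: dict, stored_challenge: str) -> dict:
    """Validate an authorization_code token request for a client of known type.

    Returns {"error": <oauth error>} or {"ok": True, "rotate_refresh_token": bool}.
    """
    # PKCE binds the code to the party that started the flow; OAuth 2.1 requires it
    # for every authorization code exchange, whatever the client type.
    verifier = request.get("code_verifier", "")
    if not verifier or not hmac.compare_digest(s256(verifier), stored_challenge):
        return {"error": "invalid_grant"}
    if client.client_type == "confidential":
        # A confidential client authenticates with its secret (constant-time compare).
        presented = hashlib.sha256(request.get("client_secret", "").encode()).digest()
        if not hmac.compare_digest(presented, client.secret_hash):
            return {"error": "invalid_client"}
        return {"ok": True, "rotate_refresh_token": False}
    # A public client cannot authenticate, so its refresh tokens are made one-time-use;
    # a server that assumed every client was confidential would skip this step.
    return {"ok": True, "rotate_refresh_token": True}
```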

aaronpk commented 6 months ago

I don't think there is any requirement in the spec that an AS has to support both types of clients. Did you see any language to the contrary?

aaronpk commented 1 day ago

Add an explicit mention in https://www.ietf.org/archive/id/draft-ietf-oauth-v2-1-12.html#section-2.1 that an AS doesn't have to support public clients.