tl;dr: Don't accept access tokens in your redirect URI (don't ... • Aaron Parecki

51°F

Aaron Parecki https://aaronparecki.com/ • Oct 26
This is a good writeup on some sneaky vulnerabilities in OAuth implementations, but ultimately is just a simple access token injection attack: https://salt.security/blog/oh-auth-abusing-oauth-to-take-over-millions-of-accounts

tl;dr: Don't accept access tokens in your redirect URI (don't use the implicit flow)

PKCE solves this attack and is enforced by the server rather than relying on client developers to "verify the access token" as described in the post

Portland, Oregon, USA • 42°F

Thu, Oct 26, 2023 8:51am -07:00 #oauth

4 likes 2 reposts 1 reply
Have you written a response to this? Let me know the URL:
- Aaron Ogle :linux: :manjaro: fosstodon.org/users/geekgonecrazy
  
  @aaronpk is pkce used very often? When I was initially implementing pkce in a few cli tools I didn’t see a lot of people talking about it. Most people I talk to are familiar with oauth but you mention pkce and they don’t know it
  
  Thu, Oct 26, 2023 9:03am -07:00

Posted in /replies using quill.p3k.io