I\'m learning OAuth 2.0 and couldn\'t get the way of securing access token in implicit grant flow. There are some theses in specification and some upvoted SO an
The OAuth Provider sends the Access Token back to the OAuth Consumer with a HTTP Response redirect:
HTTP/1.1 302 Found
Location: https://consumer.org/redirect_uri#access_token=1111-2222-3333-4444
Note how the access token is sent through the network, as part of the HTTP response from the OAuth Provider, which ALSO should be on HTTPS in addition to the consumer.
Your browser will then perform a new HTTP GET request to the consumer endpoint:
GET /redirect_uri HTTP/1.1
Host: consumer.org
Note how the access token is NOT sent to the consumer through the network. The server at consumer.org
will not receive the token in this HTTP request. Instead the web page returned from https://consumer.org/redirect_uri
will contain javascript that is able to and will read the access token from the url fragment.
Consequently, you need to trust the javascript code that you receive from consumer.org (by using HTTPS) because if an attacker can inject code, it can also indirectly obtain the access token (and send it anywhere).
Example of HTTP response from the consumer:
200 OK
Content-Type: text/html
<html><head><script>
alert(window.location.hash)
</script>
</head><body></body></html>