How exactly hash fragment based security works?

太阳男子 2021-02-02 16:49

I'm learning OAuth 2.0 and couldn't get the way of securing access token in implicit grant flow. There are some theses in specification and some upvoted SO an

1 answer
  • 2021-02-02 17:25

    The OAuth Provider sends the Access Token back to the OAuth Consumer with a HTTP Response redirect:

    HTTP/1.1 302 Found
    Location: https://consumer.org/redirect_uri#access_token=1111-2222-3333-4444
    

    Note how the access token is sent through the network, as part of the HTTP response from the OAuth Provider, which ALSO should be on HTTPS in addition to the consumer.

    Your browser will then perform a new HTTP GET request to the consumer endpoint:

    GET /redirect_uri HTTP/1.1
    Host: consumer.org
    

    Note how the access token is NOT sent to the consumer through the network. The server at consumer.org will not receive the token in this HTTP request. Instead the web page returned from https://consumer.org/redirect_uri will contain javascript that is able to and will read the access token from the url fragment.

    Consequently, you need to trust the javascript code that you receive from consumer.org (by using HTTPS) because if an attacker can inject code, it can also indirectly obtain the access token (and send it anywhere).

    Example of HTTP response from the consumer:

    HTTP/1.1 200 OK
    Content-Type: text/html
    
    <html><head><script>
        alert(window.location.hash)
    </script>
    </head><body></body></html>
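The point of the answer above, shown as an added example (not code from the answer or from any OAuth library): the request-target the browser sends after the 302 contains only the path and query, while the fragment stays in the user agent for the consumer's script to read. The `state` check and the `history.replaceState` scrub are defensive additions assumed here, not something the answer describes.

```javascript
// Added example: what reaches consumer.org vs. what stays in the browser.
// Uses only the WHATWG URL API, so it runs in Node as well as a browser.

// Constructed redirect Location, modelled on the answer's 302 (state added).
const REDIRECT =
  'https://consumer.org/redirect_uri#access_token=1111-2222-3333-4444' +
  '&token_type=bearer&expires_in=3600&state=abc123';

// The request-target on the GET line the browser sends after following the
// redirect: path and query only. The fragment is never put on the wire.
function requestTarget(location) {
  const u = new URL(location);
  return u.pathname + u.search;
}

// What the consumer's page script can read from window.location.hash.
function parseFragment(hash) {
  const raw = hash.startsWith('#') ? hash.slice(1) : hash;
  const out = {};
  for (const [k, v] of new URLSearchParams(raw)) out[k] = v;
  return out;
}

// Defensive consumption of the fragment (assumed practice, not from the
// answer): bind the response to the expected state, then drop the fragment
// from the URL so the token does not linger in history or a Referer header.
function consumeToken(location, expectedState, history) {
  const u = new URL(location);
  const frag = parseFragment(u.hash);
  if (!frag.access_token) return null;
  if (expectedState !== undefined && frag.state !== expectedState) {
    throw new Error('state mismatch: response not bound to this session');
  }
  if (history && typeof history.replaceState === 'function') {
    history.replaceState(null, '', u.pathname + u.search);
  }
  return {
    token: frag.access_token,
    type: frag.token_type,
    expiresIn: Number(frag.expires_in),
  };
}

// Stand-in for window.history so the scrub can be observed outside a browser.
const fakeHistory = { replaceState(_state, _title, url) { this.url = url; } };
consumeToken(REDIRECT, 'abc123', fakeHistory); // fakeHistory.url === '/redirect_uri'
```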
    