
My understanding is that the OAuth Authorization Code Flow is used to avoid exposing the access token from the User Agent. But why?

I was reading this article (Common OAuth Vulnerabilities) by Doyensec.

It says that the Authorization Code Flow is supposed to be used when you don't want to share the tokens with the user agent.

The Authorization Code Flow is one of the most widely used OAuth flows in web applications. Unlike the Implicit Flow, which requests the Access Token directly from the Authorization Server, the Authorization Code Flow introduces an intermediary step. In this process, the User Agent first retrieves an Authorization Code, which the application then exchanges, along with the Client Credentials, for an Access Token. This additional step ensures that only the Client Application has access to the Access Token, preventing the User Agent from ever seeing it.

source: https://blog.doyensec.com/2025/01/30/oauth-common-vulnerabilities.html

OK, the (non-compartmentalized) User Agent (web browser) is probably the most likely vector of attack these days. The chances of it being compromised are pretty high. It makes sense to me that you wouldn't want to expose secret things to Chrome or Firefox, if you can avoid it.

But in this case, the user has already entered their account credentials into the User Agent! And the access tokens would only grant the same (or less!) access as the user's main account credentials.

So why bother trying to hide tokens from the User Agent?


1 Answer


The quote isn't really accurate. Implicit Grant has far more fundamental security issues, which is why RFC 9700 explicitly recommends against it, and the draft for OAuth 2.1 removes it entirely.

To first answer your question: The attack scenario isn't a malicious user agent. As you correctly point out, an attacker who has compromised the user agent can already get the (far more valuable) user credentials. Instead, the concern is that the access token may leak through the user agent. For example, in Implicit Grant, the redirection URL points to a client-hosted HTML page with an embedded script that extracts the access token from the fragment part of the URL. This page may have cross-site scripting vulnerabilities which allow an attacker to obtain the token. In the past, Chromium also leaked the fragment through Content Security Policy reports.

But an even bigger problem is that Implicit Grant doesn't involve client authentication and doesn't bind the access token to a particular client. This allows an attacker who has stolen an access token from any client to impersonate the resource owner towards a legitimate client. For example, assume a resource owner has accounts at the OAuth clients client1.example.com and client2.example.com. If an attacker manages to steal an access token for the resource from client1.example.com, they can initiate Implicit Flow at client2.example.com, inject the stolen token and impersonate the resource owner towards the second client. That client may then leak owner-related data beyond the resource itself.

In comparison, Authorization Code Grant binds the code to the client by checking if the redirection URL provided in the access token request matches the redirection URL from the previous authorization request. So an attacker who has managed to steal a code from client1.example.com cannot simply use it for an arbitrary client2.example.com. Additionally, the client is authenticated when it tries to exchange the code for an access token (if it has credentials). So stealing an authorization code isn't enough to gain access to a resource.
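The following is an added illustration of the two points in this answer, not code from the question, the answer or the Doyensec article: a toy authorization server that issues an unbound access token under Implicit Grant and a client-bound code under Authorization Code Grant, whose token endpoint authenticates the client and checks that the redirection URI matches the one from the authorization request. The client registrations (client1/client2, their secrets and redirect URIs), the resource owner "alice" and all helper names are constructed for the example; the model omits everything not needed to show the binding (scopes, expiry, state).

```python
"""Toy model of token binding in Implicit vs Authorization Code Grant (added example)."""
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

# Constructed client registrations: confidential clients with a secret and one registered redirect URI.
CLIENTS = {
    "client1": {"secret": "s3cret-one", "redirect_uri": "https://client1.example.com/cb"},
    "client2": {"secret": "s3cret-two", "redirect_uri": "https://client2.example.com/cb"},
}


class AuthorizationServer:
    def __init__(self):
        self._codes = {}   # authorization code -> the request it was issued for
        self._tokens = {}  # access token -> what the server knows about it

    def authorize(self, client_id, redirect_uri, response_type, owner):
        """Authorization endpoint: returns the URL the user agent is redirected to."""
        client = CLIENTS.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise ValueError("unknown client or unregistered redirect_uri")
        if response_type == "token":
            # Implicit Grant: the token itself travels in the URL fragment, so the user agent
            # (and any script on the redirect page) sees it, and nothing ties it to client_id.
            token = secrets.token_urlsafe(16)
            self._tokens[token] = {"owner": owner}
            return f"{redirect_uri}#access_token={token}&token_type=bearer"
        if response_type == "code":
            # Authorization Code Grant: only a short-lived code reaches the user agent, and the
            # server remembers which client and redirect URI it was issued for.
            code = secrets.token_urlsafe(16)
            self._codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri, "owner": owner}
            return f"{redirect_uri}?code={code}"
        raise ValueError("unsupported response_type")

    def token(self, client_id, client_secret, code, redirect_uri):
        """Token endpoint: authenticate the client, then check the code's binding."""
        client = CLIENTS.get(client_id)
        if client is None or not hmac.compare_digest(client["secret"], client_secret):
            return {"error": "invalid_client"}
        record = self._codes.pop(code, None)  # codes are single use
        if record is None or record["client_id"] != client_id or record["redirect_uri"] != redirect_uri:
            return {"error": "invalid_grant"}
        token = secrets.token_urlsafe(16)
        self._tokens[token] = {"owner": record["owner"], "client_id": client_id}
        return {"access_token": token, "token_type": "bearer"}

    def introspect(self, token):
        """What a resource server would learn about a presented token."""
        return self._tokens.get(token)


def _code_from(redirect_url):
    return parse_qs(urlparse(redirect_url).query)["code"][0]


def legitimate_exchange():
    """client1 redeems its own code with its own secret and redirect URI: succeeds."""
    srv = AuthorizationServer()
    c1 = CLIENTS["client1"]
    code = _code_from(srv.authorize("client1", c1["redirect_uri"], "code", owner="alice"))
    return srv.token("client1", c1["secret"], code, c1["redirect_uri"])


def stolen_code_used_at_other_client():
    """A code issued to client1 is presented in client2's token request: rejected (invalid_grant)."""
    srv = AuthorizationServer()
    c1, c2 = CLIENTS["client1"], CLIENTS["client2"]
    code = _code_from(srv.authorize("client1", c1["redirect_uri"], "code", owner="alice"))
    return srv.token("client2", c2["secret"], code, c2["redirect_uri"])


def stolen_code_without_client_secret():
    """Someone holding only the code, not client1's secret, cannot redeem it (invalid_client)."""
    srv = AuthorizationServer()
    c1 = CLIENTS["client1"]
    code = _code_from(srv.authorize("client1", c1["redirect_uri"], "code", owner="alice"))
    return srv.token("client1", "not-the-secret", code, c1["redirect_uri"])


def implicit_token_is_unbound():
    """Under Implicit Grant the server cannot tell which client a token belongs to."""
    srv = AuthorizationServer()
    c1 = CLIENTS["client1"]
    url = srv.authorize("client1", c1["redirect_uri"], "token", owner="alice")
    token = parse_qs(urlparse(url).fragment)["access_token"][0]
    return srv.introspect(token)  # owner known, but no client_id to check against


if __name__ == "__main__":
    print(legitimate_exchange())
    print(stolen_code_used_at_other_client())
    print(stolen_code_without_client_secret())
    print(implicit_token_is_unbound())
```

The two checks in `token()` are exactly the two protections the answer names: `hmac.compare_digest` on the client secret is the client authentication, and the comparison of `client_id` and `redirect_uri` against the stored record is the binding of the code to the client and to the original authorization request. `implicit_token_is_unbound` shows the missing piece on the Implicit side: the introspection result carries an owner but no client, so a resource server has nothing with which to refuse a token that was obtained at one client and presented at another.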
