
Is implicit grant_type in OAuthV2 policy actually useful?

After reviewing the OAuthV2 policy documentation and the OAuthV2 implicit grant_type sample proxy, I am having trouble understanding what is the use of such policy with that grant_type implicit.

The grant_type implicit as per the RFC establishes that no client_secret is required to generate an access token.

The whole point of the access_token is to be able to track it back to an actual app end user and be able to fetch the app end user identifier from it.

If I have a look at the implicit flow implemented in the sample proxy https://github.com/apigee/api-platform-samples/tree/master/sample-proxies/oauth-login-app, I see that step 3 says

On successful authentication, login application invokes this url and it returns the AccessToken to the App

https://$org-$env.$api_domain/oauth/token?client_id=$consumerkey&response_type=code&app_enduser={use...

That /token endpoint is not protected in any way. I see that in the README they suggest passing as a parameter the app_enduser in the token request. I am assuming it is to perform that linking between the access_token and the actual user (although in the example they are not using any <Attribute> to store the app_endUser).

In my opinion this is insecure, anybody knowing the app end user identifier and the client_id could call the token endpoint and get a bearer token, without the user having authenticated at all in the login page, because the token endpoint is not protected at all.

Imagine the scenario where we would be saving that app_enduser as an attribute linked to the bearer token and then we have some other endpoint where we verify the access token and fetch that app_enduser from the token and pass it over to a target endpoint. Any malicious user could be actually impersonating the actual app end user.

My question is then, which would be a secure way of linking the actual app end user to the access token for an implicit grant_type using the Apigee OAuthv2 policy? In my opinion, as things are we can only link the app end user to the bearer token using a grant_type that requires client_secret.
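To make the concern in the question concrete, here is an added example (not code from the thread, the sample proxy or Apigee) that models a minimal implicit-grant token endpoint in two forms: one that trusts a caller-supplied app_enduser parameter, and one that binds the token only to a user the server itself authenticated through a login session. All names, the client registry and the credential store are constructed for illustration.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed fixtures, not a real client registry or user store.
REGISTERED_CLIENTS = {"client-abc": "https://app.example/callback"}
CREDENTIALS = {"alice": "correct-horse"}


@dataclass
class AuthServer:
    sessions: Dict[str, str] = field(default_factory=dict)  # session_id -> user
    tokens: Dict[str, dict] = field(default_factory=dict)   # token -> binding

    def login(self, username: str, password: str) -> Optional[str]:
        """Login page: verify credentials and open a server-side session."""
        expected = CREDENTIALS.get(username)
        if expected is None or not secrets.compare_digest(expected, password):
            return None
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = username
        return sid

    def token_insecure(self, client_id: str, app_enduser: str) -> Optional[str]:
        """The pattern questioned in the post: app_enduser comes from the caller,
        so a valid client_id plus a known user identifier is enough to mint a
        token without anyone having logged in."""
        if client_id not in REGISTERED_CLIENTS:
            return None
        return self._mint(client_id, app_enduser)

    def token_secure(self, client_id: str, session_id: str) -> Optional[str]:
        """Hardened form: the end user is taken from an authenticated session
        that the login step created, never from a request parameter."""
        if client_id not in REGISTERED_CLIENTS:
            return None
        user = self.sessions.get(session_id)
        if user is None:
            return None  # no authenticated login, no token
        return self._mint(client_id, user)

    def _mint(self, client_id: str, user: str) -> str:
        tok = secrets.token_urlsafe(24)
        self.tokens[tok] = {"client_id": client_id, "app_enduser": user}
        return tok

    def verify(self, token: str) -> Optional[str]:
        """Protected endpoint: resolve the bearer token to its bound end user."""
        return self.tokens.get(token, {}).get("app_enduser")
```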
