OAuth 2.0 is an authorization framework used by websites to let a user log in or sign up with an account they already hold elsewhere, such as a social media or Google account, without handing that account's password to the website.
Let's discuss it in layman's terms:
Suppose you need to log in to example.com but you don't want to type in all the details it asks for, so you decide to use your Google (Gmail) account instead. The details example.com needs are then obtained from Google, and you are logged in to the website.
It is a way of sharing access to specific data between applications. The sharing is an interaction between three parties:
1) Client application: the website that is asking for access to the data.
2) Resource owner: the user whose data the client application wants to access.
3) OAuth service provider: the website that holds the user's data and controls who may access it.
How is the data obtained from the social media website?
Suppose you go to log in on medium.com and click a "Login with Google" button. Medium then sends an authorization request to Google asking for the data it needs. Let's take the flow one step at a time.
There are two ways for the client to be granted access in a browser-based login; these are known as grant types (the specification defines others, such as client credentials and refresh tokens, but these two are the ones you meet when logging in through a website):
A) Authorization Code grant type
B) Implicit grant type
Authorization Code Grant type
In this grant type, the client application and the OAuth service provider use redirects to exchange a series of browser-based HTTP requests that initiate the flow. The user is then asked to consent to the access. If they accept, the client application is given an "authorization code", which it exchanges for an "access token" from the OAuth service provider. The client then presents this access token in its API calls to fetch the relevant user data.
Once the client has the authorization code, the access token request and the API calls happen over a back channel, server to server, that the end user and their browser never see.
Authorization code grant: the provider redirects the browser back to the client's callback URL carrying the code and the state value the client sent in its authorization request (the client must check that state matches what it issued; otherwise an attacker can make a victim's browser complete a login with a code of the attacker's choosing):
GET /callback?code=a1b2c3d4e29g47h8&state=ae13d489bd00e3c24 HTTP/1.1
Access token grant and API call: the client exchanges the code, together with its own client credentials, for an access token on the back channel, then presents the token as a Bearer credential in API requests:
GET /userinfo HTTP/1.1
Authorization: Bearer z0y9x2w9v1u1
Implicit Grant type
In this grant type the process is much the same as the authorization code grant type, with one key difference: instead of first receiving an authorization code and then exchanging it for an access token, the client application receives the access token itself as soon as the user consents, delivered to the browser in the URL fragment of the redirect.
Because the token travels through the browser (the front channel) rather than over a server-to-server channel, it is exposed wherever URLs end up, such as browser history and proxy logs, and whatever the browser later passes to the client alongside the token can be altered by whoever controls that browser, so an attacker can obtain or substitute the data easily.
That is why the implicit grant type is more vulnerable than the authorization code grant type; current OAuth 2.0 security guidance recommends against using it, and it has been dropped from the OAuth 2.1 draft.
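Added example, not code from the article or from any real provider: how the implicit grant delivers the token in the URL fragment, and why the client's back end must not trust identity data that the browser forwards along with that token. The tampering shown (the browser-supplied email field edited while the token stays the same) is one concrete form of the "can be tampered with" problem described above. The token store, endpoint names and accounts are constructed for the example.

```python
"""Implicit grant: the token reaches the browser in the URL fragment, so the
client's server never receives it from the provider directly. Anything the
browser later sends with it is under the user's (or attacker's) control."""
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Constructed stand-in for the provider's token store: access token -> account.
PROVIDER_TOKENS = {"z0y9x2w9v1u1": {"sub": "1001", "email": "carlos@example.com"}}


def parse_implicit_callback(redirect_url: str) -> dict:
    """The browser lands on .../callback#access_token=...; fragments are never
    sent in the HTTP request, so only page JavaScript can read and forward them."""
    return {k: v[0] for k, v in parse_qs(urlparse(redirect_url).fragment).items()}


def provider_userinfo(access_token: str) -> Optional[dict]:
    """Stand-in for a back-channel call to the provider's userinfo endpoint."""
    return PROVIDER_TOKENS.get(access_token)


def vulnerable_login(posted: dict) -> Optional[str]:
    """Client back end that logs in whatever identity the browser claims,
    as long as some token string came with it."""
    if posted.get("access_token") and posted.get("email"):
        return posted["email"]
    return None


def hardened_login(posted: dict) -> Optional[str]:
    """Derive the identity from the token by asking the provider; ignore any
    identity field supplied by the browser. (A real client should also confirm
    the token was issued to its own client_id, so a token minted for another
    application cannot be replayed here.)"""
    ident = provider_userinfo(posted.get("access_token", ""))
    return ident["email"] if ident else None


def demo() -> dict:
    # Constructed redirect as the browser would receive it from the provider.
    redirect = ("https://client.example/callback"
                "#access_token=z0y9x2w9v1u1&token_type=Bearer&state=ae13d489bd00e3c24")
    token = parse_implicit_callback(redirect)["access_token"]
    legit = {"access_token": token, "email": "carlos@example.com"}
    # Same valid token, but the attacker edits the identity field before posting it.
    tampered = {"access_token": token, "email": "administrator@example.com"}
    return {"vulnerable": vulnerable_login(tampered),
            "hardened": hardened_login(tampered),
            "hardened_legit": hardened_login(legit)}
```

The vulnerable back end accepts the tampered post and creates a session for administrator@example.com; the hardened one resolves the token with the provider and only ever logs in the account the token was issued to.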
Let's solve a practice lab on an OAuth vulnerability:
We are going to solve Photo print, a deliberately vulnerable practice lab for OAuth 2.0.
In the Burp Suite intercept window you can see the OAuth authorization request. It contains response_type=code, which tells us the grant type is the authorization code grant.
Here you can see code=80352, the authorization code returned after the user granted access to the content. In the authorization code grant this code is exchanged for the access token.
The client application then makes the token request over the back channel, calls the API with the resulting access token, and gets the content it requested from the resource owner.
Now suppose I want to log in again and I reuse that same code. Will we be logged in or not? We should not be: an authorization code is meant to be single-use, and the provider must reject a code that is presented a second time (and should revoke any tokens already issued on it). But this application grants us access again with the same code. This is a vulnerability in the application's OAuth implementation, authorization code reuse (the article calls it reusing the access tokens). It matters because a code that leaks, from a server log, a Referer header or browser history, can be redeemed by whoever finds it even after the legitimate user has already logged in with it.
That is the whole idea behind OAuth 2.0 login and the vulnerabilities that arise when the framework is implemented improperly.
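As an added example (not code from the article, the lab, or any real provider), here is the authorization code flow described in the grant type section above, simulated end to end in Python with the client and the provider as plain objects, followed by the token endpoint in two variants: one that accepts an authorization code repeatedly, as the lab does, and one that enforces single use and revokes already-issued tokens on reuse as RFC 6749 section 4.1.2 requires. The client registration (photoprint, client.example, provider.example), the secret and the user carlos are all constructed.

```python
"""Authorization code flow simulated in one process, then the token endpoint in
two variants: codes accepted repeatedly (the lab's behaviour) and codes enforced
single-use. Every name, secret and user below is constructed for the example."""
import secrets
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode, urlparse

CLIENT_ID = "photoprint"                               # constructed registration
CLIENT_SECRET = "client-secret-held-only-server-side"  # constructed
REDIRECT_URI = "https://client.example/callback"       # constructed
AUTHORIZE_ENDPOINT = "https://provider.example/auth"   # constructed


def query_dict(url: str) -> dict:
    """Flatten a URL's query string into a plain dict."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class Provider:
    """OAuth service provider: logs the user in, issues codes and tokens."""
    def __init__(self, single_use_codes: bool):
        self.single_use_codes = single_use_codes
        self.codes: Dict[str, dict] = {}   # authorization code -> issuance record
        self.tokens: Dict[str, str] = {}   # access token -> username
        self.users = {"carlos": {"email": "carlos@example.com"}}  # constructed

    def authorize(self, query: dict, logged_in_user: str) -> str:
        """Front channel: after login and consent, redirect the browser back to
        the client's registered callback with a code and the client's state."""
        if (query.get("response_type"), query.get("client_id")) != ("code", CLIENT_ID):
            raise ValueError("unsupported authorization request")
        if query.get("redirect_uri") != REDIRECT_URI:
            raise ValueError("redirect_uri does not match the registered one")
        code = secrets.token_hex(8)
        self.codes[code] = {"user": logged_in_user, "used": False, "issued": []}
        return REDIRECT_URI + "?" + urlencode({"code": code, "state": query["state"]})

    def token(self, form: dict) -> Optional[dict]:
        """Back channel: exchange code plus client credentials for an access token."""
        rec = self.codes.get(form.get("code", ""))
        creds_ok = (form.get("client_id"), form.get("client_secret")) == (CLIENT_ID, CLIENT_SECRET)
        if rec is None or not creds_ok or form.get("redirect_uri") != REDIRECT_URI:
            return None
        if rec["used"] and self.single_use_codes:
            # RFC 6749 4.1.2: a code presented twice is denied and the tokens
            # already issued on it are revoked, since someone else may hold it.
            for old in rec["issued"]:
                self.tokens.pop(old, None)
            return None
        rec["used"] = True
        access_token = secrets.token_hex(8)
        rec["issued"].append(access_token)
        self.tokens[access_token] = rec["user"]
        return {"access_token": access_token, "token_type": "Bearer"}

    def userinfo(self, authorization: str) -> Optional[dict]:
        """API call: resolve 'Bearer <token>' to the resource owner's profile."""
        scheme, _, access_token = authorization.partition(" ")
        if scheme != "Bearer" or access_token not in self.tokens:
            return None
        return self.users[self.tokens[access_token]]


class Client:
    """Client application (the website asking for access to the user's data)."""
    def __init__(self, provider: Provider):
        self.provider = provider
        self.pending_states = set()  # in practice bound to the browser session

    def start_login(self) -> str:
        state = secrets.token_hex(8)
        self.pending_states.add(state)
        return AUTHORIZE_ENDPOINT + "?" + urlencode({
            "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
            "response_type": "code", "scope": "openid profile", "state": state})

    def callback(self, redirect_url: str) -> Optional[dict]:
        q = query_dict(redirect_url)
        if q.get("state") not in self.pending_states:
            return None  # unsolicited or cross-site callback: refuse to redeem
        self.pending_states.discard(q["state"])
        tok = self.provider.token({"grant_type": "authorization_code", "code": q.get("code"),
                                   "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET,
                                   "redirect_uri": REDIRECT_URI})
        if tok is None:
            return None
        return {"access_token": tok["access_token"],
                "user": self.provider.userinfo("Bearer " + tok["access_token"])}


def login_then_replay_code(single_use_codes: bool) -> dict:
    """One login, then the same code presented to the token endpoint again,
    which is what revisiting /callback?code=... triggers in the lab."""
    provider = Provider(single_use_codes)
    client = Client(provider)
    redirect = provider.authorize(query_dict(client.start_login()), "carlos")
    session = client.callback(redirect)
    replay = provider.token({"grant_type": "authorization_code",
                             "code": query_dict(redirect)["code"], "client_id": CLIENT_ID,
                             "client_secret": CLIENT_SECRET, "redirect_uri": REDIRECT_URI})
    return {"first_login": session["user"]["email"] if session else None,
            "replay_succeeded": replay is not None,
            "first_token_still_valid": bool(session) and
            provider.userinfo("Bearer " + session["access_token"]) is not None}
```

With single_use_codes=False the replay is accepted and a second token is minted for carlos, which is exactly what the lab shows; with single_use_codes=True the replay is refused and the token from the first login stops working, so a code that leaked after a legitimate login is useless and the legitimate session is cut as a precaution.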
Keep learning and growing.