
Investigate whether user agent token is checked in authorization code flow #540

Closed
louischan-oursky opened this issue Oct 20, 2020 · 2 comments

Comments

@louischan-oursky
Collaborator

louischan-oursky commented Oct 20, 2020

  1. Attacker generates a code challenge
  2. Attacker installs a malicious app on the user's device, registering a deep link URL identical to an existing client's
  3. User navigates to the authorize endpoint with the code challenge generated by the Attacker
  4. Attacker's app receives the authorization code
  5. Attacker can exchange the authorization code using the code verifier

According to the OAuth threat model, the security of the user's device is not in our scope.
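The five steps above replayed against a toy PKCE (S256) authorization server, as an added example that is not part of the issue or of Authgear's code. It contrasts the case PKCE is designed for (attacker intercepts a code whose challenge the legitimate app generated) with the case described here (attacker generated the challenge, so the attacker also holds the verifier). All names (`AuthServer`, `CLIENT_ID`, `REDIRECT`) are invented for the example.

```python
"""Toy PKCE authorization-code flow used to illustrate the interception
scenario. This is example code written for this page, not Authgear's
implementation; every identifier here is an assumption."""
import base64
import hashlib
import secrets
from dataclasses import dataclass, field

CLIENT_ID = "mobile-app"                       # assumed public client
REDIRECT = "com.example.app://oauth/callback"  # assumed custom-scheme deep link


def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def make_pkce_pair() -> tuple[str, str]:
    """Return (code_verifier, code_challenge); the verifier stays with its creator."""
    verifier = b64url(secrets.token_bytes(32))  # 43 chars, within the 43..128 range
    return verifier, s256(verifier)


@dataclass
class AuthServer:
    """Minimal server: binds each issued code to client, redirect URI and challenge."""
    codes: dict = field(default_factory=dict)

    def authorize(self, client_id: str, redirect_uri: str, challenge: str) -> str:
        # The browser brings whatever code_challenge was placed in the URL;
        # the server cannot tell who generated it.
        code = b64url(secrets.token_bytes(16))
        self.codes[code] = (client_id, redirect_uri, challenge)
        return code

    def token(self, code: str, client_id: str, redirect_uri: str, verifier: str) -> bool:
        entry = self.codes.pop(code, None)  # codes are single use
        if entry is None:
            return False
        bound_client, bound_redirect, bound_challenge = entry
        return (
            bound_client == client_id
            and bound_redirect == redirect_uri
            and secrets.compare_digest(s256(verifier), bound_challenge)
        )


def intercepted_code_legit_challenge(server: AuthServer) -> bool:
    """Classic code interception: the legitimate app made the PKCE pair.
    The attacker's app receives the code via the cloned deep link but
    has no verifier, so the exchange must fail."""
    _legit_verifier, challenge = make_pkce_pair()
    code = server.authorize(CLIENT_ID, REDIRECT, challenge)
    attacker_guess = b64url(secrets.token_bytes(32))
    return server.token(code, CLIENT_ID, REDIRECT, attacker_guess)


def attacker_supplied_challenge(server: AuthServer) -> bool:
    """The issue's scenario: step 1 the attacker makes the pair, step 3 the
    user is sent to /authorize carrying the attacker's challenge, step 4 the
    cloned deep link delivers the code, step 5 the attacker redeems it."""
    attacker_verifier, attacker_challenge = make_pkce_pair()
    code = server.authorize(CLIENT_ID, REDIRECT, attacker_challenge)
    return server.token(code, CLIENT_ID, REDIRECT, attacker_verifier)


if __name__ == "__main__":
    print("intercepted code, legit challenge ->", intercepted_code_legit_challenge(AuthServer()))
    print("attacker-supplied challenge       ->", attacker_supplied_challenge(AuthServer()))
```

The point the second scenario makes is that PKCE only proves the token requester is the same party that started the authorization request; when the attacker starts it (by getting the user to open a URL with the attacker's challenge) and also owns the app that claims the redirect URI, that proof is satisfied. Binding the code to the redirect URI does not help either, because the attacker's app registered the same one.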

@keithtkl keithtkl added this to Ready in Oct 2020 Milestone Oct 27, 2020
@keithtkl keithtkl moved this from Ready to Todo in Oct 2020 Milestone Oct 27, 2020
@louischan-oursky
Collaborator Author

We can suggest in the documentation and in the portal that the developer use universal links on iOS and app links on Android. The developer must provide a verified domain to enable them. On the other hand, a custom URI scheme requires no verification at all, so it has a higher risk of being intercepted by a malicious application installed on the user's device.

@louischan-oursky
Collaborator Author

authgear/docs#18

Nov 2020 Milestone automation moved this from To do to Done Nov 25, 2020