What Do You HATE about OAuth?

From IIW
Jump to: navigation, search

What do you HATE about OAuth?

Wednesday 2F

Convener: Jusstin R.

Notes-taker(s): Scott Fehrman

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

implicit grant

  • originally optimization for SPA / javascript apps
  • more of a cross domain session cookie
  • tokens over insecure channel
  • response injection

grant choice

  • how to pick the correct grant type / flow

resource owner grant

  • security concerns
  • native apps that were not capable to open browser to access auth server


  • down scoping

separation of designation and authorization of resource

  • can send wrong token to wrong
  • confused deputy situation

fuzzy audience restriction

  • does not define an audience restriction
  • bearer tokens can go anywhere

no resource inhibitors 

devices  and native apps

nonce and state

  • state was intended for use by a systems that supported states, a state handle
  • ​code challenge
  • bad names

signed response

  • ​Facebook added this
  • avoid OAuth 1.0 problem on complex crypto

only TLS

no universal grant audit

  • ​common format across flows
  • grant management API (AS)

optionality of scopes

scopes are strings

  • difficult to parse, unstructured, space encoded

auth end point as GET

revocation doesn’t chain

expires_in …

  • ​useless in the real world
  • people use the refresh token

put too much on front channel

redirect URI matching

multiple Authorization Servers

  • A discovery problem
  • random AS attacks
  • Bound discovery

no client notification 

  • ​token state changed

dynamic client registration and authorization requests are separate 

client instance memory

  • ​redirect token fails, refresh expires

Proof of possession

​*not used