Is OAuth 1 a problem or not?



  • Ok, using OAuth 1 in this day and age is kinda :wtf:, and not wanting to even add OAuth 2, which is much better supported everywhere, is a :wtf: as well, but hysterical raisins and shortage of manpower keep it in place for the time being.

    Now we are replacing some shitty old PHP front-end with a new one written in Angular. And since that runs client-side, it has to contain the client secret, which is needed to calculate the authenticating signatures, so the attacker can easily get it (because the application obviously has to be downloadable without logging in).

    Now does anybody know whether this only degrades the security to the same level as the plain bearer token of OAuth 2 (the connection is TLS to keep the authorization token secret) or further?



  • See https://www.synopsys.com/blogs/software-security/oauth-2-0-vs-oauth-1-0/
    The client secret is needed anyway, but I don't think anybody considers the client secret a key that needs real protection. As far as I know the client id also defines which url the user is redirected to, so there isn't much an attacker can do with that client id/secret anyway (in the web flow that is, the mobile/desktop flow could be another matter).



  • @robo2 Thanks. Well, I read about the difference, but none of the comparisons I found went into much detail about the client secret in public clients and the comparison of that specifically to bearer tokens. It does seem to me that revealing the client secret just negates the signatures in the requests, which just makes it equivalent to OAuth 2 just sending the token as is, which is considered good enough by most as long as it is TLS. I just want to be sure there is no other use where it would be a bigger problem.

