how to secure /oauth2/userAuthorize

Dear community,

following the oauth2 example of Apigee

http://docs.apigee.com/api-services/content/oauth-v2-policy-authorization-code-grant-type

I want to ask: how to secure the /oauth2/userAuthorize endpoint?

For this resource in the /oauth2 proxy, the apikey in the form of a client_id needs to be sent in order to receive an access_code. But the apikey is not hidden from the user, as it is shown/used by the webserver. So as far as I can see, any user can mitigate the login steps and retrieve an auth-code as step 1?

thanks!


Hello @GuyH,

The Client_Id that is passed through the webserver is associated with the developer app in edge portal. Until the app is added to the api proxy product in Apigee, the access to the api proxy and the resource is not allowed for the client app. In this way, you can control app accessing the api proxy containing the intelligence to generate the auth code.

Does it make sense?

Hi @GuyH - Let me comment sentence by sentence on your last paragraph.

"the apikey needs to be sent in order to receive access_code"

apikey needs to be sent in order for IdP to identify the client (note that this is not the same thing as authenticate) and display the login page. The end result - after authentication - is an authorization code not an access code as an authorization code doesn't provide "access" to anything. It just signifies the fact a user has provided correct proof of identity using this particular client identified by the client id.

"any user can mitigate the login steps and retrieve a auth-code as step 1"

yes, any user can open the login page if that is what you mean. They can get an authorization code by providing their credentials if they wish but that authorization code will be tied to their account and it is, as I mentioned before, useless.

In order to get a token that is actually useful, you need an access token. And in order to get that, you need an authorization code, full client credentials with the secret and many others.

Now your next logical question should be about how to prevent someone tricking you into using their authorization code. The answer is too long to be put here, but have a search on the use of the "state" parameter in OAuth. This parameter is optional in the authorization code grant, but in my view it should be mandatory. I am planning to write a community article on this very shortly. I will update this with a link when I do.

Hi @Ozan Seymen, @Alex Koo - It looks like in the Apigee oauth-advanced sample there is no check for a successful user login before generating an auth code. Any third party application developer who has a valid client id can generate an auth code without user login/consent.

POST /oauth2/userAuthorize HTTP/1.1
Host: myorg-test.apigee.net
Content-Type: application/json

{
  "client_id": "my_client_id",
  "state": "123",
  "redirect_uri": "https://myorg-test.apigee.net/web/callback",
  "scope": "read",
  "response_type": "code",
  "username": "any_user"
}

The above request will redirect to the redirect_uri with the auth code and then I can generate an access token from it.

Hi @Bibin Kurian, a few important notes:

1) Getting an access token from having an auth code requires client id and client secret. If you're a nefarious hacker, you still need to get the client secret (which should not be an easy task).

2) redirect_uri cannot be any redirect_uri that you wish. Edge checks that the redirect_uri matches the one registered in Edge for that client_id.

3) Scopes, states, and any user-specific information may be incorrect if you're making the auth code request up, and thus the access token may be unusable for future steps.

4) Furthermore, as one who implements the above flow, you may wish to isolate who can call the authorization code generation endpoint. You can do this through IP whitelisting, network isolation, or other means.
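The checks discussed in this thread, modelled as a small authorization server and client in Python. This is an added example, not Apigee's code or the oauth-advanced sample; the class, the constructed client registration and the session dict are hypothetical. It shows the login/consent check that the sample is said to lack, the registered redirect_uri match (point 2), the client secret needed at the token step (point 1), single-use codes, and the client-side "state" check that keeps a foreign authorization code from being accepted.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed sample registration (stands in for the app registered in the developer portal)
REGISTERED_CLIENTS = {
    "my_client_id": {"secret": "constructed-secret",
                     "redirect_uri": "https://myorg-test.apigee.net/web/callback"},
}

class AuthServer:
    """Hypothetical authorization server holding the checks the thread describes."""
    def __init__(self):
        self.codes = {}  # code -> (client_id, user, redirect_uri)

    def authorize(self, client_id, redirect_uri, state, session):
        """Issue an authorization code only to a logged-in user who consented for this client."""
        client = REGISTERED_CLIENTS.get(client_id)
        if client is None:
            raise PermissionError("unknown client_id")
        if redirect_uri != client["redirect_uri"]:  # point 2: must match the registration
            raise PermissionError("redirect_uri mismatch")
        # The gap in the sample: a client_id alone must not be enough to get a code
        if not session.get("user") or client_id not in session.get("consented", ()):
            raise PermissionError("login and consent required before a code is issued")
        code = secrets.token_urlsafe(24)
        self.codes[code] = (client_id, session["user"], redirect_uri)
        # state is echoed back untouched so the client can bind the callback to its request
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, client_id, client_secret, code, redirect_uri):
        """Code-for-token exchange: needs the client secret (point 1); the code is single use."""
        client = REGISTERED_CLIENTS.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            raise PermissionError("client authentication failed")
        issued = self.codes.pop(code, None)
        if issued is None or issued[0] != client_id or issued[2] != redirect_uri:
            raise PermissionError("invalid, reused or foreign authorization code")
        return {"access_token": secrets.token_urlsafe(24), "user": issued[1]}

def parse_callback(url):
    """Split the redirect URL the user-agent receives into its query parameters."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

def client_callback(expected_state, query):
    """Client side: accept only a callback carrying the state this client generated."""
    if not secrets.compare_digest(expected_state, query.get("state", "")):
        raise PermissionError("state mismatch: code may belong to someone else's session")
    return query["code"]
```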

Hi @Alex Koo, Thanks for the reply!! But the problem here is a user login/consent is not required to read/write that user data.

Hi @Bibin Kurian,

Could you further explain who is trying to read/write that user data in your situation? If the who is an external nefarious hacker, my 4 points above will all provide problems.

Hi @Alex Koo, The one who is trying to read/write user data is an untrusted application developer who obtained application credentials by registering the application in the developer portal. Isn’t the user login/consent required in this situation to read/write his data? Please let me know if you need any clarification.

Hi @Bibin Kurian,

As the application owner who holds the data, you already have access to read/write whatever data you want. The user has already trusted you with this information. There is a lot of trust required (or EULAs or certifications like HIPAA) from the end-user when submitting information that you may be able to access as the app owner. If you ignore the authorization code endpoint for a moment, what stops you as the app owner from looking at the database where the end-user's data was entered?

As the application owner who doesn't own the data and is getting it from another source (e.g., access to Google contacts or Facebook friends), you're using Google/Facebook's authN/authZ system where they will validate permissions on their token (not Edge's!). In this case, they hold the data.

If there's still confusion, please provide a use case with the specific data the untrusted application developer would be accessing on the end-user's behalf.

Hi @Alex Koo,

I own the data but I am not the application owner. An example use case is I exposed a few APIs to read patients' data like test results, medications, appointments etc. These APIs are protected using OAuth 2.0.

An untrusted application developer wants to develop an application which displays the patient data like test results, medications, appointments using the above APIs. In this case, the app developer can register his application in the hospital's API developer portal and obtain the client id and secret. What I want to make sure is that before generating an auth code the patient has granted consent for the app to fetch the data on his behalf.

Hi @Bibin Kurian,

As an untrusted application developer, I would not know the auth code endpoint that the login app uses. Only the login app would need to know that (which would be set up beforehand). The login app could also have specialized access that is locked down by IP whitelisting, private network, or some other tighter security means.

The only output from the login app is a 302 redirect to the user-agent (which at that point includes the auth code).

Hi @Alex Koo,

Thanks!! So for the Apigee oauth-advanced sample, the auth url is https://myorg-test.apigee.net/loginapp/login and the token url is https://myorg-test.apigee.net/oauth2/token, like for Microsoft, where the auth url is https://login.microsoftonline.com/common/oauth2/authorize and the token url is https://login.microsoftonline.com/common/oauth2/token? Is that correct?

Hi @Bibin Kurian,

I don't know MS's OAuth 2.0 auth code process all that well, but from the brief research I did, yes, you look to be correct.

Hi @Bibin Kurian,

For future questions, please consider creating a totally separate question rather than asking in the comments. That will make it easier for others to find this information.

Thanks!

@Alex Koo

Sure. Thanks for the help!!