This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Log in to ask a question

Oauth 2.0 password grant type is penetrated

Posted on 07-19-2020 01:48 AM
Not applicable
Reply posted on --/--/---- --:-- AM

We are facing an issue with OAuth 2.0 password grant type. We are using one way TLS for communication. The user name and password are sent in the body of urlencoded type. Still, our penetration team is able to get the credentials. what should be the best practice to avoid this?

0 5 180
Topic Labels
0 Likes
5 REPLIES 5

Posted on --/--/---- --:-- AM
dchiesa1
Staff
Reply posted on --/--/---- --:-- AM

our penetration team is able to get the credentials.

You'll have to be more specific about the problem.

0 Likes

Posted on --/--/---- --:-- AM
Not applicable
In response to dchiesa1
Reply posted on --/--/---- --:-- AM

the team is able to get the username and password we are sending in the body as urlencoded one.

0 Likes

Posted on --/--/---- --:-- AM
dchiesa1
Staff
In response to
Reply posted on --/--/---- --:-- AM

I understand. Exactly how is the team obtaining the password. Can you explain in more detail?

0 Likes

Posted on --/--/---- --:-- AM
pradeepshanmugh
Bronze 4
Bronze 4
Reply posted on --/--/---- --:-- AM

Please note / consider the below best practice guidance
https://tools.ietf.org/html/draft-ietf-oauth-security-topics-13#section-3.4

The OAuth2 working group recommends strongly against the use of this flow entirely

0 Likes

Posted on --/--/---- --:-- AM
Not applicable
In response to pradeepshanmugh
Reply posted on --/--/---- --:-- AM

Yes, the link clearly states not to use. Thanks..

Hope this will support us to change our API security standards.

0 Likes