1
votes

I have been reading about the different OAuth flows and have some confusion about the Authorization Code flow. It is said that the Authorization Code flow is more secure because even if the authorization code is hijacked in transit, it is useless to the hacker because the hacker would need the client id and client secret to acquire the access token - but what if, when the client requests the access token after receiving the authorization code, the hacker intercepts that transmission and gets the access token? I don't know, but it looks like the authorization code is only adding an extra layer of security, not actually completely securing the access tokens. Am I right? Please correct me.


2 Answers

0
votes

The typical use case for the Authorization Code flow is that the token request (i.e. the one that exchanges the authorization code for an access token) is done over a TLS-protected back channel, which means that the attacker cannot get to it - unless he's able to break SSL, in which case there are much bigger problems.

But for the front-channel use case, i.e. an in-browser JavaScript application or Single Page Application, you are right: a hacker could intercept the token request almost as easily as the redirect. That is also why that use case cannot use a confidential client, since the secret would be too easily exposed.

0
votes

The Authorization Code flow makes sense when you have a frontend client which also has access to a backend that can securely talk to the auth server.

The flow would be as follows:

  • The frontend client redirects the user to the auth server URL.
  • The auth server (after login) redirects the user back to the frontend client's redirectUri.
  • The frontend client extracts the code from this URL and passes it on to the backend.
  • The backend then exchanges this code for an access token by directly interacting with the auth server.

The backend to auth server communication is what the hacker can't intercept (easily).
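The following is an added example, not code from either answer, that models the flow both answers describe: the front channel hands out a short-lived, single-use code bound to a client_id and redirect_uri, and only the back channel, which holds the client secret, can redeem it. The `AuthServer`, `run_flow` and `extract_code` names and the in-memory client registry are assumptions constructed for the demonstration; the check runs three attempts against the same stand-in server: the backend's legitimate exchange, an attacker who captured the code from the redirect but has no client secret, and a replay of the already-used code even with the correct secret.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlparse


@dataclass
class AuthServer:
    """Constructed, in-memory stand-in for an OAuth authorization server (hypothetical)."""

    # client_id -> {"secret": ..., "redirect_uri": ...}; a confidential client has a secret
    clients: dict
    codes: dict = field(default_factory=dict)
    tokens: dict = field(default_factory=dict)

    def authorize(self, client_id: str, redirect_uri: str, user: str) -> str:
        """Front-channel step: after login, issue a one-time code and redirect the browser."""
        client = self.clients.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise PermissionError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(32)
        # The code is bound to the client and redirect_uri and expires quickly
        self.codes[code] = {
            "client_id": client_id,
            "redirect_uri": redirect_uri,
            "user": user,
            "expires": time.time() + 60,
            "used": False,
        }
        return f"{redirect_uri}?code={code}"

    def token(self, client_id: str, client_secret: str, code: str, redirect_uri: str) -> str:
        """Back-channel step: only a caller that proves possession of the secret can redeem a code."""
        client = self.clients.get(client_id)
        # Constant-time comparison so the secret check does not leak timing information
        if client is None or not hmac.compare_digest(client["secret"], client_secret):
            raise PermissionError("invalid_client")
        rec = self.codes.get(code)
        if rec is None or rec["used"] or rec["expires"] < time.time():
            raise PermissionError("invalid_grant")
        if rec["client_id"] != client_id or rec["redirect_uri"] != redirect_uri:
            raise PermissionError("invalid_grant")
        rec["used"] = True  # single use: a replayed code is rejected
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = rec["user"]
        return access_token


def extract_code(redirect_url: str) -> str:
    """What the frontend does with the URL it was redirected back to."""
    return parse_qs(urlparse(redirect_url).query)["code"][0]


def run_flow() -> dict:
    """Run the legitimate exchange plus two attacker attempts; return what each produced."""
    client_id, client_secret = "web-app", secrets.token_urlsafe(24)
    redirect_uri = "https://app.example/callback"  # constructed sample value
    server = AuthServer(clients={client_id: {"secret": client_secret, "redirect_uri": redirect_uri}})

    # 1. Front channel: browser is redirected back with the code; assume an attacker saw this URL
    redirect_url = server.authorize(client_id, redirect_uri, user="alice")
    code = extract_code(redirect_url)
    results = {}

    # 2. Attacker holds the code but not the secret, so the token request is refused
    try:
        server.token(client_id, "guessed-secret", code, redirect_uri)
        results["attacker_without_secret"] = "token issued"
    except PermissionError as e:
        results["attacker_without_secret"] = str(e)

    # 3. Backend (confidential client) exchanges the code over the back channel
    access_token = server.token(client_id, client_secret, code, redirect_uri)
    results["legit_token_user"] = server.tokens[access_token]

    # 4. Even with the secret, the same code cannot be redeemed twice
    try:
        server.token(client_id, client_secret, code, redirect_uri)
        results["replay_with_secret"] = "token issued"
    except PermissionError as e:
        results["replay_with_secret"] = str(e)

    return results


if __name__ == "__main__":
    print(run_flow())
```

The model reflects the question's worry directly: the code by itself never becomes an access token, and the only request that does produce one travels backend-to-auth-server under TLS, where the browser-side attacker is not present. The example omits the `state` parameter and PKCE, which a real deployment also uses; those go beyond what the answers discuss.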