Information Security Stack Exchange is a question and answer site for Information security professionals. It's 100% free, no registration required.

JavaScript-based OAuth exposes the client ID of the application and trusts only the domain requesting the access token. The domain name can be forged with a DNS hijack (or a virus modifying /etc/hosts). Then why is JavaScript-based OAuth supported by Google and Facebook for clients not using HTTPS? Or am I missing something?


1 Answer

OAuth 2.0 pretty much requires HTTPS, as it doesn't have any means to make tokens secure. So, if Google and Facebook actually allow you to use OAuth2 over plain HTTP, that is bad. Are you sure that is the case? I thought both of them had been HTTPS-only for quite some time.

On the other hand, OAuth1 works fine over plain HTTP, as it has its own layer of secure digital signatures.

If I have a domain x.com which uses OAuth, x.com can use HTTP even though communication with Google is HTTPS. This means somebody can impersonate x.com and get privileges that are supposed to be given to x.com. Shouldn't the sites (x.com) also be forced to use HTTPS? – kalyan Apr 20 at 6:50
    
Ah… no. That's not a problem, as OAuth has a step for server-side validation. See blog.cloudfoundry.org/2012/10/09/… for a diagram. – JimiDini Apr 20 at 11:45
    
But in a JavaScript SDK there is no server side. It's all client-side. – kalyan Apr 21 at 8:56
    
OK. I hope I finally understand your issue. You're afraid that forging the domain will leak data stored in the user's browser. Well, Google just can't realistically do anything about it and can't even reliably detect this situation. It is similar to dedicated app authentication, and attachment to a hostname is strictly your local twist. A local application without server-side confirmation can issue any type of request, putting any hostname in headers/parameters. As long as Google can't verify them, they can't help you. – JimiDini Apr 21 at 11:29
    
Yeah, so in that case shouldn't it be the responsibility of Google to push HTTPS for client-side apps? Or completely remove JavaScript support? – kalyan Apr 21 at 12:21
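As an added example (not code from the question, the answer, or any Google or Facebook SDK), the following Node.js sketch of an authorization server's checks puts the two points of the thread side by side. In the implicit flow used by a JavaScript-only client, the access token is handed to whatever host the browser resolves the registered callback to, so the server's only lever is exact redirect-URI matching and refusing plain-http callbacks. In the authorization-code flow, the host only receives a one-time code, and the "server-side validation" JimiDini refers to is the token exchange, where the client must present a secret that a DNS-level impersonator never had. The client IDs, URLs, codes and secret are made up for the example.

```javascript
'use strict';

// Constructed client registry, standing in for what Google or Facebook know
// about a registered application. The client IDs, URLs and secret are made up.
const CLIENTS = {
  // Browser-only app (the "JavaScript SDK" case): no server to hold a secret.
  'x-public-js':   { type: 'public', redirectUris: ['https://x.com/oauth/callback'] },
  // Same kind of app, but registered with a plain-http callback.
  'y-public-js':   { type: 'public', redirectUris: ['http://y.com/oauth/callback'] },
  // Web app with a backend that can keep a secret and perform the second step.
  'x-server-side': { type: 'confidential', secret: 's3cr3t-kept-on-the-server',
                     redirectUris: ['https://x.com/oauth/callback'] },
};

// RFC 6749 section 3.1.2.3: compare the requested redirect URI with the
// registered one exactly. Prefix or substring matching is a classic way to
// turn a registered callback into an open redirect that leaks the fragment.
function redirectUriAllowed(client, requested) {
  return client.redirectUris.includes(requested);
}

// Implicit flow: the token rides in the URL fragment of the redirect, so
// whoever the user's browser resolves the callback host to receives it.
// On http:// that is whoever controls DNS or the hosts file; on https:// an
// impersonator also has to defeat the browser's certificate check. Refusing
// http callbacks is the only thing the authorization server can do here.
function authorizeImplicit(clientId, redirectUri, token) {
  const client = CLIENTS[clientId];
  if (!client) return { ok: false, error: 'unauthorized_client' };
  if (!redirectUriAllowed(client, redirectUri)) return { ok: false, error: 'redirect_uri_mismatch' };
  if (new URL(redirectUri).protocol !== 'https:') return { ok: false, error: 'insecure_redirect_uri' };
  const fragment = `access_token=${encodeURIComponent(token)}&token_type=bearer`;
  return { ok: true, location: `${redirectUri}#${fragment}` };
}

// Authorization-code flow: only a one-time code goes back through the browser.
const ISSUED_CODES = new Map(); // code -> clientId it was issued to

function authorizeCode(clientId, redirectUri, code) {
  const client = CLIENTS[clientId];
  if (!client) return { ok: false, error: 'unauthorized_client' };
  if (!redirectUriAllowed(client, redirectUri)) return { ok: false, error: 'redirect_uri_mismatch' };
  ISSUED_CODES.set(code, clientId);
  return { ok: true, location: `${redirectUri}?code=${encodeURIComponent(code)}` };
}

// Token endpoint, reached server-to-server. The client proves it is x.com
// with a secret that someone who merely hijacked the DNS name never had, so a
// code that lands on the wrong host is useless to them.
function exchangeCode(clientId, clientSecret, code) {
  const client = CLIENTS[clientId];
  if (!client || client.type !== 'confidential' || client.secret !== clientSecret) {
    return { ok: false, error: 'invalid_client' };
  }
  if (ISSUED_CODES.get(code) !== clientId) return { ok: false, error: 'invalid_grant' };
  ISSUED_CODES.delete(code); // codes are single use
  return { ok: true, access_token: `token-for-${clientId}` };
}

// Walk through the scenarios raised in the question and the comments.
function runScenarios() {
  return {
    httpsImplicit:  authorizeImplicit('x-public-js', 'https://x.com/oauth/callback', 'tok'),
    httpImplicit:   authorizeImplicit('y-public-js', 'http://y.com/oauth/callback', 'tok'),
    wrongHost:      authorizeImplicit('x-public-js', 'https://x.com.attacker.example/oauth/callback', 'tok'),
    codeIssued:     authorizeCode('x-server-side', 'https://x.com/oauth/callback', 'demo-code'),
    codeNoSecret:   exchangeCode('x-server-side', 'guess', 'demo-code'),
    codeWithSecret: exchangeCode('x-server-side', 's3cr3t-kept-on-the-server', 'demo-code'),
    codeReplayed:   exchangeCode('x-server-side', 's3cr3t-kept-on-the-server', 'demo-code'),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, result] of Object.entries(runScenarios())) console.log(name, result);
}
```

Run it with `node` and compare `httpsImplicit` with `httpImplicit`: the only difference the server can see is the scheme of the registered callback, which is exactly the thread's point that everything downstream of the redirect rests on TLS. Note that the code flow's protection comes from the secret, so it is unavailable to a purely client-side app; that is why a JavaScript-only client has no substitute for HTTPS on its own origin.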
