
We have a web app where the back end is composed of APIs. We use OAuth to authorize the web app's calls to the APIs. We all know that in OAuth, there is always the Authorization endpoint used to get the Authorization code, which in turn is used to get the Authorization token. In the Authorization endpoint, one of its input parameters is the client_id. It's the identifier for the component that wants to access the resources (e.g. mobile app, web app).

  1. In this case, is the client_id stored in the browser? How would we know where it is stored?

  2. What if a user of the web app was able to successfully authenticate then using OAuth, was given authorization to access the APIs via the web app, but after he uses his machine, the next user was able to get hold of the client_id in the browser. Would he/she be able to access the APIs?

I am asking both since we recently subjected our app to penetration testing and the testers raised a lot of issues about the client_id. They said it can be guessed via enumeration and, when guessed, can be used to access your resources. Also, if it is stored in the browser (if your app is a web app) and you're using a public computer, other people can get it and use it to access the APIs that your web app uses (if they know what their URLs are). I'm confused whether these are really valid issues.

bhorkarg
user233194

1 Answer


Where the client id is stored depends on the architecture of your web application. OAuth 2 defines two client types - a public client (which cannot keep client credentials secret) and a confidential client (which can keep client credentials secret).

In any case, the client id is not a secret. This is what OAuth specification says about the client id:

The client identifier is not a secret; it is exposed to the resource owner and MUST NOT be used alone for client authentication

When it is a confidential client, then the client secret is used to authenticate the client which must be protected. Public clients are generally not authenticated. Many other aspects are validated (one example is redirect url, check the spec for the specifics).

Can an attacker access your API if they get hold of your client id? No, unless they know your client secret. If it is a public client, even then the attacker still needs to provide valid user credentials to obtain the authorisation code, before they can use it to get the access token. Do check out the Threat Model for OAuth for a detailed overview of the threats.

bhorkarg
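To make the answer concrete, here is an added illustration in Python (not code from the question, the answer, or any real OAuth library) of a minimal authorization server: the authorization endpoint only issues a code after the resource owner has logged in, the code is bound to the client_id and redirect URI it was issued to, and the token endpoint requires the client secret for confidential clients. All client registrations, secrets and redirect URIs are constructed sample values.

```python
import hmac
import secrets

# Constructed sample client registrations (example data only).
# A confidential client holds a secret; a public client (e.g. a browser SPA) does not.
CLIENTS = {
    "web-app-123": {"type": "confidential", "secret": "s3cr3t",
                    "redirect_uris": {"https://app.example/cb"}},
    "mobile-app-456": {"type": "public", "secret": None,
                       "redirect_uris": {"com.example.app://cb"}},
}

# Authorization codes issued after the *user* authenticated; each code is bound
# to the client_id and redirect_uri presented at the authorization endpoint.
ISSUED_CODES = {}


def issue_code(client_id, redirect_uri, user_authenticated):
    """Authorization endpoint: knowing a client_id alone yields nothing."""
    client = CLIENTS.get(client_id)
    if client is None or redirect_uri not in client["redirect_uris"]:
        return None  # unknown client or unregistered redirect URI
    if not user_authenticated:
        return None  # the resource owner must log in first
    code = secrets.token_urlsafe(16)
    ISSUED_CODES[code] = {"client_id": client_id, "redirect_uri": redirect_uri}
    return code


def exchange_code(client_id, client_secret, code, redirect_uri):
    """Token endpoint: client_id is an identifier, never a credential."""
    client = CLIENTS.get(client_id)
    grant = ISSUED_CODES.pop(code, None)  # codes are single use
    if client is None or grant is None:
        return None
    if grant["client_id"] != client_id or grant["redirect_uri"] != redirect_uri:
        return None  # code was issued to a different client or redirect URI
    if client["type"] == "confidential":
        # Confidential clients must prove possession of the secret (constant-time compare).
        if client_secret is None or not hmac.compare_digest(client_secret, client["secret"]):
            return None
    return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}
```

Run `issue_code` without `user_authenticated=True`, or `exchange_code` for the confidential client with a wrong secret, and no token is produced, which is the point the answer makes.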