Stream: implementers
Topic: Oauth2 Limitations
Oliver (Nov 13 2018 at 19:14):
This is an OAuth2 question. Let's say I have a server-side application and I am granting a user access permissions via their client-side app, and I want to manage multiple sets of scopes. I can authenticate and authorize the user, but I haven't found a way to reliably verify the identity of the client application. The client ID and client secret are readily available in the browser source and could be inspected and taken/used by a hacker, which would totally change any restrictions I place on client access. This matters if I have a layer of RBAC-based scopes for the user but also for the client and want to manage those permissions for access as well as security. Is there a way to solve this in either OAuth2 or from a wider architectural standpoint? It seems like an obvious problem that must have an existing solution. Thanks
Michele Mottini (Nov 13 2018 at 20:50):
apps cannot fake the redirect URL
Adam Flinton (Nov 15 2018 at 08:34):
possibly of interest: https://openid.net/wg/heart/
Last updated: Apr 12 2022 at 19:14 UTC