Hey there!
Your concern is not uncommon and is not wrong. There is one thing that is important to remember. There are two main types of OAuth protocols: OAuth 1.0a and OAuth 2.0. The two protocols are not the same, and OAuth 2.0 is not simply an updated version of 1.0a. They are completely different.
It sounds like your developers are looking just for the access token so they do not have to initiate the OAuth flow. This is not entirely unsafe, but it is not what I would suggest. What they are describing is something that has been noted as Application Passwords. This is where the server self-issues a token and the clients can use that token. This method is usually used to help those who do not understand OAuth, and it just makes it simpler for them.
I would suggest that if security is your concern, you do not simply give out an access token. I am also going to assume that the other developers are looking to connect in a general sense and not for SSO purposes. If this is the case, then it is not rare to issue just an access token that you generated.
WP OAuth Server does not have this self-generate feature built into it, but it is possible.
Ultimately, I always suggest sticking with the tried-and-proven way of OAuth, where the clients generate their own tokens. With this said, there is no right or wrong in OAuth. OAuth is simply a guide. I would note, though, that the drafts are the safest and best way to implement your system.
Hope this helps.
Justin Greer
Hi Justin,
Thank you very much for your perspective.
I am going to also assume that the other developers are looking to connect in a general sense and not for SSO purposes.
It’s not specifically for SSO, but the other developers are hosting sensitive HIPAA data that relates directly to users who have accounts on our system. So, a user logs into our WP site, and if they want to see their medical records, they go to a page on our site that has an embedded iFrame, and within that iFrame the other server loads the medical records. The other developers want me to embed the access token in the iFrame URL, or set a third-party cookie that will allow them to access it. Given the HIPAA aspect of it, I’m wary of proceeding the way they want.
This reply was modified 7 years, 9 months ago by riquigley.
I see. With HIPAA, OAuth 2 is enough because there are TLS connections from both sides. I would recommend a new access token/handshake each session with this as well. This would mean that they would need to go through the steps as defined in OAuth 2.
HIPAA is no joke, and the simplest way should not be chosen for the sake of simplicity.
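The two approaches discussed in this thread, side by side, as an added illustration that is not code from WP OAuth Server or from anyone posting here: a long-lived self-issued "application password" handed to the other party once, versus a per-session access token obtained through the OAuth 2 authorization-code handshake that the reply above recommends. The client name, secret, redirect URI, code and token lifetimes, and the in-memory stores are all assumptions made for the example; a real server would persist and hash them.

```python
"""Toy OAuth 2 authorization server contrasting a never-expiring application
password with a short-lived, per-session token issued via the code exchange.
Added example; names, lifetimes and stores are assumptions, not plugin code."""
import secrets
import time
from dataclasses import dataclass
from hmac import compare_digest
from typing import Optional

# Lifetimes are assumptions for this example, not values from WP OAuth Server.
CODE_TTL = 60            # authorization codes: one minute, single use
SESSION_TOKEN_TTL = 900  # per-session access tokens: fifteen minutes


@dataclass
class Token:
    value: str
    user: str
    scope: str
    expires_at: Optional[float]  # None means the token never expires


class AuthServer:
    """Holds registered clients, outstanding codes and issued tokens in memory."""

    def __init__(self, clients):
        # clients: {client_id: {"secret": str, "redirect_uri": str}} (constructed input)
        self._clients = clients
        self._codes = {}   # code -> record of who it was minted for and when
        self._tokens = {}  # token value -> Token

    # --- the shortcut discussed in the thread ---------------------------------
    def issue_application_password(self, user, scope):
        """Self-issued bearer token with no expiry, handed to the other party once."""
        tok = Token(secrets.token_urlsafe(32), user, scope, None)
        self._tokens[tok.value] = tok
        return tok.value

    # --- OAuth 2 authorization-code flow: one handshake per session ------------
    def authorize(self, user, client_id, redirect_uri, scope, now=None):
        """Step 1: the user is logged in here; mint a one-time code bound to the
        registered client and its registered redirect URI."""
        client = self._clients.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise PermissionError("unknown client or unregistered redirect_uri")
        code = secrets.token_urlsafe(24)
        self._codes[code] = {"user": user, "client_id": client_id,
                             "redirect_uri": redirect_uri, "scope": scope,
                             "issued_at": now if now is not None else time.time()}
        return code

    def exchange_code(self, code, client_id, client_secret, redirect_uri, now=None):
        """Step 2: the client redeems the code with its secret. The code is
        consumed on the first attempt whether or not the attempt succeeds."""
        now = now if now is not None else time.time()
        rec = self._codes.pop(code, None)  # single use
        if rec is None:
            raise PermissionError("unknown or already used code")
        client = self._clients.get(client_id)
        if (client is None
                or not compare_digest(client["secret"], client_secret)
                or rec["client_id"] != client_id
                or rec["redirect_uri"] != redirect_uri
                or now - rec["issued_at"] > CODE_TTL):
            raise PermissionError("code does not match client/redirect_uri or has expired")
        tok = Token(secrets.token_urlsafe(32), rec["user"], rec["scope"],
                    now + SESSION_TOKEN_TTL)
        self._tokens[tok.value] = tok
        return tok.value

    # --- what the resource server (the records host) checks on every request --
    def introspect(self, token_value, now=None):
        """Return the Token if it is known and unexpired, otherwise None."""
        now = now if now is not None else time.time()
        tok = self._tokens.get(token_value)
        if tok is None:
            return None
        if tok.expires_at is not None and now >= tok.expires_at:
            del self._tokens[token_value]
            return None
        return tok


def demo():
    """Walk both paths with a constructed clock and report validity a day later."""
    server = AuthServer({"records-viewer": {"secret": "example-secret",
                                            "redirect_uri": "https://records.example/cb"}})
    t0 = 1_700_000_000.0  # constructed clock value
    app_pw = server.issue_application_password("alice", "records:read")
    code = server.authorize("alice", "records-viewer", "https://records.example/cb",
                            "records:read", now=t0)
    session_tok = server.exchange_code(code, "records-viewer", "example-secret",
                                       "https://records.example/cb", now=t0 + 1)
    later = t0 + 86_400
    return {
        "app_pw_valid_next_day": server.introspect(app_pw, now=later) is not None,
        "session_valid_now": server.introspect(session_tok, now=t0 + 2) is not None,
        "session_valid_next_day": server.introspect(session_tok, now=later) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The point the example makes concrete: a token dropped into an iframe URL or a cookie keeps working for as long as it exists, so an application password leaked once is good indefinitely, while a token minted per session through the code exchange is bound to a registered client and redirect URI, cannot be redeemed twice, and dies on its own after the session window.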
Thank you again, Justin, for your response. I’m glad to know I’m not being concerned unnecessarily.