What is the danger of "client" OAuth authorization?
Social networks usually offer to log in through them in two ways:
1) Server. The user goes to the social network, from there he is transferred to our site with a certain key, then we use this key + our secret key to get a token.
2) Client. The user goes to the social network, from there he is transferred to our site with a hash token.
The second option usually comes with a footnote that it is unsafe.
It is always mandatory to use SSL.
What is the danger of the second approach? Who and how can intercept such a token?
And I also wonder why it is transmitted in the hash? Why not a GET parameter, for example?
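The two redirects described in the question, as an added example that is not part of the original post: it shows which part of each redirect URL reaches the site's server and which part is readable only by script in the browser. The URLs, host name, code, token and client credentials are constructed placeholders, and the parameter names follow OAuth 2.0 (RFC 6749); a particular social network may name them differently.

```javascript
// Constructed redirect URLs (placeholders, not real credentials).
const SERVER_FLOW_REDIRECT =
  "https://app.example.test/callback?code=CONSTRUCTED_CODE&state=abc123";
const CLIENT_FLOW_REDIRECT =
  "https://app.example.test/callback#access_token=CONSTRUCTED_TOKEN&token_type=bearer&state=abc123";

// What the browser puts in the HTTP request line: path + query only.
// The fragment (everything after '#') is never sent to the server.
function requestTargetSeenByServer(redirectUrl) {
  const u = new URL(redirectUrl);
  return u.pathname + u.search;
}

// Server flow, step 1: the backend reads the one-time key from the query string.
function codeFromQuery(redirectUrl) {
  return new URL(redirectUrl).searchParams.get("code");
}

// Client flow: the token sits in the fragment, so only script running in the
// page (reading location.hash) can extract it.
function tokenFromFragment(redirectUrl) {
  const hash = new URL(redirectUrl).hash.replace(/^#/, "");
  return new URLSearchParams(hash).get("access_token");
}

// Server flow, step 2: key + client secret are exchanged for a token in a
// backend-to-provider POST; the token itself never passes through the browser.
function buildTokenExchangeBody(code, clientId, clientSecret, redirectUri) {
  return new URLSearchParams({
    grant_type: "authorization_code",
    code,
    client_id: clientId,
    client_secret: clientSecret,
    redirect_uri: redirectUri,
  }).toString();
}

console.log("server flow, server sees:", requestTargetSeenByServer(SERVER_FLOW_REDIRECT));
console.log("client flow, server sees:", requestTargetSeenByServer(CLIENT_FLOW_REDIRECT));
console.log("client flow, page script sees:", tokenFromFragment(CLIENT_FLOW_REDIRECT));
```

In the server flow, the value visible in the browser is only the intermediate key, which is not enough to obtain a token without the secret held by the backend. In the client flow, the value visible in the browser is the token itself.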