README recommends dangerous usage of deeplink redirects containing access token #440
Comments
|
@macmccann hello mate, thanks for reporting this issue, any PR is welcome! <3 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
As detailed in Stytch's blog post on PKCE and You're probably doing oauth wrong on android, there are still vulnerabilities with deeplink redirection even when using App-claimed https scheme redirects.
The README implies that the URL returned from
openAuthshould return a long-term access token via the lines// Validate the stored access token (Maybe with a request)and
This is dangerous for developers who don't understand the OAuth flow as they may be tempted to return the permanent access token from a successful web OAuth authorization flow, which could be intercepted by a malicious developer and used to gain access to client resources.
The current gold standard for OAuth2.0 is to return an authorization code in the deeplink redirect and PKCE to exchange for the true access token. The
openAuthdocumentation should ensure developers know this, preferably with some scary language in the example portion of the code around deeplinking, e.g. "DO NOT return any permanent secret tokens in this deeplink redirect!"The text was updated successfully, but these errors were encountered: