From Implicit to Authorization Code With PKCE, BFF

Lack of refresh token support: when no refresh tokens are issued, the client must request new tokens frequently, which increases the chances of token leakage and misuse.
The Implicit Flow had several security vulnerabilities, such as token interception and theft.
The latest advancement shown in the diagram is the Authorization Code Flow with both PKCE and BFF. This approach combines the benefits of PKCE with additional backend protections, further mitigating vulnerabilities like persistent token theft.
To summarize, the Implicit Flow in OpenID Connect involves redirecting the user to the OpenID Provider for authentication, the user submits their login credentials, and the application receives an access token and ID token in the redirect response, which is then used to access protected resources.
If the application only involves a frontend component, many of these vulnerabilities can be mitigated by using the OpenID Connect Authorization Code Flow with PKCE. In the next section, we will examine these flows and explore how they mitigate the vulnerabilities present in the Implicit Flow, providing a safer mechanism for handling and transmitting tokens.
This code challenge is sent with the initial authorization request, ensuring that the code verifier is used later to prove that the true originator of the authorization request is asking for a token in exchange for the authorization code.
Upon successful authentication, the OpenID Provider redirects the user's browser back to the specified redirect URI with an authorization code included in the URL. The authorization code is a short-lived, one-time code that the client exchanges for an access token.
The client application sends an asynchronous request to the OpenID Provider's token endpoint to exchange the authorization code for an access token.
To summarize, the Authorization Code Flow with PKCE in OpenID Connect involves redirecting the user to the OpenID Provider for authentication, the user submits their login credentials, the application receives an authorization code in the redirect response, and then securely exchanges this code for an access token using PKCE. This flow enhances security by ensuring that the authorization code can only be used by the client that requested it, significantly reducing the risk of token interception.
Code Interception Attack: PKCE ensures that the authorization code can only be exchanged for tokens by the client that requested it, preventing attackers from intercepting the code during the redirect.
Token transmission via URL: with the Authorization Code Flow with PKCE, tokens are never placed in the URL, reducing the risk of tokens being intercepted from the address bar, browser history, logs, and HTTP referrers.
Lack of refresh token support: PKCE supports the use of refresh tokens, allowing secure, long-term session maintenance without frequent requests for new tokens, thereby reducing the chances of token leakage and misuse.
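The following is an added example, not code from the DZone article, that shows the PKCE binding described above end to end: the client keeps a random code verifier, sends only its S256 challenge in the authorization request, and the provider refuses to exchange the authorization code unless the presented verifier hashes to the stored challenge. The OpenID Provider is a constructed in-memory stand-in, and the client_id and redirect URI are made-up values; the RFC 7636 test vector is used to check the S256 transform. It also shows the two failure modes the text names: a code captured from the redirect is useless without the verifier, and a code cannot be presented twice.

```python
import base64
import hashlib
import secrets
import time


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding RFC 7636 specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier() -> str:
    """Client side: a high-entropy secret that never leaves the client.
    32 random bytes encode to 43 characters, the RFC 7636 minimum length."""
    return b64url(secrets.token_bytes(32))


def make_challenge(verifier: str) -> str:
    """S256 transform: the only PKCE value sent on the front channel is this hash."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Constructed stand-in for the OpenID Provider's authorize and token endpoints.
    It records the challenge with each code and checks the verifier at exchange time."""

    def __init__(self, code_ttl: int = 60):
        self._codes = {}          # code -> binding data recorded at /authorize
        self.code_ttl = code_ttl  # authorization codes are short-lived

    def authorize(self, client_id: str, redirect_uri: str,
                  code_challenge: str, code_challenge_method: str = "S256") -> str:
        # Refusing 'plain' keeps a client or intermediary from downgrading the scheme.
        if code_challenge_method != "S256":
            raise ValueError("only S256 is accepted")
        code = b64url(secrets.token_bytes(24))
        self._codes[code] = {
            "client_id": client_id,
            "redirect_uri": redirect_uri,
            "challenge": code_challenge,
            "expires": time.time() + self.code_ttl,
        }
        return code  # delivered to the browser in the redirect URL

    def token(self, client_id: str, redirect_uri: str, code: str, code_verifier: str) -> dict:
        entry = self._codes.pop(code, None)  # pop: a code can be presented only once
        if entry is None or time.time() > entry["expires"]:
            return {"error": "invalid_grant"}
        if entry["client_id"] != client_id or entry["redirect_uri"] != redirect_uri:
            return {"error": "invalid_grant"}
        # Only the party that generated the verifier can reproduce the stored challenge.
        if not secrets.compare_digest(make_challenge(code_verifier), entry["challenge"]):
            return {"error": "invalid_grant"}
        return {
            "access_token": b64url(secrets.token_bytes(24)),
            "refresh_token": b64url(secrets.token_bytes(24)),
            "token_type": "Bearer",
            "expires_in": 300,
        }


def demo() -> dict:
    """Exercise the legitimate exchange and the failure modes PKCE and one-time
    codes are meant to stop. Returns the observed outcomes."""
    srv = AuthorizationServer()
    client_id, redirect_uri = "spa-client", "https://app.example/callback"  # constructed values

    # Scenario A: someone who observed the redirect has the code but not the verifier.
    verifier = make_verifier()
    code = srv.authorize(client_id, redirect_uri, make_challenge(verifier))
    stolen = srv.token(client_id, redirect_uri, code, make_verifier())

    # Scenario B: the legitimate client redeems its own code, then a replay is refused.
    verifier = make_verifier()
    code = srv.authorize(client_id, redirect_uri, make_challenge(verifier))
    legit = srv.token(client_id, redirect_uri, code, verifier)
    replay = srv.token(client_id, redirect_uri, code, verifier)

    # Scenario C: a 'plain' challenge is rejected at /authorize.
    try:
        srv.authorize(client_id, redirect_uri, verifier, code_challenge_method="plain")
        downgrade_rejected = False
    except ValueError:
        downgrade_rejected = True

    return {"stolen": stolen, "legit": legit, "replay": replay,
            "downgrade_rejected": downgrade_rejected}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Note that the verifier check uses a constant-time comparison and that the code is removed from the store before any check runs, so a failed attempt also burns the code; a real provider would additionally bind the code to the client's registered redirect URI set rather than a single string.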
The Authorization Code Flow with PKCE, combined with a backend, addresses many security concerns effectively, providing a more secure mechanism for token handling and transmission.
It includes redirecting the user to the OpenID Provider for authentication, the user submitting their login credentials, the OpenID Provider returning an authorization code in the redirect response, and the application securely exchanging this code for an access token.
This flow enhances security by ensuring that the authorization code can only be used by the client that requested it, significantly reducing the risk of token interception.
In the next section, we will examine this diagram and explore how PKCE prevents code interception attacks effectively, providing a more secure mechanism for token handling and transmission.
PKCE ensures that the authorization code can only be exchanged for tokens by the client that requested it, preventing attackers from intercepting the code during the redirect.
The BFF handles authentication and token management on the server side, preventing the access token from being exposed to the end-user.
The BFF pattern adds another layer of security by preventing access tokens from being exposed to the end-user's device.
Moving to more secure methods, the Authorization Code Flow with PKCE, both in frontend-only and backend-involving implementations, significantly reduces risks associated with token interception and theft.
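The BFF pattern described in the preceding paragraphs, as an added example that is not part of the original article: tokens obtained from the provider stay in a server-side session store, the browser receives only an opaque `__Host-` prefixed, HttpOnly cookie, and the BFF attaches the bearer token (and uses the refresh token before expiry) when it forwards API calls. The provider, resource server and clock are constructed stand-ins; cookie name, TTLs and the refresh window are assumed values.

```python
import secrets
import time


class FakeProvider:
    """Constructed stand-in for the OpenID Provider's token endpoint plus a
    resource server that accepts the access tokens it has issued."""

    def __init__(self, access_ttl: int = 300):
        self.access_ttl = access_ttl
        self.valid_access: set[str] = set()
        self.refresh_calls = 0

    def issue(self) -> dict:
        tokens = {"access_token": secrets.token_urlsafe(24),
                  "refresh_token": secrets.token_urlsafe(24),
                  "expires_in": self.access_ttl}
        self.valid_access.add(tokens["access_token"])
        return tokens

    def refresh(self, refresh_token: str) -> dict:
        self.refresh_calls += 1
        return self.issue()  # simplified: refresh-token validation and rotation omitted

    def resource(self, headers: dict) -> dict:
        token = headers.get("Authorization", "").removeprefix("Bearer ")
        if token in self.valid_access:
            return {"status": 200, "body": {"profile": "ok"}}
        return {"status": 401}


class BackendForFrontend:
    """Holds tokens server-side; the browser receives only an opaque session cookie."""

    COOKIE = "__Host-bff_session"  # assumed cookie name

    def __init__(self, provider: FakeProvider, now=time.time):
        self.provider = provider
        self.now = now                          # injectable clock so expiry can be simulated
        self._sessions: dict[str, dict] = {}    # session id -> tokens, never sent to the browser

    def complete_login(self) -> dict:
        """Runs after the BFF has exchanged the authorization code itself.
        Returns the response headers the browser sees: no token among them."""
        tokens = self.provider.issue()
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {
            "access": tokens["access_token"],
            "refresh": tokens["refresh_token"],
            "expires_at": self.now() + tokens["expires_in"],
        }
        return {"Set-Cookie": f"{self.COOKIE}={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"}

    def _session_from_cookie(self, cookie_header: str):
        for part in cookie_header.split(";"):
            name, _, value = part.strip().partition("=")
            if name == self.COOKIE:
                return self._sessions.get(value)
        return None

    def call_api(self, cookie_header: str) -> dict:
        """Browser -> BFF -> API. The bearer token is attached here, server-side."""
        sess = self._session_from_cookie(cookie_header)
        if sess is None:
            return {"status": 401}
        if self.now() >= sess["expires_at"] - 30:  # refresh shortly before expiry
            fresh = self.provider.refresh(sess["refresh"])
            sess.update(access=fresh["access_token"], refresh=fresh["refresh_token"],
                        expires_at=self.now() + fresh["expires_in"])
        return self.provider.resource({"Authorization": f"Bearer {sess['access']}"})


def demo() -> dict:
    """Log in, call the API, advance the clock into the refresh window, then try a
    forged cookie. Also checks that no issued token appears in anything browser-facing."""
    clock = [1_000.0]
    provider = FakeProvider(access_ttl=300)
    bff = BackendForFrontend(provider, now=lambda: clock[0])

    login = bff.complete_login()
    cookie_header = login["Set-Cookie"].split(";")[0]   # what the browser sends back
    first = bff.call_api(cookie_header)
    clock[0] += 290                                     # past expires_at - 30
    after_expiry = bff.call_api(cookie_header)
    forged = bff.call_api(f"{bff.COOKIE}={secrets.token_urlsafe(32)}")

    browser_visible = [login["Set-Cookie"], str(first), str(after_expiry), str(forged)]
    leaked = any(tok in s for tok in provider.valid_access for s in browser_visible)
    return {"first": first, "after_expiry": after_expiry, "forged_cookie": forged,
            "refresh_calls": provider.refresh_calls, "token_leaked_to_browser": leaked}


if __name__ == "__main__":
    print(demo())
```

The session id is the only secret the browser holds, and it is useless outside the BFF's own session store, which is what makes the pattern resistant to token theft from the user's device.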


This Cyber News was published on feeds.dzone.com. Publication date: Mon, 01 Jul 2024 17:13:05 +0000


