Oauth2.0 security (take WeChat authorized login as an example)
2022-08-02 16:05:00 【Zhangyu,】
Foreword
User A wants to log in to the Z platform (www.z.com) with a WeChat account. Hacker H wants to divert user A, who is logging in to the Z platform with WeChat, to a malicious website (www.h.com) in order to violate A's privacy.
Why to verify the legitimacy of redirect_uri
When doing WeChat-related development, you must configure an authorized (secure) domain name in the WeChat back end. The first step of WeChat authorized login is to obtain a code, and that request carries the parameter redirect_uri (for example redirect_uri=z.com). If this address is not under the domain name we configured, WeChat responds with an error message. Now suppose WeChat did not let us set this domain name, or let us set it but never verified it. Hacker H could then change the address in the request parameters, so the address that user A agrees to authorize becomes h.com. At that point hacker H can do anything with the authorization you granted, such as fetching your user information. So, as an authentication server, verification of redirect_uri must be done.
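As an added example (not code from the article or from WeChat), here is the kind of redirect_uri check the authorization server must perform before it ever redirects with a code. It assumes a constructed registry of exact callback URIs per appid (placeholder values) and rejects the look-alike forms a loose "contains z.com" check would let through.

```python
from urllib.parse import urlsplit

# Constructed registry: appid -> exact redirect URIs registered out of band.
# Placeholder values for this example, not real WeChat identifiers.
REGISTERED_REDIRECTS = {
    "appid-z": {"https://www.z.com/oauth/callback"},
}

def canonical_redirect(redirect_uri: str):
    """Canonical form of redirect_uri, or None if it is malformed or uses a trick
    (userinfo such as z.com@h.com, a fragment, a non-https scheme, an odd port)."""
    try:
        p = urlsplit(redirect_uri)
        port = p.port  # raises ValueError on a garbage port
    except ValueError:
        return None
    if p.scheme.lower() != "https" or not p.hostname:
        return None
    if p.username is not None or p.password is not None or p.fragment:
        return None
    if port not in (None, 443):
        return None
    uri = f"https://{p.hostname.lower()}{p.path or '/'}"   # hostname is already lowercased
    return uri + ("?" + p.query if p.query else "")

def redirect_uri_allowed(client_id: str, redirect_uri: str) -> bool:
    """Exact match only: www.z.com.h.com, z.com@h.com and extra query strings all fail."""
    canon = canonical_redirect(redirect_uri)
    return canon is not None and canon in REGISTERED_REDIRECTS.get(client_id, set())

def authorize(client_id: str, redirect_uri: str, code: str) -> dict:
    """Decide where the code may go. On a bad redirect_uri the server must render an
    error page itself instead of redirecting anywhere (constructed return shape)."""
    if not redirect_uri_allowed(client_id, redirect_uri):
        return {"action": "show_error", "error": "invalid_redirect_uri"}
    sep = "&" if "?" in redirect_uri else "?"
    return {"action": "redirect", "location": f"{redirect_uri}{sep}code={code}"}
```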
Why does the authorization code mode need to apply for code first
To keep the flow safe for sites that do not support https.
Suppose there were no step to obtain the code: user A logs in to the Z platform, the Z platform jumps directly to the WeChat server so that user A can authorize the login, and the access_token is attached to the redirect URL. If the Z platform's website is not https, the access_token is exposed.
If the Z platform is not an https website, then hacker H can intercept the code obtained by the Z platform. Couldn't hacker H then use that code to obtain the token?
This is where the advantage of using a code comes in:
The code is single-use. If hacker H uses it first, platform Z fails when it tries to use the same code again, and according to the oauth2 protocol the token obtained with that code the first time becomes invalid once the code is reused. The only result is that user A fails to log in; at least the user information is protected. Even so, it is recommended to use https for development.
Why is there a secret
- It is equivalent to the Z platform's account and password on the WeChat server: appid is the account name and secret is the password
- DNS pollution: after z.com is DNS-polluted, the code is intercepted by hacker H, and the DNS-polluted Z platform never uses that code again. Without a secret, hacker H can exchange this code for a token, and user A's authorization is used to log in successfully on h.com
- So keeping the secret safe is crucial
- I have not found the concept of a secret in OAuth 2.0 (if some expert has found it, please let me know); for now it is something introduced by the major companies
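The two rules from the "apply for code first" and "why is there a secret" sections above, shown together in an added example (not the article's or WeChat's code): the token endpoint refuses a caller without the client's secret, refuses a code the second time it is presented, and revokes the token issued on the first use. The appid, secret and callback are constructed placeholders; the code lifetime check is left out for brevity.

```python
import hmac
import secrets

# Constructed registry of confidential clients: appid -> secret (placeholder values).
CLIENTS = {"appid-z": "z-secret-example"}

class AuthServer:
    """Minimal code issuer/exchanger: a code is single-use and needs the client secret."""

    def __init__(self):
        self._codes = {}      # code -> who it was issued for, and whether it was used
        self._tokens = set()  # access tokens that are currently valid

    def issue_code(self, client_id, redirect_uri, user):
        code = secrets.token_urlsafe(24)
        self._codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                             "user": user, "used": False, "token": None}
        return code

    def exchange(self, code, client_id, client_secret, redirect_uri):
        """Return (True, token) or (False, error). A replayed code is refused and the
        token it produced earlier is revoked, so a stolen code costs one login, not data."""
        expected = CLIENTS.get(client_id)
        if expected is None or not hmac.compare_digest(expected, client_secret):
            return False, "invalid_client"        # hacker H does not hold Z's secret
        rec = self._codes.get(code)
        if rec is None or rec["client_id"] != client_id or rec["redirect_uri"] != redirect_uri:
            return False, "invalid_grant"
        if rec["used"]:
            self._tokens.discard(rec["token"])    # second use: revoke the first token
            return False, "invalid_grant"
        token = secrets.token_urlsafe(32)
        rec["used"], rec["token"] = True, token
        self._tokens.add(token)
        return True, token

    def token_valid(self, token):
        return token in self._tokens

def interception_scenario():
    # Constructed walk-through: H intercepts A's code but lacks the secret; later the
    # same code is replayed against Z, which kills the token issued on first use.
    srv, cb = AuthServer(), "https://www.z.com/oauth/callback"
    code = srv.issue_code("appid-z", cb, "user-A")
    by_h = srv.exchange(code, "appid-z", "guessed-secret", cb)
    first = srv.exchange(code, "appid-z", CLIENTS["appid-z"], cb)
    replay = srv.exchange(code, "appid-z", CLIENTS["appid-z"], cb)
    return by_h, first, replay, srv.token_valid(first[1])
```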
Let's talk about state
Let's start with a real scenario in which state is not passed:
- Hacker H registers and logs in to the Z platform normally; this is an ordinary account, H
- Hacker H starts logging in to the Z platform and, after obtaining the code, intercepts the next request
- Hacker H sends this link containing the code to user A. A clicks the link, which triggers the next step of the login flow, but what A does not know is that A has actually logged into hacker H's account
- User A believes this is a login to A's own account and uploads important information (for example text files with personal account passwords, personal photos, and so on)
- When hacker H logs in to the account again, H sees the important information saved by user A
From the scenario above you can see why OAuth officially recommends using the state value
- What state is: it ensures consistency of the device that initiated the login request
- With a state value, after the link is sent, user S clicks the link on another device to obtain the token with the code; the Z platform verifies the state, finds that the state of hacker H's device is inconsistent with the state of user S's device, and directly denies the login request
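The state check on platform Z's side, as an added example (not the article's code): a fresh state is minted per device session when the login starts, and the callback is accepted only if its state matches the one that session minted. The endpoint, appid and callback are placeholders; `BrowserSession` is a constructed stand-in for a cookie-bound server session.

```python
import hmac
import secrets

# Placeholders, not real WeChat values; the point here is the state check, not the endpoint.
AUTHORIZE_ENDPOINT = "https://AUTH-SERVER/authorize"
CLIENT_ID = "appid-z"
REDIRECT_URI = "https://www.z.com/oauth/callback"

class BrowserSession:
    """Stand-in for a server-side session bound to one device's cookie (constructed)."""
    def __init__(self):
        self.data = {}

def start_login(session):
    """Step 1 on platform Z: mint an unguessable state, bind it to THIS session."""
    state = secrets.token_urlsafe(32)
    session.data["oauth_state"] = state
    return (f"{AUTHORIZE_ENDPOINT}?response_type=code&appid={CLIENT_ID}"
            f"&redirect_uri={REDIRECT_URI}&state={state}")

def handle_callback(session, code, state):
    """Step 2: accept the code only if state matches the one this session minted."""
    expected = session.data.pop("oauth_state", None)  # one-time: a replayed callback also fails
    if expected is None or state is None or not hmac.compare_digest(expected, state):
        return False, "state_mismatch"
    return True, code  # now safe to exchange the code server-side

def login_csrf_scenario():
    # Constructed replay of the scenario above: H starts a login, captures the callback
    # link (code + state) and sends it to A, who opens it on A's own device.
    h_session, a_session = BrowserSession(), BrowserSession()
    h_state = start_login(h_session).rsplit("state=", 1)[1]
    code_for_h = "code-issued-to-H"  # constructed; would come from the auth server
    on_a_device = handle_callback(a_session, code_for_h, h_state)  # A's session has no such state
    on_h_device = handle_callback(h_session, code_for_h, h_state)  # only H's own device passes
    return on_a_device, on_h_device
```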
Oauth2.0 series of articles
The following articles are also synchronized to Yuque, where they read better; on CSDN, follow the column.
Oauth2.0 Core
Oauth2.0 security (take WeChat authorized login as an example)
Oauth2.0 authentication server setup
Oauth2.0 add verification code login method
Oauth2.0 resource server setup
Oauth2.0 custom response value and exception handling
Oauth2.0 Supplement