portswigger-all-labs

Complete PortSwigger Web Security Academy Lab Writeups

Detailed, categorized solutions for every lab — from APPRENTICE to EXPERT — covering all 30 vulnerability types.


OAuth 2.0 Authentication Vulnerabilities

Overview

OAuth 2.0 is a widely used framework for authorization that enables users to grant third-party applications limited access to their resources without exposing login credentials. While powerful and popular, OAuth 2.0 is prone to implementation errors, leading to vulnerabilities such as sensitive data leakage and authentication bypass.


What is OAuth?

OAuth enables websites and apps to request limited access to a user’s account on another platform (e.g., Google, Facebook). It does so without the user revealing their login credentials to the requesting site.

Use cases include:

Note: OAuth 2.0 is the standard. OAuth 1.0a is obsolete and very different.

How OAuth 2.0 Works

OAuth involves the following parties:

OAuth uses different “flows” (grant types) depending on the context. The two main ones are:

General OAuth Steps

  1. Client app requests access to specific user data.
  2. User logs in and consents.
  3. Client receives an access token.
  4. Client uses token to access resources.

OAuth Grant Types

Authorization Code Grant (Most Secure)


  1. Authorization Request
     GET /authorization?client_id=12345&redirect_uri=https://client-app.com/callback&response_type=code&scope=openid%20profile&state=xyz HTTP/1.1
     Host: oauth-authorization-server.com
  2. User Login & Consent – User logs in and approves the requested scopes (e.g., openid, profile).
  3. Authorization Code Redirect
     GET /callback?code=abc123&state=xyz HTTP/1.1
     Host: client-app.com
  4. Access Token Request (server-to-server)
     POST /token HTTP/1.1
     Host: oauth-authorization-server.com
     ...
     client_id=12345&client_secret=SECRET&redirect_uri=https://client-app.com/callback&grant_type=authorization_code&code=abc123
  5. Token Response
     {
       "access_token": "z0y9x8w7v6u5",
       "token_type": "Bearer",
       "expires_in": 3600,
       "scope": "openid profile"
     }
  6. API Call
     GET /userinfo HTTP/1.1
     Host: oauth-resource-server.com
     Authorization: Bearer z0y9x8w7v6u5
  7. User Data Response
     {
       "username": "carlos",
       "email": "carlos@carlos-montoya.net"
     }

Implicit Grant (Less Secure)


Best for SPAs and desktop apps.

  1. Authorization Request (note response_type=token)
     GET /authorization?...&response_type=token&...
  2. User Login & Consent
  3. Access Token in Fragment
     GET /callback#access_token=...&token_type=Bearer&...
  4. Extract Token via JavaScript and use in API Call
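As an added example (not code from the PortSwigger page or its labs), here is the client side of the authorization code flow above plus the fragment extraction used by the implicit flow, in Python. It reuses the page's illustrative values (client_id 12345, secret SECRET, code abc123, token z0y9x8w7v6u5); the token endpoint is a constructed in-process stand-in so the code runs offline, and the state check is the part that binds the callback to the user's own session.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Illustrative values from the request/response examples on this page.
AUTH_SERVER = "https://oauth-authorization-server.com"
CLIENT_ID, CLIENT_SECRET = "12345", "SECRET"
REDIRECT_URI = "https://client-app.com/callback"

def build_authorization_request(session: dict) -> str:
    """Step 1: build the redirect, binding a random single-use state to the session."""
    session["oauth_state"] = secrets.token_urlsafe(16)
    params = {"client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "response_type": "code", "scope": "openid profile",
              "state": session["oauth_state"]}
    return f"{AUTH_SERVER}/authorization?{urlencode(params)}"

def handle_callback(session: dict, callback_url: str) -> str:
    """Step 3: accept the code only if state matches what this session issued.
    Popping the state makes a replayed or attacker-supplied callback fail."""
    q = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)
    if expected is None or q.get("state", [None])[0] != expected:
        raise ValueError("state mismatch: callback not bound to this session")
    if "code" not in q:
        raise ValueError("callback carries no authorization code")
    return q["code"][0]

def fake_token_endpoint(form: dict) -> dict:
    """Constructed stand-in for POST /token so the example runs offline."""
    issued = {"abc123": REDIRECT_URI}  # code -> redirect_uri it was issued for
    if form.get("client_secret") != CLIENT_SECRET:
        return {"error": "invalid_client"}
    if (form.get("grant_type") != "authorization_code"
            or issued.get(form.get("code")) != form.get("redirect_uri")):
        return {"error": "invalid_grant"}
    return {"access_token": "z0y9x8w7v6u5", "token_type": "Bearer",
            "expires_in": 3600, "scope": "openid profile"}

def exchange_code(code: str, post=fake_token_endpoint) -> dict:
    """Step 4: server-to-server exchange; redirect_uri must repeat step 1's."""
    return post({"client_id": CLIENT_ID, "client_secret": CLIENT_SECRET,
                 "redirect_uri": REDIRECT_URI,
                 "grant_type": "authorization_code", "code": code})

def token_from_fragment(callback_url: str) -> str:
    """Implicit grant: the token is in the URL fragment, which browsers never
    send to the server, so only client-side code can read it."""
    return parse_qs(urlparse(callback_url).fragment)["access_token"][0]
```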

OAuth Scopes

Scopes define the specific data or actions the client is requesting. Examples:

OAuth Authentication

OAuth is now often used for authentication (SSO-like). Typical flow:

  1. User chooses “Log in with social media.”
  2. Client app requests basic identity data via OAuth.
  3. App uses the data to authenticate the user and start a session.

Key Takeaways


Further Reading: