Section 4.1 of RFC 8252 describes the OAuth authorization flow for native apps using the browser (i.e., external user-agent). In this flow, the native app receives the authorization code in step 4 by setting the redirect URI to the loopback IP. This, of course, requires the native app to open a port on the loopback interface and subjects us to attacks where other apps could get the authorization code (unless we use something like PKCE).
Our system is a client-server model where the clients are various custom command line tools with no real user interface. In our deployments, we can’t always guarantee that we will be able to open a port on the loopback (and we’d like to avoid the added security concerns that PKCE addresses). We would like to tweak the flow for our use case but want to make sure we aren’t leaving the door open for security issues. Here is the flow we’d like to use:
1. Command line tool initiates intent to perform OAuth flow to Application Server.
2. Application Server generates a random in-progress session token and a separate random OAuth flow state value.
3. Application Server stores both values in the database together.
4. Application Server returns both values to the Command line tool.
5. Command line tool launches the external user-agent (e.g., browser) and starts the authentication process against the Authorization Server using the OAuth state value provided by the Application Server.
6. User authenticates.
7. Authorization Server redirects to the Application Server along with the state value.
8. Application Server retrieves the authorization code and stores it in the database along with the in-progress session token and OAuth state value.
9. Command line tool submits the in-progress session token to the Application Server.
10. Application Server retrieves the authorization code from the database and treats it as if the command line tool had provided it.
Outside of the potential for DoS abuse from submitting lots of OAuth initiations, and the potential for the command line tool to initiate step 9 before the Application Server has completed step 8, are there other security issues to be concerned with?
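The following is an added sketch of the Application Server side of the flow described in the question (steps 2 through 4, 8, 9 and 10); it is example code written for this page, not code from the question's system. The class and method names, the in-memory dictionaries standing in for the database, and the five-minute lifetime of a pending login are assumptions. It makes the properties a reviewer would look for explicit: both values come from a CSPRNG, the state value is accepted exactly once, the session token is consumed exactly once, pending records expire, and a CLI that polls before the callback has arrived (the step 9 before step 8 race from the question) gets a "pending" answer rather than an error or someone else's code. As in the question, no PKCE is involved.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple, Union

# Assumed lifetime of an in-progress login; a real deployment would pick its own value.
PENDING_TTL_SECONDS = 300


@dataclass
class PendingLogin:
    """One row of the (simulated) database: step 3 stores the first three fields,
    step 8 fills in `code`."""
    session_token: str
    state: str
    created_at: float
    code: Optional[str] = None


class ApplicationServer:
    """Hypothetical Application Server. `now` is injectable so expiry can be tested."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        self._by_token: Dict[str, PendingLogin] = {}   # lookup for step 9
        self._by_state: Dict[str, PendingLogin] = {}   # lookup for step 8

    # Steps 2-4: mint two independent, unguessable values and persist them together.
    def initiate(self) -> Tuple[str, str]:
        rec = PendingLogin(
            session_token=secrets.token_urlsafe(32),
            state=secrets.token_urlsafe(32),
            created_at=self._now(),
        )
        self._by_token[rec.session_token] = rec
        self._by_state[rec.state] = rec
        return rec.session_token, rec.state

    # Step 8: the Authorization Server redirects here with `state` and `code`.
    def oauth_callback(self, state: str, code: str) -> bool:
        rec = self._by_state.pop(state, None)      # pop: a state value is single-use
        if rec is None or self._expired(rec) or rec.code is not None:
            return False                           # unknown, stale, or replayed state
        rec.code = code
        return True

    # Steps 9-10: the CLI presents its session token; the server hands the stored
    # code to its own code-exchange logic (not shown) exactly once.
    def complete(self, session_token: str) -> Union[str, Tuple[str, str]]:
        rec = self._by_token.get(session_token)
        if rec is None:
            return "invalid"
        if self._expired(rec):
            self._forget(rec)
            return "invalid"
        if rec.code is None:
            return "pending"                       # step 9 arrived before step 8
        self._forget(rec)                          # session token is single-use too
        return ("code", rec.code)

    def _expired(self, rec: PendingLogin) -> bool:
        return self._now() - rec.created_at > PENDING_TTL_SECONDS

    def _forget(self, rec: PendingLogin) -> None:
        self._by_token.pop(rec.session_token, None)
        self._by_state.pop(rec.state, None)


if __name__ == "__main__":
    server = ApplicationServer()
    token, state = server.initiate()
    print("CLI polls early:", server.complete(token))             # pending
    print("callback accepted:", server.oauth_callback(state, "constructed-code"))
    print("callback replayed:", server.oauth_callback(state, "x"))  # False
    print("CLI completes:", server.complete(token))               # ('code', ...)
    print("CLI completes again:", server.complete(token))         # invalid
```

The two dictionaries are keyed by the full random values, so an attacker who can reach the server must guess a 256-bit value to hit either lookup; the pruning on expiry and the pop-on-use on both paths are what keep stale rows from being usable if a code is ever delivered late.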