IBM Verify

  • 1.  OAuth , Requesting protected resource with access token on query parameter

    Posted Tue June 30, 2020 01:21 PM

    Hello,

    We are running into a situation in our app where we need to load webviews/iframes with the access token on a query parameter.

    The following works when accessed directly:
    curl -k -L 'https://www.portal.com/app/mobile-demo/diag/rest.jsp' -H 'Authorization: Bearer FcyTEVfjoY46Mwgkps7p'

    But when we try to load the webview on iOS with the following, it doesn't work:
    curl -k -L "https://www.portal.com/app/mobile-demo/diag/rest.jsp?access_token=FcyTEVfjoY46Mwgkps7p"

    I also tried to add a transformation script that traps requests on a specific junction and transforms them into an OAuth request with an Authorization Bearer token:

    curl -k -L "https://www.portal.com/webview?token=FcyTEVfjoY46Mwgkps7p&URI=/app/mobile-demo/diag/rest.jsp"

    Tried the transformation script with a redirect as well as a forward to the URI with "Authorization: Bearer FcyTEVfjoY46Mwgkps7p" in the header.


    Unable to understand what is wrong




    ------------------------------
    Piyush Agrawal
    ------------------------------


  • 2.  RE: OAuth , Requesting protected resource with access token on query parameter

    Posted Mon July 27, 2020 06:32 AM
    Is there anyone who has tried this?

    ------------------------------
    Piyush Agrawal
    ------------------------------



  • 3.  RE: OAuth , Requesting protected resource with access token on query parameter

    Posted Tue August 04, 2020 07:18 PM

    As per the OAuth spec, have you validated that passing an OAuth token as a query parameter is a recommended practice? I believe the spec describes the inherent risks associated with such an approach, and this is why it is a no-no approach.

    Then I guess the next question in line is why you don't let the mobile app negotiate its own token for itself? Can you share a bit more of your use case?
    The authorization code grant flow is one example of a way to go with mobile apps that works OK.



    ------------------------------
    Sylvain Gilbert
    ------------------------------



  • 4.  RE: OAuth , Requesting protected resource with access token on query parameter

    Posted Wed August 05, 2020 02:33 AM
    As far as I remember, it's allowed to pass the token as a query parameter. But per the spec it's a "MAY", so it's optional. And, at least in 9.0.5, the version in which we originally implemented the IdP, it hadn't been implemented and needed to be added. Anyway, it was a larger project implementing all the needed "MAY" features of OAuth and especially OIDC. So if there is no real need for the optional implementations, I'd suggest sticking with the available options. Just don't use the implicit flow, for security reasons.

    ------------------------------
    Jens Petersen
    ------------------------------
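
The header-versus-query-parameter distinction the replies refer to, as an added example that is not from the original thread or from IBM: a small Python model of the RFC 6750 extraction rules (header form recommended, query form an optional MAY) and of the query-to-header rewrite the first post was attempting with a transformation script. It assumes plain dicts for headers and a full request URL, and it does not model the ISAM/Verify Access transformation-rule engine itself.

```python
# Added example, not IBM Verify / ISAM code: the RFC 6750 bearer-token rules
# behind this thread. Section 2.1 (Authorization header) is the recommended
# form; section 2.3 ("access_token" query parameter) is a MAY a server need
# not support, and it puts tokens into history, logs and Referer headers.
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit


class BearerError(ValueError):
    """code: RFC 6750 error value for WWW-Authenticate (None = bare 401)."""
    def __init__(self, code, description):
        super().__init__(description)
        self.code = code


def extract_bearer(headers, url, allow_query=False):
    """Return (token, "header" | "query") or raise BearerError.
    With allow_query=False the parameter is ignored entirely, which is what a
    header-only resource server does (the OP's ?access_token= curl gets 401)."""
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    header_token = None
    if auth is not None:
        scheme, _, value = auth.strip().partition(" ")
        if scheme.lower() != "bearer" or not value.strip():
            raise BearerError("invalid_request", "malformed Authorization header")
        header_token = value.strip()
    query = parse_qs(urlsplit(url).query).get("access_token", []) if allow_query else []
    if header_token and query:  # section 2: clients MUST NOT use more than one method
        raise BearerError("invalid_request", "token sent by more than one method")
    if header_token:
        return header_token, "header"
    if len(query) > 1:
        raise BearerError("invalid_request", "repeated access_token parameter")
    if query:
        return query[0], "query"
    raise BearerError(None, "no bearer token presented")  # 401, no error attribute


def rewrite_to_header(headers, url):
    """What the thread's transformation script attempts: move a query-string
    token into the Authorization header and strip it from the URL, so the
    junctioned app sees the recommended form and the token stays out of logs."""
    token, via = extract_bearer(headers, url, allow_query=True)
    if via == "header":
        return dict(headers), url
    parts = urlsplit(url)
    kept = {k: v for k, v in parse_qs(parts.query).items() if k != "access_token"}
    clean_url = urlunsplit(parts._replace(query=urlencode(kept, doseq=True)))
    new_headers = {k: v for k, v in headers.items() if k.lower() != "authorization"}
    new_headers["Authorization"] = f"Bearer {token}"
    return new_headers, clean_url
```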