java - Facebook 'code' parameter as part of query string for OAuth authentication

275

Even though Authorization Code is short-lived comparing to Authorization token, isn't there a vulnerability in sending it in 'GET' as a query string? Isn't it similar to sending password using GET method?

In other words, after authentication facebook redirects user's browser to mysite.com sending the authorization code as a query string. Isn't it un-encrypted? middle man who is listening to your packets can read it and use it to highjack your session (session at mysite.com)?

Say,

  1. I blocked the redirect (after getting the 'code' from facebook) on my browser side (using some browser add-on/plug-in)
  2. I copied the complete redirect URL (www.mysite.com?code=AQCOtAV..blah) and trying it from a different browser.
  3. the request will go through and mysite.com will contact facebook with inbound Authorization Code along with secretKey and clientId and Authenticate and generate Authorization token (I haven't really tried this step : step 3)

I know I am missing something here. Kindly help me out.

348

Answer

Solution:

Thanks @Z├│lyomi for pointing out that even though the authorization code is sent across as a query parameter, its using HTTPS to send.

Answer: The query string sent across https is secure. No matter which http method GET or POST you are using, its encrypted and no middleman can listen to it. More info. Is an HTTPS query string secure?

However for numerous other reason sending the password in query string is not a good practice (password may appear in server logs as plain text as part of the URL etc). But that doesn't apply here because the Authorization code is a short lived one and its useless once its exchanged for the Authorization token.

People are also looking for solutions to the problem: php - How to read data from excel using with PHPExcel

Source

Didn't find the answer?

Our community is visited by hundreds of web development professionals every day. Ask your question and get a quick answer for free.

Ask a Question

Write quick answer

Do you know the answer to this question? Write a quick response to it. With your help, we will make our community stronger.

Similar questions

Find the answer in similar questions on our website.