
Discordjs OAuth2 Guide is advising deprecated and insecure practices #1370

Open
psibean opened this issue Dec 9, 2022 · 0 comments
Labels
t: request Suggestion to add new or change existing content type: enhancement

Comments

psibean commented Dec 9, 2022

Is your feature request related to a problem? Please describe.

As per the Getting started with OAuth2 section in the discordjs guide, the guide describes the implicit grant workflow.

It even states:

For basic applications like SPAs, getting an access token directly is enough.

Which is incredibly wrong. For a native app or an SPA, the access token should never be delivered to the frontend.

As per a page on oauth.net:

The OAuth 2.0 Security Best Current Practice document recommends against using the Implicit flow entirely, and OAuth 2.0 for Browser-Based Apps describes the technique of using the authorization code flow with PKCE instead.

The best current practices document linked above is a new standards draft by the IETF regarding OAuth2 best practices and recommendations. The only recommended OAuth2 workflow for Single Page Applications (SPAs) is the Authorization Code Grant with PKCE.

The PKCE workflow works by:

  1. Your backend generates a state parameter, a verifier and a matching challenge code, and redirects your user to the OAuth provider with the appropriate parameters. Refer to RFC-7636 for the PKCE workflow standards.
  2. The user logs in through the provider and is redirected to a frontend SPA URL with a code generated by the OAuth provider.
  3. The SPA then sends the code to the backend.
  4. The backend then submits both the code and the challenge (matching the verifier sent in the original request).
  5. The OAuth provider responds to the backend with an access token and a refresh token - neither of which should be obtained by your frontend client.

Describe the solution you'd like

Remove the implicit grant entirely from the guide.

Describe alternatives you've considered

Add a big red warning advising that the implicit grant is deprecated and insecure and should not be used.

Additional notes

Within the next couple of months I plan on releasing a full discord oauth2 workflow example repo that covers an SPA and secure practices, and I'd be happy for it to be reviewed and used as an example once it's up.

@psibean psibean added the t: request Suggestion to add new or change existing content label Dec 9, 2022
@psibean psibean changed the title Discordjs OAuth2 Guide is recommending deprecated and insecure practices Discordjs OAuth2 Guide is advising deprecated and insecure practices Dec 9, 2022