* Create rule S7164
* Initial content
* Additional content

---------

Co-authored-by: jamie-anderson-sonarsource <jamie-anderson-sonarsource@users.noreply.github.com>
Co-authored-by: Jamie Anderson <127742609+jamie-anderson-sonarsource@users.noreply.github.com>
11 lines
559 B
Plaintext
=== OAuth token compromise

The OAuth 2.0 authorization code grant flow is a secure method of authorizing
a web application to access a third-party service. After the user authenticates
with the third-party service and grants access, the web application is sent a
single-use code. The application must then pass this code and a `client_secret`
value to the service in order to obtain a usable authentication token.

If the `client_secret` value is disclosed, anyone who can intercept the
single-use code can then exchange it for a valid authentication token.
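The exchange described above, as an added toy model that is not part of the rule description: an in-memory authorization server issues single-use codes and a token endpoint that requires both the code and the registered `client_secret`. The client id, secret and server class are constructed for illustration; the scenarios show why the single-use property limits replay but cannot protect a disclosed secret.

```python
import secrets
from dataclasses import dataclass, field

# Registered confidential client: client_id -> client_secret (constructed values).
CLIENTS = {"web-app": "s3cr3t-constructed"}


@dataclass
class AuthServer:
    """Minimal model of the authorization-code grant (constructed, not a real AS)."""
    # Outstanding single-use codes: code -> client_id the code was issued to.
    pending_codes: dict = field(default_factory=dict)

    def authorize(self, client_id: str) -> str:
        # Issued after the user authenticates and grants access.
        code = secrets.token_urlsafe(16)
        self.pending_codes[code] = client_id
        return code

    def token(self, client_id: str, client_secret: str, code: str):
        # The client must prove possession of its secret (constant-time compare)...
        if not secrets.compare_digest(CLIENTS.get(client_id, ""), client_secret):
            return None
        # ...and the code must be unused and issued to this client.
        if self.pending_codes.get(code) != client_id:
            return None
        del self.pending_codes[code]  # consume the code: single use
        return "token-" + secrets.token_urlsafe(8)


def exchange_scenarios() -> dict:
    """Outcomes of the exchanges the rule description warns about."""
    server = AuthServer()
    results = {}
    # 1. Normal flow: the app presents the code plus its client_secret.
    code = server.authorize("web-app")
    results["legit"] = server.token("web-app", CLIENTS["web-app"], code) is not None
    # 2. Replay of the same code: it was consumed, so the exchange fails.
    results["replay"] = server.token("web-app", CLIENTS["web-app"], code) is not None
    # 3. Intercepted code but unknown secret: the token endpoint refuses.
    code = server.authorize("web-app")
    results["code_only"] = server.token("web-app", "wrong-guess", code) is not None
    # 4. Intercepted code plus a disclosed secret: the secret check no longer
    #    helps, which is why a leaked client_secret must be revoked and rotated.
    results["code_and_leaked_secret"] = (
        server.token("web-app", CLIENTS["web-app"], code) is not None
    )
    return results
```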