get_before_authorization_code_exchanged
https://www.oauth.com/oauth2-servers/server-side-apps/authorization-code/
When an authorization_code is retrieved via the redirect_uri, it has to be exchanged for an access_token with a POST request. This operation is called the "authorization_code exchange". During this exchange the authorization_code is invalidated: it can be used only once. So, after the "authorization_code exchange", we are in a "secure" environment.
Making GET requests before the exchange means that the authorization_code can accidentally be sent outside your application.
The Referer header (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referer) is the danger. Check that the redirect_uri containing the authorization_code is not sent in it.
If the authorization_code is sent out before it is exchanged, it represents a potential session leak: someone else could exchange this code for an access_token.
Check the "Referrer-Policy" on your server. https://developer.mozilla.org/en-US/docs/Web/Security/Referer_header:_privacy_and_security_concerns
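The two checks described above (a Referer that still carries the authorization_code, and a Referrer-Policy that does not strip the query string cross-origin) can be run over captured requests. The following is an added example written for this README, not the project's own code: the request records, host names and the code value are constructed, and the host `app.example` is assumed to be where the redirect_uri lives.

```python
from urllib.parse import parse_qs, urlsplit

# Referrer-Policy values under which the browser never sends the path or query
# string to another origin, so a code in the redirect_uri cannot leave the site.
SAFE_REFERRER_POLICIES = {
    "no-referrer",
    "same-origin",
    "origin",
    "strict-origin",
    "origin-when-cross-origin",
    "strict-origin-when-cross-origin",
}
# Values that send the full URL (including ?code=...) to other origins.
UNSAFE_REFERRER_POLICIES = {"no-referrer-when-downgrade", "unsafe-url"}


def header(headers, name):
    """Case-insensitive header lookup; returns None when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def authorization_code_in_url(url):
    """Return the `code` query parameter of url, or None when there is none."""
    values = parse_qs(urlsplit(url).query).get("code")
    return values[0] if values else None


def find_referer_leaks(requests, redirect_host):
    """Flag requests to another host whose Referer still contains an authorization code.

    requests: iterable of {"method": str, "url": str, "headers": dict}.
    Returns a list of (request_url, leaked_code) tuples.
    """
    leaks = []
    for req in requests:
        referer = header(req.get("headers", {}), "Referer")
        if not referer:
            continue
        code = authorization_code_in_url(referer)
        if code is None:
            continue
        if urlsplit(req["url"]).hostname != redirect_host:
            leaks.append((req["url"], code))
    return leaks


def referrer_policy_is_safe(response_headers):
    """True when the redirect_uri response pins a policy that strips the query cross-origin.

    An absent header is treated as unsafe: the behaviour is then left to the
    browser default. When several comma-separated values are given, the last
    recognised token wins, matching how browsers apply fallback lists.
    """
    policy = header(response_headers, "Referrer-Policy")
    if policy is None:
        return False
    known = SAFE_REFERRER_POLICIES | UNSAFE_REFERRER_POLICIES
    tokens = [t.strip().lower() for t in policy.split(",") if t.strip()]
    recognised = [t for t in tokens if t in known]
    return bool(recognised) and recognised[-1] in SAFE_REFERRER_POLICIES


# Constructed sample traffic: the browser landed on the redirect_uri and then
# loaded sub-resources before the app exchanged the code at the token endpoint.
CALLBACK = "https://app.example/callback?code=c0de-constructed-123&state=xyz"
SAMPLE_REQUESTS = [
    {"method": "GET", "url": "https://cdn.analytics.example/pixel.gif",
     "headers": {"Referer": CALLBACK}},                     # leaks to third party
    {"method": "GET", "url": "https://app.example/static/app.js",
     "headers": {"Referer": CALLBACK}},                     # same host, not flagged
    {"method": "POST", "url": "https://auth.example/token",
     "headers": {"Content-Type": "application/x-www-form-urlencoded"}},
    {"method": "GET", "url": "https://fonts.example/x.woff",
     "headers": {"Referer": "https://app.example/home"}},  # no code in Referer
]

if __name__ == "__main__":
    for url, code in find_referer_leaks(SAMPLE_REQUESTS, "app.example"):
        print(f"authorization_code {code!r} leaked via Referer to {url}")
    print("Referrer-Policy ok:", referrer_policy_is_safe({"Referrer-Policy": "no-referrer"}))
```

Run against real traffic, feed the function the requests your browser or proxy recorded between landing on the redirect_uri and the POST to the token endpoint; anything it returns is a Referer leak the Referrer-Policy check should have prevented.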