

Password Credential Client and Secret

I've been looking through some of the Laravel Passport / League Oauth2 code and discovered a possible SECURITY flaw if someone (i.e. me!) makes bad assumptions.

To make a "password" grant (i.e. /oauth/token with grant_type=password), Laravel requires there to be a client_secret, client_id, username and password. It then checks if they all match; this is working.

To make a "client_credentials" grant (i.e. /oauth/token with grant_type=client_credentials), Laravel requires there to be a client_secret as well as an ID; however the client_secret and client_id combo is the same.

Now, let's say that I write a naïve application like the following:

  1. User enters their username 'john.doe';
  2. User enters their password 'password'.

That's all fine.

However, let's suppose this is a JavaScript Hybrid SPA and I pull the client_secret and client_id out of the client. IIRC this shouldn't be too hard to do.

Now, let's be even MORE evil:

  1. I hop onto "postman" or just use curl;
  2. Then enter my username 'admin';
  3. Then enter a random 'password';
  4. Fire off a 'client_credentials' request.

I then get a valid token back.

Now because of the somewhat naïve SPA I'm working with, I reinsert that token into its database/local store (or whatever) and voilà!

Guess who just became a user called 'admin'?

Am I missing something here?


So, technically, I suppose this isn't a flaw; it's just dawned on me that the 'sub' should be set to some integer in this case and the SPA should at least check that.

Nonetheless it did catch me by surprise :)

I do wonder if the client_credentials secrets and password_grants secrets should be the same.
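The check the reply proposes, as an added example that is not code from the original post or from Passport itself: a hybrid SPA inspects a stored access token and refuses to treat it as a user session unless it carries a user `sub`. It assumes Passport's claim layout (`aud` = client id, `sub` = user id, `scopes`), and the sample tokens are constructed with a placeholder signature; signature verification and authorization remain the API's job, this only stops the SPA from mistaking a client_credentials token for a logged-in user.

```javascript
// Added example, not code from the original post or from Passport itself: a
// client-side sanity check a hybrid SPA can run before it treats a stored access
// token as a logged-in user. Passport access tokens are JWTs whose "aud" is the
// client id and whose "sub" is the user id; a client_credentials token has no
// user, so its "sub" is missing or empty. The API must still verify the
// signature and the user server-side.

// base64 helpers that work in Node (Buffer) and in the browser (atob/btoa)
const toB64 = (s) => (typeof Buffer !== 'undefined' ? Buffer.from(s, 'utf8').toString('base64') : btoa(s));
const fromB64 = (s) => (typeof Buffer !== 'undefined' ? Buffer.from(s, 'base64').toString('utf8') : atob(s));

function b64urlEncode(obj) {
  return toB64(JSON.stringify(obj)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function b64urlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  return fromB64(b64 + '='.repeat((4 - (b64.length % 4)) % 4));
}

// Decide whether `token` may be used as a user session for client `expectedClientId`.
function classifyToken(token, expectedClientId) {
  const parts = token.split('.');
  if (parts.length !== 3) return { ok: false, reason: 'not a JWT' };
  let claims;
  try {
    claims = JSON.parse(b64urlDecode(parts[1]));
  } catch (e) {
    return { ok: false, reason: 'unreadable payload' };
  }
  // "aud" is a string in older Passport releases and an array in newer ones
  const aud = [].concat(claims.aud ?? []).map(String);
  if (!aud.includes(String(expectedClientId))) return { ok: false, reason: 'issued to another client' };
  if (typeof claims.exp === 'number' && claims.exp * 1000 <= Date.now()) return { ok: false, reason: 'expired' };
  // The check the reply calls for: a password-grant token carries an integer user id in "sub".
  if (claims.sub === undefined || claims.sub === null || claims.sub === '') {
    return { ok: false, reason: 'no subject: client_credentials token, not a user' };
  }
  if (!/^\d+$/.test(String(claims.sub))) return { ok: false, reason: 'sub is not a user id' };
  return { ok: true, userId: Number(claims.sub), scopes: claims.scopes || [] };
}

// Constructed sample tokens (placeholder signature segment, far-future exp).
const HEADER = b64urlEncode({ typ: 'JWT', alg: 'RS256' });
const FAKE_SIG = 'sig-placeholder';
const USER_TOKEN = `${HEADER}.${b64urlEncode({ aud: '1', jti: 'a1', exp: 4102444800, sub: '42', scopes: ['*'] })}.${FAKE_SIG}`;
const CLIENT_TOKEN = `${HEADER}.${b64urlEncode({ aud: '1', jti: 'c1', exp: 4102444800, sub: '', scopes: ['*'] })}.${FAKE_SIG}`;

console.log(classifyToken(USER_TOKEN, 1));   // { ok: true, userId: 42, scopes: ['*'] }
console.log(classifyToken(CLIENT_TOKEN, 1)); // { ok: false, reason: 'no subject: client_credentials token, not a user' }
```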
