Out of Band OAuth2 Authorization #1033

Closed
condemil opened this issue Sep 14, 2018 · 5 comments

@condemil (Contributor) opened the issue:

Do you want to request a feature or report a bug?

I want to request a feature

What is the current behavior?

When urn:ietf:wg:oauth:2.0:oob or urn:ietf:wg:oauth:2.0:oob:auto is specified as redirect_uri, the HTTP 302 redirect forwards the browser to the specified URL.

What is the expected behavior?

After successful completion of the auth flow, instead of redirecting to redirect_uri, the browser goes to a hydra page with the following header:

Success state={{state}}&code={{code}}&scope={{scope}}&...

The page itself contains the information about authentication.

For urn:ietf:wg:oauth:2.0:oob:

[screenshot taken 2018-09-13 14:27]

For urn:ietf:wg:oauth:2.0:oob:auto:

[screenshot taken 2018-09-13 14:31]

More information about the OOB URLs can be found here.

Which version of the software is affected?

1.0 beta 9

@aeneasr (Member) commented Sep 14, 2018:

Since we don't implement UIs in ORY Hydra (and won't change that) this has to be solved another way. Maybe use a redirect URL which shows the authZ code used for pasting?

@condemil (Contributor, Author) commented:

Then hydra can redirect to a URL that can be part of the login, consent or another provider, and that provider renders the page the way other OAuth2 implementations that support oob do.

@aeneasr (Member) commented Sep 14, 2018:

urn:ietf:wg:oauth:2.0:oob does not seem to be an official namespace; at least it is not possible for me to find the specification for it anywhere. In fact, it seems to be a Google-specific value, and IETF folks really don't like it:

urn:ietf:wg:oauth:2.0:oob is a Google thing that is not part of the OAuth 2 specification. I think it was mostly a Windows thing. It is not a real redirect URI; it is used as a flag to the authorization server to have the result returned "Out Of Band" and the user cut and paste the token. On Windows, applications could snoop the title bars of other apps and so programmatically retrieve the token value from the title bar. I don't really want to put effort into expanding all the reasons this is not secure. I don't honestly know what would happen if you sent that redirect URI to a non-Google AS; probably nothing good. It is not part of the OAuth specification and not something people should use without having a good reason and understanding the security implications. William and I documented several ways to implement native applications on OSX and Windows in RFC8252.

As such, this will not be added to ORY Hydra, but I'm sure you can work around this by implementing an app with a dedicated redirect URL (http://my-out-of-band/app/which/is/not/that/secure) that handles this.

@aeneasr aeneasr closed this as completed Sep 14, 2018
@aeneasr aeneasr reopened this Sep 14, 2018
@aeneasr (Member) commented Sep 14, 2018:

Closing due to reasons given above, feel free to elaborate if you think this is a bad decision or if you have questions on how to implement this yourself!

@aeneasr aeneasr closed this as completed Sep 14, 2018
@condemil (Contributor, Author) commented:

I see that other OAuth2 providers, such as Azure, also have it. The use case for that is when you don't have a web server, e.g. a CLI utility that shares a link to start the OAuth2 flow and wants you to paste back the code once the flow is over.
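The CLI flow condemil describes, combined with the dedicated redirect page aeneasr suggests as the workaround, as an added example (this is not ORY Hydra code and not code posted by anyone in the thread). The CLI prints an authorization URL that carries a random state and an RFC 7636 PKCE challenge, the user logs in through a browser, a redirect page shows the state=...&code=... string in the same shape the issue proposes, and the CLI refuses any pasted code whose state does not match its own session before exchanging it. The authorization and token endpoints, the client_id and the redirect page address are assumed placeholders, not values from the page.

```python
"""CLI OAuth2 authorization-code client with manual (copy-paste) return.

Added example, not ORY Hydra project code. All endpoints, the client_id and
the redirect page are hypothetical values chosen for illustration.
"""
import base64
import hashlib
import json
import secrets
import urllib.parse
import urllib.request

AUTH_ENDPOINT = "https://hydra.example.com/oauth2/auth"    # assumed
TOKEN_ENDPOINT = "https://hydra.example.com/oauth2/token"  # assumed
REDIRECT_URI = "https://cli.example.com/oob"               # assumed page that shows the code
CLIENT_ID = "cli-example"                                  # assumed public client


def b64url(data: bytes) -> str:
    """Unpadded base64url, as required by RFC 7636 for verifier and challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_pkce_verifier() -> str:
    # 32 random bytes encode to 43 characters, inside the RFC 7636 range of 43..128.
    return b64url(secrets.token_bytes(32))


def pkce_challenge(verifier: str) -> str:
    """S256 code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(state: str, verifier: str, scope: str = "openid offline") -> str:
    """Authorization request the user opens in a browser (RFC 6749 4.1.1 + PKCE)."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return AUTH_ENDPOINT + "?" + urllib.parse.urlencode(params)


def parse_pasted_response(pasted: str, expected_state: str) -> str:
    """Extract the code from what the user pasted back and bind it to this session.

    Accepts the "state=...&code=..." string (optionally prefixed like the
    "Success state=..." title in the issue) or a full redirect URL copied from
    the address bar. Both code and state are mandatory; a code whose state
    does not match is rejected, since it was not issued for this CLI run.
    """
    pasted = pasted.strip()
    if "://" in pasted:                      # full redirect URL: keep only the query part
        pasted = urllib.parse.urlsplit(pasted).query
    if " " in pasted:                        # drop a leading label such as "Success "
        pasted = pasted.rsplit(" ", 1)[1]
    params = urllib.parse.parse_qs(pasted, keep_blank_values=True)
    if "error" in params:
        detail = params.get("error_description", [""])[0]
        raise ValueError(f"authorization failed: {params['error'][0]} {detail}".strip())
    if "code" not in params or "state" not in params:
        raise ValueError("pasted response must contain both code and state")
    if not secrets.compare_digest(params["state"][0], expected_state):
        raise ValueError("state mismatch: this code was not issued for this session")
    return params["code"][0]


def token_request(code: str, verifier: str) -> dict:
    """Form body for the token exchange (RFC 6749 4.1.3 with the PKCE verifier)."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": verifier,
    }


def exchange_code(code: str, verifier: str) -> dict:
    """POST the code to the token endpoint; network call, not exercised offline."""
    data = urllib.parse.urlencode(token_request(code, verifier)).encode("ascii")
    req = urllib.request.Request(TOKEN_ENDPOINT, data=data, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def main() -> None:
    state = b64url(secrets.token_bytes(16))
    verifier = new_pkce_verifier()
    print("Open this URL in a browser:\n" + build_authorization_url(state, verifier))
    pasted = input("Paste the state=...&code=... string shown after login: ")
    code = parse_pasted_response(pasted, state)
    print(json.dumps(exchange_code(code, verifier), indent=2))


if __name__ == "__main__":
    main()
```

Because the code is displayed on a page the CLI controls rather than in a browser title, other processes cannot read it from the window title as the quoted message describes, and the state check means a code pasted from someone else's session (or injected by a link the user was tricked into following) is discarded. The PKCE verifier never leaves the CLI process until the token exchange, so a leaked code alone cannot be redeemed.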
