#StackBounty: FB OAuth CSRF security, PHP website

Bounty: 50

I am experimenting with third party login, using Twitter and Facebook.

After getting an access token from these parties, and confirming its validity, I then issue my own JWT token that's used within my application cluster. The only thing I use the 3rd party token for is getting an email address and user id; I don't interact with the social network in any other way, except for revalidation. Basically it's just so that users don't have to fill in a new password.

I have several services, each on a different subdomain. These services somewhat adhere to the philosophy of microservices, and each is responsible for a narrow scope of functionality (e.g. UAC, business entity repo, etc.)

The sole purpose of the JWT token is to decrease auth check complexity among the other services, which shouldn't be OAuth provider aware. I also don't want to identify which provider they chose in the publicly visible JWT.

I installed a third party (officially approved) SDK on the UAC microservice, with which I'm interacting through AJAX requests.

The flow I'm worried about is something like this:

  • Request the URL from the UAC module via AJAX (which in turn requests the same through the SDK)
  • Redirect to the obtained URL, user authorizes my app
  • Redirect back to the callback URI (on the presentation layer, the root URL)
  • Via HTTP request (presentation layer, server side) forward the access token to the UAC module with the CSRF token
  • Manually set the CSRF token in the session so it checks out
  • Validate the access token through the SDK and issue my own JWT

This violates the CSRF layer. I bypassed this by manually setting the CSRF token on the UAC side, and successfully gained a long-lived access token from FB.

That way I can issue my own JWT and be done with it.

I am, however, worried that this practice (even though under HTTPS) is creating a vulnerability.

In the simplest terms: I want to achieve the same functionality as regular OAuth with these providers, but I need to split the process between two subdomains. Neither of these should have a PHP session if possible.
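One way to keep the CSRF protection the question describes bypassing, without a PHP session on either subdomain, is to make the OAuth `state` value self-verifying: an HMAC-signed token that both the presentation layer and the UAC service can check with a shared secret, plus a browser cookie that binds the token to the user-agent that started the login. The code below is an added example and is not the asker's code nor part of any provider SDK; it assumes a shared secret (`STATE_KEY`, a placeholder here) and that the presentation layer both issues the redirect and receives the callback, so it is the one that can set and read the binding cookie.

```php
<?php
declare(strict_types=1);

// Added example (not the asker's code): a stateless OAuth "state" value that
// works across two subdomains without a PHP session. Assumptions: STATE_KEY is a
// secret shared by the presentation layer and the UAC service (placeholder value
// below), and the presentation layer both starts the redirect and receives the
// callback, so it can bind the state to the browser with a cookie.

const STATE_TTL_SECONDS = 600;
const STATE_KEY = 'PLACEHOLDER-replace-with-32-random-bytes-shared-by-both-services';

function b64url_encode(string $raw): string
{
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

function b64url_decode(string $enc): string|false
{
    $pad = strlen($enc) % 4;
    if ($pad !== 0) {
        $enc .= str_repeat('=', 4 - $pad);
    }
    return base64_decode(strtr($enc, '-_', '+/'), true);
}

/**
 * Build the state value before redirecting to the provider.
 * Returns ['state' => value for the &state= parameter, 'nonce' => value for the browser cookie].
 */
function make_state(string $key, string $provider, ?int $now = null): array
{
    $now ??= time();
    $nonce = b64url_encode(random_bytes(16));
    $payload = json_encode([
        'n' => $nonce,                     // binds this state to one browser (via cookie)
        'p' => $provider,                  // binds it to the provider that will call back
        'e' => $now + STATE_TTL_SECONDS,   // expiry, so a leaked state cannot be replayed later
    ], JSON_THROW_ON_ERROR);
    $body = b64url_encode($payload);
    $mac  = b64url_encode(hash_hmac('sha256', $body, $key, true));
    return ['state' => $body . '.' . $mac, 'nonce' => $nonce];
}

/**
 * Verify the state on the callback. Either subdomain can run this with the shared key;
 * only the presentation layer additionally has the browser's nonce cookie to compare.
 * Returns the decoded payload, or null if any check fails.
 */
function verify_state(string $key, string $state, string $expectedProvider, ?string $cookieNonce, ?int $now = null): ?array
{
    $now ??= time();
    $parts = explode('.', $state, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$body, $mac] = $parts;
    $expectedMac = b64url_encode(hash_hmac('sha256', $body, $key, true));
    if (!hash_equals($expectedMac, $mac)) {          // constant-time compare: not minted with our key
        return null;
    }
    $json = b64url_decode($body);
    if ($json === false) {
        return null;
    }
    $payload = json_decode($json, true);
    if (!is_array($payload) || ($payload['p'] ?? null) !== $expectedProvider) {
        return null;                                 // wrong or missing provider binding
    }
    if (!is_int($payload['e'] ?? null) || $payload['e'] < $now) {
        return null;                                 // expired
    }
    if ($cookieNonce !== null && !hash_equals((string) ($payload['n'] ?? ''), $cookieNonce)) {
        return null;                                 // state was started in a different browser (login CSRF)
    }
    return $payload;
}

// Usage sketch with constructed values.
// 1. Presentation layer, before redirecting to the provider URL obtained from UAC:
['state' => $state, 'nonce' => $nonce] = make_state(STATE_KEY, 'facebook');
// setcookie('oauth_nonce', $nonce, ['secure' => true, 'httponly' => true, 'samesite' => 'Lax', 'path' => '/']);
// header('Location: ' . $providerUrl . '&state=' . rawurlencode($state));

// 2. Presentation layer callback: compare against the cookie, then forward the
//    provider's response together with $state to the UAC service.
var_dump(verify_state(STATE_KEY, $state, 'facebook', $nonce) !== null);

// 3. UAC service: re-check signature, provider and expiry with the shared key,
//    with no cookie and no session involved.
var_dump(verify_state(STATE_KEY, $state, 'facebook', null) !== null);
var_dump(verify_state(STATE_KEY, $state, 'facebook', 'some-other-nonce'));
```

The cookie is what turns the signed state from "minted by my servers" into "minted for this browser": without it, anyone can start their own login, take the resulting callback URL and get a victim to load it. `SameSite=Lax` rather than `Strict` is deliberate, because the provider's redirect back is a top-level GET navigation and a `Strict` cookie would not be sent with it. The UAC service never needs the cookie; it verifies the same signature, provider and expiry with the shared key, so the manual "set the CSRF token in the session so it checks out" step disappears along with the session.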

