A few important facts regarding OAuth security¶
- OAuth without SSL is a Bad Idea™ and it’s strongly recommended to use
- SSL for all interactions both with your API as well as for setting up tokens. An example of when it’s especially bad is when sending POST requests with form data, this data is not accounted for in the OAuth signature and a successful man-in-the-middle attacker could swap your form data (or files) to whatever he pleases without invalidating the signature. This is an even bigger issue if you fail to check nonce/timestamp pairs for each request, allowing an attacker who intercept your request to replay it later, overriding your initial request. Server defaults to fail all requests which are not made over HTTPS, you can explicitly disable this using the enforce_ssl property.
- Tokens must be random, OAuthLib provides a method for generating
- secure tokens and it’s packed into
oauthlib.common.generate_token
, use it. If you decide to roll your own, usesecrets.SystemRandom
for Python 3.6 and later. Thesecrets
module is designed for generating cryptographically strong random numbers. For earlier versions of Python, userandom.SystemRandom
which is based onos.urandom
rather than the defaultrandom
based on the efficient but not truly random Mersenne Twister. Predictable tokens allow attackers to bypass virtually all defences OAuth provides.
- Timing attacks are real and more than possible if you host your
- application inside a shared datacenter. Ensure all
validate_
methods execute in near constant time no matter which input is given. This will be covered in more detail later. Failing to account for timing attacks could enable attackers to enumerate tokens and successfully guess HMAC secrets. Note that RSA keys are protected through RSA blinding and are not at risk.
- Nonce and timestamps must be checked, do not ignore this as it’s a
- simple and effective way to prevent replay attacks. Failing this allows online bruteforcing of secrets which is not something you want.
- Whitelisting is your friend and effectively eliminates SQL injection
- and other nasty attacks on your precious data. More details on this in the
check_
methods.
- Require all callback URIs to be registered before use. OAuth providers
- are in the unique position of being able to restrict which URIs may be submitted, making validation simple and safe. This registration should be done in your Application management interface.