docs/oauth1/security.rst


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46

A few important facts regarding OAuth security
==============================================

    * **OAuth without SSL is a Bad Idea™** and it's strongly recommended to use
        SSL for all interactions both with your API as well as for setting up
        tokens. An example of when it's especially bad is when sending POST
        requests with form data, this data is not accounted for in the OAuth
        signature and a successfull man-in-the-middle attacker could swap your
        form data (or files) to whatever he pleases without invalidating the
        signature. This is an even bigger issue if you fail to check
        nonce/timestamp pairs for each request, allowing an attacker who
        intercept your request to replay it later, overriding your initial
        request. **Server defaults to fail all requests which are not made over
        HTTPS**, you can explicitly disable this using the enforce_ssl
        property.

    * **Tokens must be random**, OAuthLib provides a method for generating
        secure tokens and it's packed into ``oauthlib.common.generate_token``,
        use it. If you decide to roll your own, use ``secrets.SystemRandom``
        for Python 3.6 and later. The ``secrets`` module is designed for
        generating cryptographically strong random numbers. For earlier versions
        of Python, use ``random.SystemRandom`` which is based on ``os.urandom``
        rather than the default ``random`` based on the efficient but not truly
        random Mersenne Twister. Predictable tokens allow attackers to bypass
        virtually all defences OAuth provides.

    * **Timing attacks are real** and more than possible if you host your
        application inside a shared datacenter. Ensure all ``validate_`` methods
        execute in near constant time no matter which input is given. This will
        be covered in more detail later. Failing to account for timing attacks
        could **enable attackers to enumerate tokens and successfully guess HMAC
        secrets**. Note that RSA keys are protected through RSA blinding and are
        not at risk.

    * **Nonce and timestamps must be checked**, do not ignore this as it's a
        simple and effective way to prevent replay attacks. Failing this allows
        online bruteforcing of secrets which is not something you want.

    * **Whitelisting is your friend** and effectively eliminates SQL injection
        and other nasty attacks on your precious data. More details on this in
        the ``check_`` methods.

    * **Require all callback URIs to be registered before use**. OAuth providers
        are in the unique position of being able to restrict which URIs may be
        submitted, making validation simple and safe. This registration should
        be done in your Application management interface.