This repository was archived by the owner on Mar 16, 2025. It is now read-only.

Conversation

@danReynolds

The current implementation of the popup-based web OAuth handoff is broken on browsers that enforce a same-origin COOP (Cross-Origin-Opener-Policy), since the window.opener value in the spawned popup will be null and the parent's access to window.closed is blocked, as described here: https://web.dev/why-coop-coep/#coop. The current implementation in this lib relies on an onMessage event from the popup, which is similarly blocked by COOP.

This means that the opener has no way of knowing when the OAuth redirect has occurred and cannot access the code returned from the OAuth handoff in order to finish the flow.

[Screenshot attached, dated 2022-10-07]

This security feature has shipped and is the default behavior in major browsers like Chrome and Firefox as noted here https://bugs.chromium.org/p/chromium/issues/detail?id=1221127 and I've run into this problem firsthand using oauth2_client in Chrome.

I don't have a great fix at this time; the only thing that has worked for me is to use localStorage to pass the code between the popup and the opener, but I recognize that storing sensitive data like the OAuth code in local storage is a vulnerability for any malicious JS code that can access it on your domain. I've held off on shipping anything to a production app until I can get a read from folks on whether there is a better alternative.

Let me know what people think, I'm interested in exploring the solutions here further.
Thanks
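As an added illustration of the localStorage handoff described above (example code written for this thread, not part of oauth2_client), the popup only stores the code after checking the OAuth `state` it was issued, and the opener consumes the entry exactly once and deletes it immediately, so the code is resident in storage only for the moment of the handoff. The key name, the `MemoryStorage` stand-in for `localStorage`, and the 60-second freshness window are assumptions so the logic also runs outside a browser.

```javascript
const HANDOFF_KEY = 'oauth_handoff'; // assumed key name, not from the library

// Popup side: after the redirect lands in the popup, parse the URL and stash the
// code for the opener, but only if `state` matches the value the opener generated.
function popupHandoff(redirectUrl, expectedState, storage) {
  const params = new URL(redirectUrl).searchParams;
  if (params.get('state') !== expectedState) return false; // wrong or injected flow
  const code = params.get('code');
  if (!code) return false; // error response or missing code
  storage.setItem(HANDOFF_KEY, JSON.stringify({ code, state: expectedState, ts: Date.now() }));
  return true;
}

// Opener side: take the code out of storage exactly once and delete it right away,
// so nothing sensitive stays behind for other scripts on the origin to read later.
function consumeHandoff(storage, expectedState, maxAgeMs = 60_000) {
  const raw = storage.getItem(HANDOFF_KEY);
  if (raw === null) return null;
  storage.removeItem(HANDOFF_KEY); // one-shot: remove before any validation
  let entry;
  try { entry = JSON.parse(raw); } catch { return null; }
  if (entry.state !== expectedState) return null;      // bind to this flow's state
  if (Date.now() - entry.ts > maxAgeMs) return null;   // reject stale leftovers
  return entry.code;
}

// Opener side in a browser: `storage` events fire in the other same-origin documents
// (here: the opener) when the popup writes, so no window.opener or postMessage is needed.
function waitForHandoff(win, expectedState) {
  return new Promise((resolve) => {
    win.addEventListener('storage', (e) => {
      if (e.key !== HANDOFF_KEY || e.newValue === null) return;
      const code = consumeHandoff(win.localStorage, expectedState);
      if (code) resolve(code);
    });
  });
}

// Constructed in-memory stand-in for window.localStorage (same getItem/setItem/removeItem API).
class MemoryStorage {
  constructor() { this.map = new Map(); }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(k, String(v)); }
  removeItem(k) { this.map.delete(k); }
}
```

In a real page the popup would call `popupHandoff(window.location.href, state, window.localStorage)` and the opener would `await waitForHandoff(window, state)` before exchanging the code.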

@okrad (Collaborator)

okrad commented Oct 19, 2022

Hi @danReynolds, thank you for pointing out the problem and for suggesting a workaround.
As you said, using localStorage doesn't seem to be the most secure solution. I think we should take some time to look for alternative methods, resorting to your solution if no better alternatives come around.

I'm open to suggestions from anyone who has any ideas!

@francescreig

Hello! I am also interested in this topic, since when I started using this library on web I realized the same. This approach works fine for me, but I am also aware that it is not the best solution in terms of security. Is it planned to merge this PR in the near future?

Thank you!

@bytepoets-jhe

bytepoets-jhe commented Oct 18, 2024

Any news here?
We are facing the same issue here.

We tried opener, but got blocked by COOP.
Then we tried without opening a new window, just redirecting and storing the grant in local storage like here https://robinjanke1.medium.com/oauth2-with-flutter-web-e7a2b0dac7f3, but this doesn't seem to be possible anymore, because we get 'OAuth authorization error (invalid_grant): The provided authorization grant is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client..'
