
Is OAuth 1 less secure than OAuth 2 in an SPA

Çağlar Arlı      -    67 Views

We are writing a pure JavaScript front-end (in Angular) for an API that still uses OAuth 1 for legacy reasons. Being pure JavaScript means the consumer secret is part of the code that gets downloaded at the start, before authentication, and therefore easily known to an attacker.

This secret is used in calculating the authentication codes together with the token secret, and the token (and the authentication exchange) is protected by TLS and in-browser sandboxing in the same way the bearer token would be if we switched to OAuth 2, which does not encrypt the bearer token at all.

So by revealing the client secret, are we creating any additional attack surface compared to OAuth 2, or is it simply equivalent?

In other words, provided the same methods of protecting the communication and the authorization/access token delivery are used, is there an attack that is viable against OAuth 1 with leaked client secret that is not viable against OAuth 2 with no client secret in SPA mode?
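
The signing step the question refers to, as an added example that is not part of the original post: OAuth 1.0a HMAC-SHA1 signing per RFC 5849, where the HMAC key is the consumer secret and the token secret joined by `&`. It runs under Node.js; the function names are illustrative, and the sample credentials are the published test values from OAuth Core 1.0 Appendix A, not values from this API.

```javascript
// Added example: OAuth 1.0a HMAC-SHA1 signing per RFC 5849 section 3.4 (Node.js).
const crypto = require('crypto');

// OAuth percent-encoding: encodeURIComponent, plus the characters !*'() it leaves alone.
const pct = s => encodeURIComponent(s).replace(/[!*'()]/g,
  c => '%' + c.charCodeAt(0).toString(16).toUpperCase());
const cmp = (a, b) => (a < b ? -1 : a > b ? 1 : 0);

// Signature base string: METHOD & encoded base URI & encoded, sorted parameter list.
// Assumption: `url` is already the normalized base URI with no query string.
function baseString(method, url, params) {
  const list = Object.entries(params)
    .map(([k, v]) => [pct(k), pct(v)])
    .sort((a, b) => cmp(a[0], b[0]) || cmp(a[1], b[1]))
    .map(([k, v]) => `${k}=${v}`)
    .join('&');
  return [method.toUpperCase(), pct(url), pct(list)].join('&');
}

// The HMAC key is consumerSecret + '&' + tokenSecret. The token secret is '' only
// while no token has been issued yet (the request-token step).
function sign(method, url, params, consumerSecret, tokenSecret) {
  const key = `${pct(consumerSecret)}&${pct(tokenSecret)}`;
  return crypto.createHmac('sha1', key)
    .update(baseString(method, url, params)).digest('base64');
}

// Server-side check: recompute with the stored secrets, compare in constant time.
function verify(method, url, params, consumerSecret, tokenSecret, presented) {
  const want = Buffer.from(sign(method, url, params, consumerSecret, tokenSecret));
  const got = Buffer.from(String(presented));
  return got.length === want.length && crypto.timingSafeEqual(got, want);
}

// Sample request and credentials from OAuth Core 1.0 Appendix A (public test values).
const SAMPLE = {
  method: 'GET', url: 'http://photos.example.net/photos',
  consumerSecret: 'kd94hf93k423kf44', tokenSecret: 'pfkkdhi9sl3r4s00',
  params: {
    oauth_consumer_key: 'dpf43f3p2l4k3l03', oauth_token: 'nnch734d00sl2jdk',
    oauth_signature_method: 'HMAC-SHA1', oauth_timestamp: '1191242096',
    oauth_nonce: 'kllo9940pd9333jh', oauth_version: '1.0',
    file: 'vacation.jpg', size: 'original',
  },
};

// Server-side view of a signature made with only the consumer secret and a guessed token secret.
function acceptsGuess(guess) {
  const { method, url, params, consumerSecret, tokenSecret } = SAMPLE;
  return verify(method, url, params, consumerSecret, tokenSecret,
    sign(method, url, params, consumerSecret, guess));
}
```

`acceptsGuess(SAMPLE.tokenSecret)` verifies, while `acceptsGuess('')` does not: for a token-bound request the consumer secret alone does not reproduce the signature.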