Security in token authorization when using other provider authentication services such as Soundcloud?

Question

Security in token authorization when using other provider authentication services such as Soundcloud?

User Login Process Using Soundcloud Connect Button

Click a button on the website and start a session with a random token generated by the api server, without user authentication in Soundcloud.
The user is redirected to the Soundcloud authentication page (Soundcloud login page).
The user must enter their Soundcloud account.
After clicking connect, the method called on the api side creates the user and its authentication according to the parameters sent from SoundCloud. And the api server redirects the user to the home page, and the script on the clients sets the token in the headers as authorization to the website.

Now my task is to start the session before the user connects through soundcloud, even if users cannot enter the home page without connecting to SoundCloud.

Is this user authentication technology secure or not? What are the potential attacks?

+4

security authentication session-storage http-token-authentication soundcloud

cengo Jan 16 '15 at 18:50

source share

1 answer

0x90 · Answer 1 · 2015-07-21T08:56:58+0000

This approach will make you vulnerable to commit session.

The attack scenario is as follows:

The user attacks the user's tricks using a known session key (usually through other vulnerabilities such as XSS).
The user authenticates with SoundCloud, the session key remains intact
, .

, - .

Security in token authorization when using other provider authentication services such as Soundcloud?

More articles: