OAuth Integration
Scenario
The “Innovate Inc.” leadership team is thrilled with the progress on the new user portal. The ability to log in with GitHub has been particularly well-received in internal demos. However, the lead security architect has raised a crucial point: while the implementation works, have we fully considered the security implications and user experience trade-offs?
Before rolling out third-party login to the public, you have been tasked with preparing a brief research document for the engineering team. Your goal is to move beyond the “how-to” of implementation and analyze the “why” and “what-if” of using OAuth 2.0 in a production environment.
Instructions
This lab is a reading and reflection exercise. There is no coding involved. Your task is to carefully read the following article on real-world OAuth vulnerabilities and then answer the reflection questions in a written document.
Task 1: Reading Assignment
Please read the following article from Doyensec’s blog. It provides a detailed overview of common OAuth flows and, more importantly, common attacks against those flows.
- Article: Common OAuth Vulnerabilities
Focus on understanding not just what the attacks are, but how they exploit misconfigurations or weaknesses in an OAuth implementation.
Task 2: Written Reflection
After reading the article, answer the following questions in a clear and concise manner. Your total response should be between 300 and 500 words.
- CSRF and the state Parameter: In your own words, explain how an attacker could perform a Cross-Site Request Forgery (CSRF) attack on an OAuth flow. How does using the state parameter, as recommended, prevent this specific attack?
- Redirect URI Attacks: The article mentions that validating a redirect_uri by simply checking the domain or allowing subdomains is a common mistake. Describe a hypothetical scenario where a “leaky” redirect_uri validation (e.g., one that allows any path on a valid domain) could be exploited to steal an authorization code.
- User Experience vs. Security: Adding a third-party login option like “Login with Google” is a significant user experience improvement. However, it also introduces complexity and new potential security risks. Based on the article and your own thoughts, describe one key trade-off a development team must consider when deciding to implement OAuth. (For example, think about the balance between convenience for the user and the responsibility of the application to protect user data.)
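To make the first two questions concrete, here is an added illustration (not part of the lab or the article) of the client-side controls they ask about: a session-bound, single-use state value, and a strict exact-match redirect_uri check shown beside the “leaky” host-only check the article warns against. The registered callback URL is a constructed placeholder.

```python
import hmac
import secrets
from typing import Optional
from urllib.parse import urlsplit

# Constructed placeholder: the callback URL a client would register with the provider.
REGISTERED_REDIRECT_URIS = {"https://portal.example.com/auth/github/callback"}


def leaky_redirect_check(redirect_uri: str) -> bool:
    """The mistake the lab describes: accept any path, and any subdomain, of a registered host."""
    host = urlsplit(redirect_uri).hostname or ""
    for allowed in REGISTERED_REDIRECT_URIS:
        allowed_host = urlsplit(allowed).hostname or ""
        if host == allowed_host or host.endswith("." + allowed_host):
            return True
    return False


def strict_redirect_check(redirect_uri: str) -> bool:
    """Exact string match against the registered list: scheme, host, port and path, no wildcards."""
    return redirect_uri in REGISTERED_REDIRECT_URIS


def begin_login(session: dict) -> str:
    """Generate an unguessable state, bind it to this user's session, and return it for the authorize URL."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    return state


def finish_login(session: dict, returned_state: Optional[str]) -> bool:
    """Verify the callback's state against the session and consume it so it cannot be replayed."""
    expected = session.pop("oauth_state", None)
    if expected is None or returned_state is None:
        return False
    # Constant-time comparison, as for any secret-equality check.
    return hmac.compare_digest(expected, returned_state)
```

A callback that arrives without a state matching the session (the CSRF case) is rejected by finish_login, and a redirect_uri that differs from the registered one by path or subdomain passes only the leaky check, never the strict one.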
Submission
- Create a new document (e.g., Google Doc, Word document, or a simple Markdown file in a GitHub repository).
- Address all three reflection questions clearly.
- Submit a link to your document.
Grading
This lab is worth 25 points. Your reflection will be graded based on the following criteria:
| Criteria | Description | Points |
|---|---|---|
| Clarity and Understanding | Your answers demonstrate a clear understanding of the concepts presented in the article. | 10 |
| Depth of Analysis | You provide thoughtful and accurate explanations, going beyond surface-level definitions. | 10 |
| Completeness and Professionalism | All questions are answered, and the submission is well-written, clear, and within the word count limit. | 5 |
| Total | | 25 |