OAuth1: CSRF / user consent security issues

[MikeN123]

Hi,

I'm currently having some issues with the OAuth1 module (trunk version). I'm trying to run the sparklr application, and run into some issues, all involving the user consent/approval.

My test client gets a request token at /oauth/request_token, which all goes well.

I then visit /oauth/authorize?oauth_token=<token>, which is looking for a requestToken parameter, and throws an InvalidOAuthTokenException. This causes a destroy of any existing authentication, and a redirect to /oauth/confirm_access (without the token...). Since the token is missing, I can't give consent (and because of the earlier authentication exception, I always have to relogin). If I visit /oauth/confirm_access?oauth_token=<token> manually all works well.

A much bigger issue though, is that is seems there are not any checks on the /oauth/authorize request. If I visit /oauth/authorize?requestToken=<token> directly, my token is authorized and I'm redirected back to the consumer. An evil consumer could use this to get user tokens without their consent, a _major_ CSRF issue.

Am I missing something here, or is the user approval flow of the OAuth1 module seriously flawed and a big security risk?

[Dave Syer]

OAuth1 is not a big priority for me, so unless someone cares enough to look into this you are out of luck in the short term at least. You can raise a JIRA ticket, but the only way to guarantee progress is to submit a fix yourself.

[MikeN123]

Well, before fixing it myself, it would be nice to know if my conclusions are right or if I'm doing something wrong.

It may also be a good idea to warn users of the security implications, which are huge if there is no validation done by the authorize URL.