授权码授予授权协议中的OAuth-2.0瓶颈

Question

Consider OAuth-2.0 Authorization Code Grant protocol.

As described in standard draft http://tools.ietf.org/html/ietf-oauth-v2-26 on Figure 3 : Authorization Code Flow a Client is getting token on behalf of Authorization Code received from User-Agent . Suppose that User-Agent is intentionally sending wrong codes to the Client . If Authorization Server makes some protection against brute force way of obtaining Access Token by banning Client for some reasonable amount of time (by IP or by Redirection URI host name). If in our case the Client is supposed to process horde of requests from multiple different User-Agent's the Client will stop to serve all its users altogether if there's only one malicious one exists.

So the Client becomes a bottleneck in a situation described above.

==== EDITED ==== Any ideas how to evade the bottleneck problem?

Answer 1

I believe you're asking: "how to evade this problem and NOT to expose Authorization Code to User-Agent?"

This is not possible. The OAuth request flows through the user's browser so you can't prevent exposing the authorization code to the user.

If you're a victim to an attack like this, I'd suggest putting the same protection into your Client that the OAuth provider is putting into their Authorization Server. Namely, stop allowing new authorization codes to be sent from a User-Agent that's abusing your service. If they send more than, say, 3 invalid tokens per hour, ban them for an hour or two (by IP address). Of course, this could lead to you denying access to your site from proxy servers because of one bad user on the proxy, but that's life.