Why doesn't OAuth/OpenID Connect use window.open() and postMessage() instead of redirects

Question

I needed a way to sync user data across multiple domains that I own, so I figured I might as well implement an OAuth server, since others have already spent lots of effort in making sure its design is secure.

But it occurred to me that there are a lot of steps needed to securely deliver the access token to a client. Specifically PKCE and sending a code which can be exchanged for a token, rather than sending the token directly.

So I was wondering why the OAuth spec doesn't recommend that the token gets transferred via window.opener.postMessage() instead. This seems a lot less complex since you don't need a dedicated callback url, and it comes with the benefit that you can call window.close() so the user doesn't end up with multiple tabs and the state of their existing tab isn't lost. On top of that, you can use the targetOrigin parameter of postMessage() to ensure that the token ends up with the exact same domain that requested it in the first place.

Of course this wouldn't hold for server apps, since it would be safer to not send any access token to the client at all in that case, but for SPAs this seems a lot less complex and maybe even more secure.

Either way, this all seems a bit too good to be true to me. If it really was this straight forward, surely OAuth/OpenID Connect would have used this method in their recommendations.

So I was wondering if someone could point out a major reason why this approach couldn't be possible. Is it simply that OAuth/OpenID Connect was created during a time with fewer browser capabilities or is there something obvious I'm missing?

Answer 1

It's technically possible to implement an OAuth-like workflow with window.open(), but it would have been very unwise to use this instead of redirects in the OAuth procotol:

• OAuth is supposed to be a generic protocol which works in many different scenarios. Relying on window.open() would require the user agent to support JavaScript and the authorization server to provide suitable JavaScript code. This may be acceptable in some cases, but it's far less universal than a redirect-based approach which only uses basic HTTP and doesn't require JavaScript at all.
• There are major accessibility concerns regarding window.open(). For example, even user agents which have JavaScript enabled often block JavaScript-triggered windows by default, because this feature has been abused far too often in the past.
• OAuth purposely avoids specifying low-level details. For example, it doesn't even say how exactly the redirect should be implemented (a 302 status code is only used as in example). In comparison, your approach would require the specification to explicitly name individual JavaScript calls, making it longer and more complex.

Answer 2

oAuth is an authorization protocol, Open ID Connect (OIDC) is an authentication protocol on top of oAuth 2.

Both are designed for multiple usecase, SPA being only one of them. SPA’s have a singular problem though, you cannot trust the client.

Postmessage doesn’t magically solve this problem and you just diluted the security you had. For such a setup you would need a service worker that would handle the Auth process. Something that might just be as secure as a MPA solution with server side Auth.

Also consider that you need to do some hefty amount of crypto to properly verify the proces, on top of the crypto of the transport layer.

Finally, the JavaScript engine isn’t designed to have postmessage as a secure communication channel, meaning it’s ill suited to communicate secret information over it. Secrets like authentication tokens. Something that your suggestion would require. And a problem not present in the current solution with multiple request.