Security warning to be alert for phishing attacks

[plotnick]

Target component

• CLI
• SDK
• Something else
• Not sure

Overview

Recent attacks in the wild have targeted the same kind of device-code authentication scheme that we use in the Oxide CLI. This seems worth noting in, say, the authentication guide section of the docs; e.g., warning the user to be alert for suspicious messages containing links to the authentication server.

Implementation details

No response

Anything else you would like to add?

No response

[inickles]

Warnings in documentation are fine, though I think the primary fix here should be to include an explicit authorization prompt after the user successfully enters a device code. This is recommended by the RFC 8628 OAuth 2.0 Device Authorization Grant:

The authorization server prompts the end user to identify the device authorization session by entering the "user_code" provided by the client. The authorization server should then inform the user about the action they are undertaking and ask them to approve or deny the request. Once the user interaction is complete, the server instructs the user to return to their device.

-- https://www.rfc-editor.org/rfc/rfc8628.html#section-3.3

Right now, there is no prompt provided after the user supplies the code, authorization is complete.