{
  "id": "security/oauth2-authorization-code-interception-via-reverse-proxy",
  "signature": "OAuth2 authorization code intercepted on the reverse-proxy-to-backend hop because the proxy terminates TLS and forwards plaintext HTTP",
  "signature_zh": "OAuth2授权码因反向代理终结TLS后以明文HTTP转发到后端而被截获",
  "regex": "Authorization code intercepted|OAuth2.*plaintext|TLS termination missing",
  "domain": "security",
  "category": "auth_error",
  "subcategory": null,
  "root_cause": "When a reverse proxy terminates TLS but forwards plain HTTP to the backend, the authorization code (together with the session cookie and any tokens exchanged afterwards) is transmitted in cleartext on the internal network, so any host able to sniff or sit on-path on that segment can capture it. A captured code is short-lived and single-use and cannot be redeemed without the client credentials or PKCE code_verifier held by the backend, so PKCE (RFC 7636) and a confidential client limit the blast radius; they do not protect the rest of the plaintext hop, so the hop itself must still be encrypted.",
  "root_cause_type": "generic",
  "root_cause_zh": "当反向代理终结TLS但向后端转发明文HTTP时，授权码（以及随后的会话Cookie和令牌）在内部网络上以明文传输，该网段上任何能够嗅探或处于路径上的主机都可截获。授权码短期且一次性，没有后端持有的客户端凭据或PKCE code_verifier无法兑换，因此PKCE和机密客户端可降低影响，但这并不保护该跳上的其他明文流量，仍必须对代理到后端的链路加密。",
  "versions": [
    {
      "version": "OAuth2 2.0",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "nginx 1.24.0",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "Apache HTTP Server 2.4.57",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "Spring Security 6.1.0",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    }
  ],
  "os_specific": {},
  "dead_ends": [
    {
      "action": "Adding HTTPS certificate to the backend server without changing proxy configuration",
      "why_fails": "The proxy still forwards HTTP; backend HTTPS doesn't protect the wire between proxy and backend.",
      "fail_rate": 0.95,
      "condition": "",
      "sources": []
    },
    {
      "action": "Using a self-signed certificate on the backend to force HTTPS termination at backend",
      "why_fails": "A self-signed certificate is not itself the problem: the proxy keeps forwarding plaintext until proxy_pass is switched to https://, and once it is, the proxy must be told to trust that certificate (nginx proxy_ssl_trusted_certificate, Apache SSLProxyCACertificateFile). Operators typically hit verification errors at this point and disable verification (proxy_ssl_verify off / SSLProxyVerify none), which reintroduces an on-path interception risk on the same segment.",
      "fail_rate": 0.8,
      "condition": "",
      "sources": []
    }
  ],
  "workarounds": [
    {
      "action": "Configure the reverse proxy to terminate TLS at the proxy and re-encrypt traffic to the backend with certificate verification enabled (e.g., nginx proxy_pass over HTTPS). Example: proxy_pass https://backend:443; proxy_ssl_verify on; proxy_ssl_trusted_certificate /etc/nginx/backend-ca.pem; proxy_ssl_server_name on; Do not use proxy_ssl_verify off: it encrypts the hop but lets any on-path host presenting an arbitrary certificate impersonate the backend, which defeats the purpose.",
      "success_rate": 0.95,
      "how": "Configure the reverse proxy to terminate TLS at the proxy and re-encrypt traffic to the backend with certificate verification enabled (e.g., nginx proxy_pass over HTTPS). Example: proxy_pass https://backend:443; proxy_ssl_verify on; proxy_ssl_trusted_certificate /etc/nginx/backend-ca.pem; proxy_ssl_server_name on; Do not use proxy_ssl_verify off: it encrypts the hop but lets any on-path host presenting an arbitrary certificate impersonate the backend, which defeats the purpose.",
      "condition": "",
      "sources": []
    },
    {
      "action": "Use mTLS between proxy and backend so the hop is encrypted even on the internal network and the backend can authenticate that requests (and their X-Forwarded-* headers) genuinely come from the proxy; client and server certificate verification must both be enforced, not merely enabled.",
      "success_rate": 0.85,
      "how": "Use mTLS between proxy and backend so the hop is encrypted even on the internal network and the backend can authenticate that requests (and their X-Forwarded-* headers) genuinely come from the proxy; client and server certificate verification must both be enforced, not merely enabled.",
      "condition": "",
      "sources": []
    }
  ],
  "workarounds_zh": [
    "配置反向代理在代理处终结TLS，并在启用证书校验的情况下重新加密到后端的流量（例如nginx proxy_pass使用HTTPS）。示例：proxy_pass https://backend:443; proxy_ssl_verify on; proxy_ssl_trusted_certificate /etc/nginx/backend-ca.pem; proxy_ssl_server_name on; 不要使用proxy_ssl_verify off，否则路径上的任意主机都可出示任意证书冒充后端，加密形同虚设。",
    "在代理和后端之间使用mTLS，确保即使在内部网络上也有加密通道，并让后端能够验证请求（及其X-Forwarded-*头）确实来自代理；双向证书校验都必须强制执行，而不仅仅是启用。"
  ],
  "transition_graph": {
    "leads_to": [],
    "preceded_by": [],
    "frequently_confused_with": []
  },
  "official_doc_url": "https://oauth.net/2/grant-types/authorization-code/",
  "official_doc_section": null,
  "error_code": null,
  "verification_tier": "ai_generated",
  "confidence": 0.85,
  "fix_success_rate": 0.92,
  "resolvable": "true",
  "first_seen": "2024-03-12",
  "last_confirmed": "2024-06-01",
  "last_updated": "2024-06-01",
  "evidence_count": 1,
  "tags": [],
  "locale": "en",
  "aliases": []
}