OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...Good Dog Labs, Inc.
OAuth 2.0 seems to be a comprehensive framework for authorizing access to protected resources, but is it really? We can argue that OpenID Connect will make it enterprise ready, but level of adoption in the enterprise is yet to be seen. This primer describes the framework fundamentals,the good, the bad, and common OAuth 2.0 flows.
The OAuth 2.0 authorization framework enables a third-party
application to obtain limited access to an HTTP service, either on
behalf of a resource owner by orchestrating an approval interaction
between the resource owner and the HTTP service, or by allowing
the third-party application to obtain access on its own behalf.
Security is primarily a way of thinking and under this token this presentation mainly revolves around understanding the various terminologies and security concepts employed by the OAUTH 2.0 specification (http://tools.ietf.org/html/rfc6749). These will be contrasted with the actual implementation thereof by Google, Facebook, etc.
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...Good Dog Labs, Inc.
OAuth 2.0 seems to be a comprehensive framework for authorizing access to protected resources, but is it really? We can argue that OpenID Connect will make it enterprise ready, but level of adoption in the enterprise is yet to be seen. This primer describes the framework fundamentals,the good, the bad, and common OAuth 2.0 flows.
The OAuth 2.0 authorization framework enables a third-party
application to obtain limited access to an HTTP service, either on
behalf of a resource owner by orchestrating an approval interaction
between the resource owner and the HTTP service, or by allowing
the third-party application to obtain access on its own behalf.
Security is primarily a way of thinking and under this token this presentation mainly revolves around understanding the various terminologies and security concepts employed by the OAUTH 2.0 specification (http://tools.ietf.org/html/rfc6749). These will be contrasted with the actual implementation thereof by Google, Facebook, etc.
This slide deck gives an introduction to OAuth 2.0, starting with some concepts, explaining the flow plus a few hints. The reminder of the slides are about implementing an OAuth 2.0 server using the Apache Amber library (renamed to Apache Oltu lately). My impression is that many developers shy away as soon as they hear "security" and so I did not only want to talk about the concepts of OAuth 2.0 but also wanted to show how easily you can implement an OAuth 2.0 server ... hope it reduces the fear of contact a bit ... ;-)
It seems that OAuth 2.0 is everywhere these days. Whether you are building a hot new single page web application (SPA), a native mobile experience, or just trying to integrate with the API economy, you can't go far without running into the popular authorization framework for REST/APIs and social authentication.
During Oktane15 (https://www.okta.com/oktane15/), Karl McGuinness, our Senior Director of Identity, demystified the powerful, yet often misunderstood, world of OAuth 2.0 and shared details on Okta’s growing support for OpenID Connect.
The Many Flavors of OAuth - Understand Everything About OAuth2Khor SoonHin
APIdays San Francisco 31 Jul 2018
https://oauth.io
Describe what, why and how of OAuth2
Provide an easy way to remember all OAuth2 grant types/flow through a 'spot the difference' image comparing all the 4 grant types.
Provide a quick reference showing all the steps in all OAuth2 grant types side-by-side.
Introduce the new identity layers in OAuth2 that offer authentication on top of authorization - OpenId Connect and IndieAuth
Describes the role of OAuth.io in:
1. Standardizing all the different OAuth2 implementations of different providers, e.g., Facebook, Twitter, etc., by hiding them behind OAuth.io's API endpoints
2. Accelerating adoption of new OAuth2 standards by providing a shim layer to implement those standards on behalf of OAuth providers
http://www.justin.tv/hackertv/49975/Tech_Talk_1_Leah_Culver_on_OAuth
Tech talk about OAuth, and open standard for API authentication. Originally broadcast on Justin.tv.
Securing RESTful APIs using OAuth 2 and OpenID ConnectJonathan LeBlanc
Constructing a successful and simple API is the lifeblood of your developer community, and REST is a simple standard through which this can be accomplished. As we construct our API and need to secure the system to authenticate and track applications making requests, the open standard of OAuth 2 provides us with a secure and open source method of doing just this. In this talk, we will explore REST and OAuth 2 as standards for building out a secure API infrastructure, exploring many of the architectural decisions that PayPal took in choosing variations in the REST standard and specific implementations of OAuth 2.
Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architec...CA API Management
Web Based APIs have become a powerful tool for reaching end users in an increasingly fragmented market. The emergence of public and private APIs have introduced new challenges in identity management and access control. Attend this session to get a crash course in Web APIs, the risks they introduce and the emerging standards that can make them safer to use (including OAuth 2 and Open ID Connect)
If you've ever written any code to authenticate wtih Twitter, you may have been confused by all the signature methods and base strings. You'll be happy to know that OAuth 2 has vastly simplified the process, but at what cost?
This talk will give an overview of the OAuth 2 spec, starting with the various options the standard gives to developers for building web apps and native apps. We'll look at what the end user sees, work our way to what developers using an OAuth 2 API deal with, and we’ll end up at what developers of OAuth-2-compliant APIs will need to know to successfully implement the standard.
Many large providers have recently deployed APIs using OAuth 2, including Facebook, Foursquare, Google, and more. But since OAuth 2 is technically still a "draft," many aspects of the spec change from month to month and it's sometimes hard to keep up. We'll cover the commonalities and differences between some of the major providers and draft versions. The security implications of some of the changes between versions 1 and 2 will be covered, along with recommendations for best practices. You'll also get a glimpse of the debates currently raging on the internal OAuth 2 mailing list.
Presented at Open Source Bridge 2011
http://opensourcebridge.org/sessions/686
Current list of OAuth 2 Providers
http://aaronparecki.com/The_Current_State_of_OAuth_2
REST Service Authetication with TLS & JWTsJon Todd
Many companies are adopting micro-services architectures to promote decoupling and separation of concerns in their applications. One inherent challenge with breaking applications up into small services is that now each service needs to deal with authenticating and authorizing requests made to it. We present a clean way to solve this problem Json Web Tokens (JWT) and TLS using Java.
OAuth 2.0
Oauth2.0 is an “authorization” framework for web applications. It permits selective access to a user’s resource without disclosing the password to the website which asks for the resource.
Agenda for the session:
What is Oauth 2.0
Oauth 2.0 Terminologies
Oauth workflow
Exploiting Oauth for fun and profit
Reference
Oauth 2.0 Introduction and Flows with MuleSoftshyamraj55
Learn about the basics of OAuth 2.0 and the different OAuth flows in this introductory video. Understand how OAuth works and the various authorization mechanisms involved.
This slide deck gives an introduction to OAuth 2.0, starting with some concepts, explaining the flow plus a few hints. The reminder of the slides are about implementing an OAuth 2.0 server using the Apache Amber library (renamed to Apache Oltu lately). My impression is that many developers shy away as soon as they hear "security" and so I did not only want to talk about the concepts of OAuth 2.0 but also wanted to show how easily you can implement an OAuth 2.0 server ... hope it reduces the fear of contact a bit ... ;-)
It seems that OAuth 2.0 is everywhere these days. Whether you are building a hot new single page web application (SPA), a native mobile experience, or just trying to integrate with the API economy, you can't go far without running into the popular authorization framework for REST/APIs and social authentication.
During Oktane15 (https://www.okta.com/oktane15/), Karl McGuinness, our Senior Director of Identity, demystified the powerful, yet often misunderstood, world of OAuth 2.0 and shared details on Okta’s growing support for OpenID Connect.
The Many Flavors of OAuth - Understand Everything About OAuth2Khor SoonHin
APIdays San Francisco 31 Jul 2018
https://oauth.io
Describe what, why and how of OAuth2
Provide an easy way to remember all OAuth2 grant types/flow through a 'spot the difference' image comparing all the 4 grant types.
Provide a quick reference showing all the steps in all OAuth2 grant types side-by-side.
Introduce the new identity layers in OAuth2 that offer authentication on top of authorization - OpenId Connect and IndieAuth
Describes the role of OAuth.io in:
1. Standardizing all the different OAuth2 implementations of different providers, e.g., Facebook, Twitter, etc., by hiding them behind OAuth.io's API endpoints
2. Accelerating adoption of new OAuth2 standards by providing a shim layer to implement those standards on behalf of OAuth providers
http://www.justin.tv/hackertv/49975/Tech_Talk_1_Leah_Culver_on_OAuth
Tech talk about OAuth, and open standard for API authentication. Originally broadcast on Justin.tv.
Securing RESTful APIs using OAuth 2 and OpenID ConnectJonathan LeBlanc
Constructing a successful and simple API is the lifeblood of your developer community, and REST is a simple standard through which this can be accomplished. As we construct our API and need to secure the system to authenticate and track applications making requests, the open standard of OAuth 2 provides us with a secure and open source method of doing just this. In this talk, we will explore REST and OAuth 2 as standards for building out a secure API infrastructure, exploring many of the architectural decisions that PayPal took in choosing variations in the REST standard and specific implementations of OAuth 2.
Understanding Identity in the World of Web APIs – Ronnie Mitra, API Architec...CA API Management
Web Based APIs have become a powerful tool for reaching end users in an increasingly fragmented market. The emergence of public and private APIs have introduced new challenges in identity management and access control. Attend this session to get a crash course in Web APIs, the risks they introduce and the emerging standards that can make them safer to use (including OAuth 2 and Open ID Connect)
If you've ever written any code to authenticate wtih Twitter, you may have been confused by all the signature methods and base strings. You'll be happy to know that OAuth 2 has vastly simplified the process, but at what cost?
This talk will give an overview of the OAuth 2 spec, starting with the various options the standard gives to developers for building web apps and native apps. We'll look at what the end user sees, work our way to what developers using an OAuth 2 API deal with, and we’ll end up at what developers of OAuth-2-compliant APIs will need to know to successfully implement the standard.
Many large providers have recently deployed APIs using OAuth 2, including Facebook, Foursquare, Google, and more. But since OAuth 2 is technically still a "draft," many aspects of the spec change from month to month and it's sometimes hard to keep up. We'll cover the commonalities and differences between some of the major providers and draft versions. The security implications of some of the changes between versions 1 and 2 will be covered, along with recommendations for best practices. You'll also get a glimpse of the debates currently raging on the internal OAuth 2 mailing list.
Presented at Open Source Bridge 2011
http://opensourcebridge.org/sessions/686
Current list of OAuth 2 Providers
http://aaronparecki.com/The_Current_State_of_OAuth_2
REST Service Authetication with TLS & JWTsJon Todd
Many companies are adopting micro-services architectures to promote decoupling and separation of concerns in their applications. One inherent challenge with breaking applications up into small services is that now each service needs to deal with authenticating and authorizing requests made to it. We present a clean way to solve this problem Json Web Tokens (JWT) and TLS using Java.
OAuth 2.0
Oauth2.0 is an “authorization” framework for web applications. It permits selective access to a user’s resource without disclosing the password to the website which asks for the resource.
Agenda for the session:
What is Oauth 2.0
Oauth 2.0 Terminologies
Oauth workflow
Exploiting Oauth for fun and profit
Reference
Oauth 2.0 Introduction and Flows with MuleSoftshyamraj55
Learn about the basics of OAuth 2.0 and the different OAuth flows in this introductory video. Understand how OAuth works and the various authorization mechanisms involved.
1. Intro - Auth - Authentication & Authorization & SSO
2. OAuth2 in Depth
3. Where does JWT fit in ?
4. How to do stateless Authorization using OAUTH2 & JWT ?
5. Some Sample Code ? How easy is it to implement ?
An introduction to OAuth 2.0 from a Salesforce perspective to establish the foundations of OAuth 2.0. Discusses the key concepts of Authentication and Authorization and distinguishes the two. Also discusses Open ID connect.
As part of MobiliYa Spread Knowledge Initiative Presentation Series.
Agenda
1.Intro -Auth-Authentication & Authorization & SSO
2.OAuth2 in Depth
3.Where does JWT fit in ?
4.How to do stateless Authorization using OAUTH2 & JWT ?
5.Some Sample Code ? How easy is it to implement ?
What the Heck is OAuth and OIDC - UberConf 2018Matt Raible
OAuth is not an API or a service: it is an open standard for authorization and any developer can implement it. OAuth is a standard that applications can use to provide client applications with “secure delegated access”. OAuth works over HTTPS and authorizes devices, APIs, servers, and applications with access tokens rather than credentials, which we will go over in depth below. OpenID Connect (OIDC) is built on top of the OAuth 2.0 protocol. It allows clients to verify the identity of the user and to obtain their basic profile information.
This session covers how OAuth 2.0 and OIDC work, when to use them, and frameworks/services that simplify authentication.
Blog: https://developer.okta.com/blog/2017/06/21/what-the-heck-is-oauth
Online Tools:
- https://oauth.com/playground
- https://oauthdebugger.com
- https://oidcdebugger.com
Never Build Auth Again → https://developer.okta.com
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020Matt Raible
OAuth is not an API or a service: it is an open standard for authorization and any developer can implement it. OAuth is a standard that applications can use to provide client applications with “secure delegated access”. OAuth works over HTTPS and authorizes devices, APIs, servers, and applications with access tokens rather than credentials, which we will go over in-depth below. OpenID Connect (OIDC) is built on top of the OAuth 2.0 protocol. It allows clients to get the identity of the user and to obtain their basic profile information.
This session covers how OAuth 2.0 and OIDC work, when to use them, and frameworks/services that simplify authentication.
Blog: https://developer.okta.com/blog/2017/06/21/what-the-heck-is-oauth
Online Tools:
- https://oauth.com/playground
- https://oauthdebugger.com
- https://oidcdebugger.com
Never Build Auth Again → https://developer.okta.com
Ladies Be Architects - Study Group III: OAuth 2.0 (Ep 1)gemziebeth
Join us as we look into OAuth 2.0 to help us study for the Identity and Access Management Designer certification exam. Episode 1 covers the principles of OAuth 2.0
OAuth 2.0 for developers - the technology you need but never really learned. This presentation acts as a simple, easy to digest, introduction to the OAuth 2.0 protocol as well as a practical guide for administrators of IBM Connections and developers developing solutions for IBM Connections.
Introduction to OAuth 2.0 - the technology you need but never really learnedMikkel Flindt Heisterberg
An introduction to the OAuth 2.0 protocol for developers and information on how to register apps in on-prem IBM Connections and IBM Connections Cloud. A narrated recording of the demo is available on Youtube here >> http://www.youtube.com/watch?v=Sqt8KZ0jnC4
Slides for my presentation about OAuth, going in depth in the details of the Authorization Code Grant and PKCE, also describing several security threats to OAuth
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry BuzdinJava User Group Latvia
Have you ever wondered how single-sign-on on sites like Google and Facebook works? Are you a fan of stateless application architectures? Do you want to learn how to put together a modern security approach for your next Spring Boot project? If the answer is yes, to anything above, then this session is for you. Dmitry will explain what is OAuth 2.0 and JWT, why are they popular, and how to integrate them in Java project.
The industry is shifting to mobile and wearable devices, and desktop apps are now only a part of the overall application landscape. In this new mobile-first context, security is one of the key concerns for Enterprise Architects. Salesforce has implemented the OAuth 2.0 specification to handle user authentication using industry standards. After reviewing OAuth basics, this session will take you through the different approaches to implement OAuth authentication on the Force.com platform.
This was the slide representation for my training session at OWASP Seasides 2020. This entails all the workflow for the session, but please understand that this is not a lab manual and won't entail the details on Step-by-step execution of the attack. You can find my youtube video pertaining to this session here
https://www.youtube.com/watch?v=ZhZAKWpykTo
This presentation deals with different scenarios in attacking applications vulnerable to Buffer overflow by exploiting the default SEH chain, by the SEH overwrite
This is the most basic presentation introducing to the concepts of kubernetes this presentation only solves the mundane purpose as a visual aid to the session
This encompasses different techniques employed by leveraging powershell and attacking the systems in different ways. It is an interesting agglomeration of combined methods in plundering a windows box
This along with the binaries to be found at my github profiles @ github.com/shahenshah99 is used to present and conduct a hands-on session on securely deploying containers in docker at the time of production
This is in regards with the session that I have been holding at Null Bangalore. This session aims at providing basic understanding of Buffer Overflow to the attendees preparing for OSCP
This presentation is in regards with the talk that I gave at null monthly meet. This covers various grounds for covering cryptography. There are numerous ways to attack the methodology of any cryptographic content. The uploaded slides serve the same
This Presentation was for my talk at Null on Steganography using Python. This only serves as a on screen ppt to the talk. In order to understand this in-detail please follow my page to find the code
This is the slide check that I prepared for Null Pulliya session. I had prepared this presentation with the usage and the depth of coverage of GDB for any typical reverse engineer to have in his/her arsenal
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
Generating a custom Ruby SDK for your web service or Rails API using Smithyg2nightmarescribd
Have you ever wanted a Ruby client API to communicate with your web service? Smithy is a protocol-agnostic language for defining services and SDKs. Smithy Ruby is an implementation of Smithy that generates a Ruby SDK using a Smithy model. In this talk, we will explore Smithy and Smithy Ruby to learn how to generate custom feature-rich SDKs that can communicate with any web service, such as a Rails JSON API.
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
5. Click to edit Master title style
5
Resource owner
The resource owner is simply the user that is interested
in granting a registered OAuth application to access their
account.
The extent to which the user data can be accessed is
defined by scope. Different scope results in different
kinds of OAuth 2.0 permission dialogs.
5
6. Click to edit Master title style
6
Client
In layman's terms, a client is simply an application
registered to the provider (say Facebook/Google+)
and is used by the third party (say Adobe) to access
or manipulate a user's or resource owner's data .
This concludes that a client is merely an application
which allows the third party to request on behalf of
the resource owner to the OAuth provider.
6
7. Click to edit Master title style
7
Authorization server
An authorization server is capable of granting or
denying a client an access token. The authorization
server authenticates the resource and, generally
through various interactions, issues an access token
to the client if everything goes well.
A resource server and authorization server are closely
knit and when in the same web application, often
referred to as an OAuth API.
7
8. Click to edit Master title style
8
Application
The application or client must be
registered on the OAuth provider's
website. Once the registration is
done, an application is assigned a
unique identifier called the client ID
8
9. Click to edit Master title style
9
Redirect URI
Every application must redirect to a pre -
determined URI once the OAuth flow is
complete. By default, the authorization server
rejects redirect-URI mismatches between
application configuration and the actual one
provided. The redirect URI is a crucial
component of the OAuth flow, and hijacking
this can result in nasty outcomes, which we'll
see in upcoming sections of this chapter.
9
10. Click to edit Master title style
10
Access Tokens
An access token is a secret token
allotted to the application and is tied
to a particular user with specific
permissions. The resource server
expects an access token every time a
request is made to it.
10
11. Click to edit Master title style
11
Client ID
The client ID is a unique identifier that is returned
when the application is registered successfully. It
is not secret information and is crucial in the
working of Oauth applications. Different Oauth
implementations refer to the client ID differently,
for example, Application ID.
11
Client ID provided by Facebook for a dummy Oauth application
12. Click to edit Master title style
12
Client Secret
Client secret is a unique token generated
during the registration process and is tied
to the client ID. As the name suggests, a
client secret is private information and
shouldn't be exposed. It is used internally
while generating access tokens
12
13. Click to edit Master title style
13
Receiving Grants
OAuth 2.0 basically allows a third party website to
access a limited or selective set of user information
on a particular website.
There are different kinds of authorization flows,
two common ones of which are as follows:
• Authorization grant
• Implicit grant
13
14. Click to edit Master title style
14
Authorization Grants
h t t p s : / / w w w. e x a m p l e . c o m / o a u t h / a u t h o r i z e ? r e s p o n s e _ t y p e = c o d e & c l i e n t _ i d
= C L I E N T _ I D & r e d i r e c t _ u r i = C A L L B A C K _ U R L & s c o p e = r e a d
14
Let's break down the different components here:
• response_type: When set to code, the OAuth authorization server expects
the grant to be of authorization grant type.
• client_id: This is the client ID/app ID of the application.
• redirect_uri: This contains a URL in percent-encoded form, and after the
initial flow is complete, the authorization server redirects the flow to the
specified URL.
• scope: This refers to the level of access needed; this is implementation
specific and varies.
15. Click to edit Master title style
15
Following link for example
https://www.example.com/oauth/authorize?client_id=2190698099&redire
ct_uri=https%3A%2F%2Ffacebook.com%2Fredirect&response_type=co
de&scope=read
As soon as the user allows the permission, the page redirects to the
following:
https://facebook.com/redirect?code=af8SFAdas
Here, we see the code parameter, which contains the authorization grant
code generated by the authorization server. Now this can be exchanged
for an access token; this is generally done server side and a client
secret must be involved.
Access Token = Auth Code + Client ID + Client Secret + Redirect URI
15
16. Click to edit Master title style
16
https://www.example.com/ /oauth/token?client_id=2190698099&client_
secret=adb12hge&grant_type=authorization_code&code=af8SFAdas&r
edirect_uri= https%3A%2F%2Ffacebook.com%2Ftoken
Now the token is returned to https://facebook.com/token in JSON
format, such as the following:
{ "access_token":" EAACEdEose0cBAE3vD" }
16
17. Click to edit Master title style
17
Implicit Grants
The i m pli c i t gra nt i s a c o m m o n wa y to a c c es s to kens i n web a nd
mobi le appli cati ons.
Thi s gra nt do es n't requi re a n endpo i nt o n the c li ent to c a ll s upply -
a utho ri za ti on c o de a nd c li ent s ec ret to then rec ei ve the a c c es s
to ken.
The i m pli c i t gra nt li nk lo o ks li ke the fo llo wi ng:
https :/ / www.ex a mple.co m /o auth/ autho ri ze?res pons e_ type= to ken&c
li ent_ i d= CL IEN T_ ID&redi rect_ uri = CALLB ACK_URL &sc ope=rea d,wri te
If the a utho ri za ti on i s c o m pleted s uc c es s fully then,
https :/ / fa cebo o k.c om /token# access_to ken=EAACEdEo se0cBAE3vD
So n o w the third party can co m m u n icate with the reso u rce server
usin g the fo llo win g to ken .
17
18. Click to edit Master title style
18
EXPLOITING OAuth 2.0
18
Open redirect – the malformed URL
Our exploit page is located at -> http://exploit.example.com/
we consider a trusted website to be -> http://trusted.com
Directly giving the exploit link to the users won’t work but then
sending a redirect from trusted.com might work, because the
users trust that website. If the trusted.com site has an Oauth
server running, then all you have to do is register at over there
and get a client ID, set the redirect Uri as our exploit page ->
exploit.example.com
https://api.trusted.com/oauth2/authorization?response_
type=code&client_id=75e7i92lbwy4p4&scope=read&redirect_
uri=https%3A%2F%2Fexploit.example.com/
19. Click to edit Master title style
1919
Open redirect – the malformed URL
Different providers have their own implementations of OAuth
2.0, this gives way to a scenario in which a malformed grant
link (non-existent or garbage values for scope, client_id and so
on) results in the server redirecting the user to the redirect_uri
parameter which we set earlier, that is, the exploit page.
Malformed value in scope:
https://api.trusted.com/oauth2/authorization?response_
type=code&client_id=75e7i92lbwy4p4&scope=blahblahblah&re
direct_uri=http://exploit.example.com/
Malformed value in client_id:
https://api.trusted.com/oauth2/authorization?response_
type=code&client_id=idontexistbro&scope=read&redirect_uri=
http://exploit.example.com/
20. Click to edit Master title style
20
Response:
http://exploit.example.com/?error=invalid_scope&error_d
escription=The+scope+of+%22blahblahblah%22+is+unknown
%2E+Please+check+that+it%27s+property+spelled+and+a+va
lid+value%2E#!
But regardless of the error params, the page is still redirected. This is
the beauty of this attack. This may not always work, it varies from
implementation to implementation. The correct way to address this
thing on the provider side is to show an error message on the provider
domain (authorization server) itself rather than redirecting.
This flaw was present in LinkedIn until last year.
21. Click to edit Master title style
21
Hijacking the OAuth
flow – fiddling with
redirect URI
the inherent risks involved in using redirect_uri in a grant situation where it
can be made to redirect to a different location than the one allowed, thereby
hijacking the access tokens.
The application is set to allow only redirect_uri =
http://example.com/token/callback. Then we can use certain tricks to
circumvent the checks and hijack the tokens to our (hijacker's) domain or file.
22. Click to edit Master title style
22
Directory traversal
tricks
Directory traversal tricks assume that we can save certain files of our choice
under the allowed domain; this case is common in web applications which
allow uploading of files
The following are the URLs which can effectively bypass the validation if
traversals are not considered:
http://example.com/token/callback/../../our/path
http://example.com/token/callback/.%0a./.%0d./our/path
http://example.com/token/callback/%252e%252e/%252e%252e/our/path
/our/path///../../http://example.com/token/callback/
http://example.com/token/callback/%2e%2e/%2e%2e/our/path
23. Click to edit Master title style
23
Domain tricks
As mentioned earlier, if the allowed redirect_uri
is http://example.com/token/callback , we use
the following two set tricks related to domains.
24. Click to edit Master title style
24
Naked Domain
This means the correct redirect_uri is a naked
domain, that is, the subdomain is not specified.
Some implementations allow subdomains when there
is a case of naked domain. One such flaw was
discovered in Facebook, which had one of its Oauth
applications misconfigured in the MailChimp service.
Example of bypasses if naked domain is specified:
https://controlledsubdomain.example.com/token/call
back
https://www1.example.com/token/callback
https://files.example.com/token/callback
25. Click to edit Master title style
25
TLD Suffix confusion
We can bypass certain checks if a suitable top -level domain is
specified. We can bypass the redirect_uri with a .com TLD by
replacing it with a suffix such as .com.mx .com.br.
Examples :
Original Suffixed
http://example.com/token/callback
http://example.com.mx/token/callback
http://example.org/token/callback
http://example.org.in/token/callback
The basic idea here is to just leave the domain asis so that the
authorization servers validate it and append a valid suffixed
TLD to bypass the check.
This issue has been discovered in the OAuth implementation of
Instagram and Slack.
• Slack: https://hackerone.com/reports/2575
26. Click to edit Master title style
26
Flow hijack through open redirect on client
Sometimes it's easy to find an open redirect on the client
website (third party) and/or its subdomains which is allowed
in the application configuration. We can exploit this in an
implicit grant scenario where access tokens will be redirected
to the attacker's domain through a 302 redirect.
Redirect:http://www.example.com/exit/redirect.php?u=http:// w
ww.google.com
Exploit:redirect_uri=http ://www.example.com/exit/redirect.php
?u=http://exploit.com/token/callback
The access tokens will now be passed to
exploit.com/token/callback. This technique is widely known,
and generally dubbed, as Covert Redirect.
27. Click to edit Master title style
27
Force a malicious app installation
F o o l i n g t h e u s e r t o c l i c k o n t h e a l l o w b u t t o n w i t h o u t t h e m
u n d e r s t a n d i n g i t . T h e r e b y g r a n t i n g u s a l l t h e p e r m i s s i o n s –
c l i c k j a c k i n g .
T h e o n l y i s s u e t h a t m i g h t b e f a c e d i s : T h e p a g e s h o u l d
a l l o w X - F R A M E - O P T I O N S h e a d e r. i . e . t h e p a g e s h o u l d b e
f r e e o f a n y f r a m e - b u s t i n g c o d e .
Credits: http://www.bubblecode.net
28. Click to edit Master title style
2828
Links for more study on Oauth 2.0
https://techzone.ergon.ch/oauth-307Redirect-idpMixUp/
http://www.oauthsecurity.com/
http://homakov.blogspot.com/
http://isciurus.blogspot.com/
http://bubblecode.net/