Posts

OpenID Connect Sample with Signature Verification ID tokens are used in OpenID Connect to sign users in to client apps. But how do you validate them? Like identity cards, they contain a number of attributes, or claims. These are protected with a digital signature or a message authentication code (MAC) to ensure the token's integrity and authenticity. ID tokens carry the following claims: Subject (sub): identifier for the authenticated user. Issuer (iss) and audience (aud): specify the IdP that created the ID token and who it is intended for (the client_id). Timestamps: issue (iat) and expiration (exp) times. Other attributes, such as authentication time, authentication strength, a nonce, and selected user details, can also be included. So, I'm going to discuss how to verify the signature of an ID token with a sample web application. This is an improved version of the previous app. When it comes to validating an ID Token, an app wants to verify the signature of the token, as wel

OpenID Connect Sample web app

OpenID Connect Sample Web App In this document, I'm trying to demonstrate OpenID Connect with a sample web application. Before doing this we need to have a good idea about OpenID Connect, so if you need to learn about OpenID Connect you can read my previous post, OpenID Connect Introduction. I'm using miniOrange as my OpenID Connect provider. There are some steps to follow to set up the OIDC application with miniOrange. First, create an account on miniOrange and sign in to the account. Then go to the miniOrange Administrator Console. Create an application by selecting Apps > Configure Apps. In the Application name field type "OIDC". Enter your client information (First_name, Last_name) and Save. Once you have configured the application, note down the client ID and client secret by going to Apps > View Apps, then select your OpenID application and click on "Edit". Then add this redirection endpoint to the application. Again go to the miniOrang

OpenID Connect Introduction

What is OpenID Connect? OpenID Connect is a simple identity layer built on top of the OAuth 2.0 protocol, which allows clients to verify the identity of an end user based on the authentication performed by an authorization server or identity provider (IdP), as well as to obtain basic profile information about the end user in an interoperable and REST-like manner. OpenID Connect specifies a RESTful HTTP API, using JSON as a data format. OpenID Connect is an increasingly common authentication protocol: when an app prompts you to authenticate using your Facebook or Google+ credentials, the app is probably using OpenID Connect. OpenID Connect allows a range of clients, including web-based, mobile, and JavaScript clients, to request and receive information about authenticated sessions and end users. OIDC's main purpose is to authenticate a user with one login and allow access to multiple services, which is also known as SSO (Single Sign-On). OneLogin provides a custom connector optio

About Email Policy

ABC (Private) Limited July 30, 2017 ABC Company Email Policy 1. Overview and purpose of the policy The purpose of this policy is to ensure the proper use of ABC Company's email system and to make employees aware of the instructions they need to follow when using it. It also aims to prevent breaches of the Company's confidential data through the Company's email system. This policy also provides for legal action in case of violations of the policy. 2. Applicability This policy applies to all company employees who have access to the company's email system: full-time employees, part-time employees, independent contractors, interns and consultants. The parties mentioned here are responsible for all the actions they perform on the email system from any location where they use the service. 3. Policy 3.1 All email accounts are the property of the company, and the company has every right to view, modi

RingZer0 JavaScript Challenges level 4,5 work through.....

RingZer0 Challenges Challenge JavaScript: Level 04 Why not? · First we have to go to the source code. Looking at the page source, we can find weak JavaScript like the following. · We can see the username must be equal to "administrator"; just from the source code we can identify the username. · Then we have to find the password. The password must, for each character, satisfy the condition below. u.charCodeAt(i) + p.charCodeAt(i) + i * 10 == k[i] · The password can be recovered using that equation. · We find the password OhLord4309111, and now we can log in at that level using the administrator username and this password. · Then we get the flag. Level 05 · Valid Key required. · In this level, we have to find a key, so we go to the source code. Looking at the page source code we find the following

A Basic Comprehensive Application to Understand OAuth2.0 Authorization Code Grant Type.......

There are a few steps in OAuth 2.0 we have to follow. Step 1 >> Authorization Code Link First, the user is given an authorization code link like this. http://localhost:8081/auth/oauth/authorize?response_type=code&client_id=CLIENT_ID&redirect_uri=CALLBACK_URL&scope=write Here is an explanation of the link components: http://localhost:8081/auth/oauth/authorize : the API authorization endpoint. client_id=CLIENT_ID : the application's client ID (how the API identifies the application). redirect_uri=CALLBACK_URL : where the service redirects the user-agent after an authorization code is granted. response_type=code : specifies that your application is requesting an authorization code grant. scope=write : specifies the level of access that the application is requesting. Step 2 >> User Authorizes Application When the user clicks the link, they must first log in to the service, to authenticate their identity (unless the