A Basic Comprehensive Application to Understand the OAuth 2.0 Authorization Code Grant Type






There are a few steps in the OAuth flow that we have to follow.

Step 1 >>  Authorization Code Link

First, the user is given an authorization link like this one:

http://localhost:8081/auth/oauth/authorize?response_type=code&client_id=CLIENT_ID&redirect_uri=CALLBACK_URL&scope=write

Here is an explanation of the link components:
  • http://localhost:8081/auth/oauth/authorize: the API authorization endpoint
  • client_id=CLIENT_ID: the application's client ID (how the API identifies the application)
  • redirect_uri=CALLBACK_URL: where the service redirects the user-agent after an authorization code is granted
  • response_type=code: specifies that your application is requesting an authorization code grant
  • scope=write: specifies the level of access that the application is requesting

Step 2 >> User Authorizes Application


When the user clicks the link, they must first log in to the service to authenticate their identity (unless they are already logged in). The service then prompts them to authorize or deny the application access to their account. Here is an example of the authorize application prompt:

Step 3 >> Application Receives Authorization Code


If the user clicks "Authorize Application", the service redirects the user-agent to the application redirect URI, which was specified during the client registration, along with an authorization code. 

http://localhost:9999/oauth/access/?code=AUTHORIZATION_CODE

Step 4 >> Application Requests Access Token

The application requests an access token from the API by passing the authorization code, along with its authentication details (including the client secret), to the API token endpoint.

Here is an example POST request to the Cyber Techies token endpoint:

http://localhost:8081/auth/oauth/token?client_id=CLIENT_ID&client_secret=CLIENT_SECRET&grant_type=authorization_code&code=AUTHORIZATION_CODE&redirect_uri=CALLBACK_URL

Step 5 >> Application Receives Access Token

If the authorization is valid, the API will send a response containing the access token (and optionally, a refresh token) to the application. The entire response will look something like this:

{
  "access_token": "ACCESS_TOKEN",
  "token_type": "bearer",
  "expires_in": 5184000,
  "refresh_token": "REFRESH_TOKEN",
  "scope": "read",
  "uid": 415478911,
  "username": {
    "name": "chathu",
    "password": "ABC123"
  }
}

Using this token we can retrieve the information the user granted access to. The token expires after 60 days (expires_in is 5184000 seconds), and with scope read the application can only read the information. The uid and username fields, including the password, are extras produced by this sample server; the token response defined by RFC 6749 contains only access_token, token_type, expires_in, refresh_token and scope.
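To make "if the authorization is valid" in Steps 4 and 5 concrete, here is an added example of the checks an authorization server performs from the approval in Step 3 through the token response in Step 5. It is my illustration, not the post's Spring Boot code: plain Python with in-memory state, a constructed client registration standing in for CLIENT_ID, CLIENT_SECRET and CALLBACK_URL, error strings taken from RFC 6749 section 5.2, a 60-second code lifetime and a check_bearer helper that are assumptions for the demo. The 5184000-second token lifetime is the one in the sample response above.

```python
"""Authorization-server side of the authorization code grant.

Added example, not code from the blog post or its Spring Boot servers. It
models the checks behind "if the authorization is valid" with plain functions
and in-memory state; client registration, code lifetime and the check_bearer
helper are constructed for the demo.
"""
import secrets
from dataclasses import dataclass

# Constructed client registration (stands in for the CLIENT_ID, CLIENT_SECRET
# and CALLBACK_URL placeholders in the post).
CLIENTS = {
    "CLIENT_ID": {
        "secret": "CLIENT_SECRET",
        "redirect_uris": {"http://localhost:9999/oauth/access/"},
        "scopes": {"read", "write"},
    }
}
CODE_LIFETIME = 60               # seconds; assumed. Codes are short-lived, single-use
ACCESS_TOKEN_LIFETIME = 5184000  # seconds = 60 days, as in the sample response


@dataclass
class IssuedCode:
    client_id: str
    redirect_uri: str
    scope: str
    user: str
    issued_at: float
    used: bool = False


class AuthorizationServer:
    def __init__(self):
        self.codes = {}   # code -> IssuedCode
        self.tokens = {}  # access_token -> {"user", "scope", "expires_at"}

    def authorize(self, client_id, redirect_uri, response_type, scope, user, now):
        """Steps 2-3: runs after the user has logged in and clicked approve.
        Returns the redirect the user-agent is sent to (Step 3's URL)."""
        client = CLIENTS.get(client_id)
        # An unknown client or an unregistered redirect_uri is never redirected
        # to; otherwise the code would be delivered to an unregistered address.
        if client is None or redirect_uri not in client["redirect_uris"]:
            raise ValueError("invalid client_id or redirect_uri")
        if response_type != "code":
            return f"{redirect_uri}?error=unsupported_response_type"
        if not set(scope.split()) <= client["scopes"]:
            return f"{redirect_uri}?error=invalid_scope"
        code = secrets.token_urlsafe(32)
        self.codes[code] = IssuedCode(client_id, redirect_uri, scope, user, now)
        return f"{redirect_uri}?code={code}"

    def token(self, client_id, client_secret, grant_type, code, redirect_uri, now):
        """Steps 4-5: the token endpoint. Returns the JSON body as a dict."""
        client = CLIENTS.get(client_id)
        # Authenticate the client first; compare the secret in constant time.
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            return {"error": "invalid_client"}
        if grant_type != "authorization_code":
            return {"error": "unsupported_grant_type"}
        issued = self.codes.get(code)
        # The code must exist, be unused and fresh, and have been issued to
        # this client for exactly this redirect_uri.
        if (issued is None or issued.used or issued.client_id != client_id
                or issued.redirect_uri != redirect_uri
                or now - issued.issued_at > CODE_LIFETIME):
            return {"error": "invalid_grant"}
        issued.used = True  # a code is exchanged exactly once
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = {"user": issued.user, "scope": issued.scope,
                                     "expires_at": now + ACCESS_TOKEN_LIFETIME}
        return {"access_token": access_token, "token_type": "bearer",
                "expires_in": ACCESS_TOKEN_LIFETIME,
                "refresh_token": secrets.token_urlsafe(32), "scope": issued.scope}

    def check_bearer(self, authorization_header, now):
        """Resource-server side: what the 'Authorization: Bearer <token>'
        header of the final GET request is checked against. Returns the
        token's user and scope, or None if the token is unknown or expired."""
        scheme, _, token = authorization_header.partition(" ")
        entry = self.tokens.get(token)
        if scheme.lower() != "bearer" or entry is None or entry["expires_at"] <= now:
            return None
        return entry


def code_from_redirect(url):
    """Pull AUTHORIZATION_CODE out of the Step 3 redirect URL."""
    return url.split("code=", 1)[1]
```

Running the exchange twice with the same code, or with a redirect_uri other than the one the code was issued for, yields invalid_grant; a wrong client secret yields invalid_client before the code is even looked at.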


How does it work in a real application?


Here is how I'm going to access my Facebook account using a third-party application called bunny cyber tach.

I'm using an embedded Tomcat server and Spring Boot to run my authorization server, resource server and client app.

Authorization server >> localhost:8081
Resource server >> localhost:8082
Client app >> localhost:9999

In the client app there is an option called Login with Facebook, so we click that option.


After clicking Login with Facebook it redirects to another page, which asks for a user name and password. There we have to enter the user name and password.

Then it redirects to another page that asks for OAuth approval. There we click the Approve button.




After clicking Approve, it returns the authorization code in the URL.

Now we have the authorization code, so using that code we can get the access token. For this I used another application called 'REST_CLIENT'.

First, type your token URL as given below and make it a POST request. After that, you need to add two headers.




Using Base64 we have to encode the client ID and the client credential (CLIENT_ID:CLIENT_SECRET, the form used for HTTP Basic authentication).


After that, in REST_CLIENT, add the encoded value as the body and click Send.


Then it asks for the user ID and password; after giving those we get the access token. Using the access token we can access the resources.


Make the resource request to the resource server. The HTTP GET request header must carry the token type and value: give your URL, make it a GET request, and add a header named Authorization with the value Bearer 'Access Token'.
Now you will get the requested resources from the resource server. Change the id to view all resources.
Sample request
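The walkthrough above, and Steps 1 to 5 in the first half of the post, can also be driven from a script instead of REST_CLIENT. The following is an added example, not code from the post or its Spring Boot project: each function builds one message of the flow, Base64-encodes CLIENT_ID:CLIENT_SECRET for the Authorization header, extracts the code from the callback URL, keeps only the RFC 6749 fields of the token response, and puts Bearer ACCESS_TOKEN on the resource GET. The state parameter, the resource path http://localhost:8082/users/1 and the interactive main() are my assumptions; the sample token response is the one printed in Step 5, embedded as offline input. The token request here carries the client secret in the header and the grant parameters in the form body rather than in the URL query shown in Step 4, so that they do not appear in proxy and server logs.

```python
"""Client side of the authorization code grant, step by step.

Added example, not code from the blog post or its Spring Boot project. Each
function builds one message of the flow; main() sends them only when the
script is run directly against the ports used in the post.
"""
import base64
import json
import secrets
import urllib.parse
import urllib.request

AUTHORIZE_URL = "http://localhost:8081/auth/oauth/authorize"
TOKEN_URL = "http://localhost:8081/auth/oauth/token"
RESOURCE_URL = "http://localhost:8082/users/1"  # assumed resource path
CLIENT_ID = "CLIENT_ID"                         # placeholders, as in the post
CLIENT_SECRET = "CLIENT_SECRET"
CALLBACK_URL = "http://localhost:9999/oauth/access/"

# The Step 5 response from the post, embedded as constructed offline input.
SAMPLE_TOKEN_RESPONSE = (
    '{"access_token":"ACCESS_TOKEN","token_type":"bearer","expires_in":5184000,'
    '"refresh_token":"REFRESH_TOKEN","scope":"read","uid":415478911,'
    '"username":{"name":"chathu","password":"ABC123"}}'
)


def build_authorize_url(state, scope="write"):
    """Step 1. `state` is not in the post; it is the RFC 6749 parameter that
    lets the client tie the callback to the session that started the flow."""
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": CALLBACK_URL, "scope": scope, "state": state}
    return AUTHORIZE_URL + "?" + urllib.parse.urlencode(params)


def code_from_callback(callback_url, expected_state):
    """Step 3: read the code from the redirect, refusing a foreign or denied one."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to this session")
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    return query["code"][0]


def basic_auth_header(client_id, client_secret):
    """The header value REST_CLIENT needs: Base64 of 'client_id:client_secret'."""
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()


def build_token_request(code):
    """Step 4: POST to the token endpoint. The client secret travels in the
    Authorization header and the grant parameters in the form body."""
    body = urllib.parse.urlencode({"grant_type": "authorization_code",
                                   "code": code, "redirect_uri": CALLBACK_URL}).encode()
    headers = {"Authorization": basic_auth_header(CLIENT_ID, CLIENT_SECRET),
               "Content-Type": "application/x-www-form-urlencoded"}
    return urllib.request.Request(TOKEN_URL, data=body, headers=headers, method="POST")


def parse_token_response(raw_json):
    """Step 5: keep only the fields RFC 6749 defines and check the token type."""
    data = json.loads(raw_json)
    if "error" in data:
        raise ValueError("token endpoint error: " + str(data["error"]))
    if str(data.get("token_type", "")).lower() != "bearer":
        raise ValueError("unexpected token_type")
    keep = ("access_token", "token_type", "expires_in", "refresh_token", "scope")
    return {k: data[k] for k in keep if k in data}


def token_lifetime_days(token):
    """expires_in is in seconds; the sample's 5184000 is 60 days."""
    return token["expires_in"] / 86400


def build_resource_request(access_token, url=RESOURCE_URL):
    """Final step: GET the resource with 'Authorization: Bearer <token>'."""
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})


def main():
    state = secrets.token_urlsafe(16)
    print("Open this link, log in and approve:\n ", build_authorize_url(state))
    callback = input("Paste the full callback URL from the browser: ")
    code = code_from_callback(callback, state)
    with urllib.request.urlopen(build_token_request(code)) as resp:
        token = parse_token_response(resp.read().decode())
    print("access token valid for", token_lifetime_days(token), "days")
    with urllib.request.urlopen(build_resource_request(token["access_token"])) as resp:
        print(resp.read().decode())


if __name__ == "__main__":
    main()
```

The Authorization header produced for the post's placeholders is Basic Q0xJRU5UX0lEOkNMSUVOVF9TRUNSRVQ=, which is what REST_CLIENT would have to carry; parse_token_response drops the uid and username fields so the password from the sample response is never kept by the client.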


You can get the code by clicking here.

