So I am trying out Spring Security using OAuth2 in Spring Boot 2.
I based this site as my reference:
https://dzone.com/articles/secure-spring-rest-with-spring-security-and-oauth2
Once the Authorization server has been set up, tokens can be obtained from it using http://localhost:8080/oauth/token endpoint by passing a POST request.
What makes me squeamish is that the POST request must have my username and password as plain text
POST /oauth/token HTTP/1.1
Host: localhost:8080
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW
------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="grant_type"
password
------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="username"
admin
------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="password"
password
------WebKitFormBoundary7MA4YWxkTrZu0gW--
Isn't this a very big security threat?
Wont every router along the way from the client to server be able to see the content of the POST body?
Now to solve this suppose I use a client side symmetric encryption algorithm in javascript to encrypt the password. Since all clients will get the same encryption algorithm, the routers along the way can symmetrically decode my password. Which is not good enough.
If I had to pass the credentails as plain text, then what is the use of Spring Security?
Am I doing anything wrong here? There is no way big corporations use this.
Is there any additional facility in Spring Security that allows us to prevent this situation?
You have to use HTTPS (TLS), see The OAuth 2.0 Authorization Framework
Token Endpoint
[...]
Since requests to the token endpoint result in the transmission of
clear-text credentials (in the HTTP request and response), the
authorization server MUST require the use of TLS as described in
Section 1.6 when sending requests to the token endpoint.
If your authorization server implementation allows unsecured communication, it is not compliant to OAuth2 spec.
Related
Is it possible to use digest auth in jmeter.
When server answers 401 with auth header
(etc: WWW_Authenticate :SP Digest realm="SD Digest Authentication Realm", qop="auth", nonce="MTYyNTE2Mjc5MDE4NDo0ZTQ0NWJjM2Y0MWQ4OGFlMzQyODRmMjEzNWViMTYwNQ==")
on the first request from client and then client must resend original request with properly formed auth headers?
I try to use HTTP Authorization Manager with http client 4, but no luck.
Jmeter does not send any auth header and does not repeat original request.
Try removing this / from "Domain" section, I don't think it's applicable for Digest authentication, it's more for NTLM and/or Kerberos. But given server sends proper WWW-Authenticate header even given wrong HTTP Authorization Manager configuration you should be seeing the Authorization request header
Apart from this I cannot reproduce your issue using simple Apache web server with mod_auth_digest
I am working on an Elixir Phoenix web project where I want to interact with Google's Indexing API.
Google uses OAuth2 to authenticate api requests and actually has a decent documentation on this.
But it only explains the process using one of the supported libraries in Python, Java, PHP or JS.
I would like to make the HTTP requests by myself to retrieve that access token. But the request format (including headers or parameters) is nowhere documented and I cannot even figure out from the libraries' source code.
I have tried requesting https://accounts.google.com/o/oauth2/token (also other eligible URLs) in Postman with the "OAuth 2.0" request type.
But it was all just guessing and trying. All the research did not help.
There are useful instructions including HTTP/Rest examples at Using OAuth 2.0 for Web Server Applications. Each step has the individual parameters fully documented. Here are some useful excerpts.
Send user to Google's OAuth 2.0 server. Example URL:
https://accounts.google.com/o/oauth2/v2/auth?
scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive.metadata.readonly&
access_type=offline&
include_granted_scopes=true&
state=state_parameter_passthrough_value&
redirect_uri=http%3A%2F%2Foauth2.example.com%2Fcallback&
response_type=code&
client_id=client_id
Retreive authorization code (your domain). Example:
https://oauth2.example.com/auth?code=4/P7q7W91a-oMsCeLvIaQm6bTrgtp7
Request access token. Example:
POST /oauth2/v4/token HTTP/1.1
Host: www.googleapis.com
Content-Type: application/x-www-form-urlencoded
code=4/P7q7W91a-oMsCeLvIaQm6bTrgtp7&
client_id=your_client_id&
client_secret=your_client_secret&
redirect_uri=https://oauth2.example.com/code&
grant_type=authorization_code
Use API. Example:
GET /drive/v2/files HTTP/1.1
Authorization: Bearer <access_token>
Host: www.googleapis.com/
We're writing Windows app and we also have backend server. And we want to implement Google Login. So the Windows app asks the user, it receives the JWT token and passes it to our server. I the token, there are 2 keys: aud and azp. On our other platoforms (iOS, Android), the azp is the OAuth Client ID of the application from Google Cloud Console and aud is OAuth Client ID for our server. But on Windows, they are both same. On other platform, this is handled by libraries provided by Google, but on Windows, we're using low-level HTTP. But we can't find a way to specify the aud. How can we do it?
EDIT: I found out about audience:server:client_id:... in scope, but it doesn't work for me either. It gives me Error: invalid_scope.
This is the request (using HTTPie):
http -v https://accounts.google.com/o/oauth2/auth client_id==windows-ios-app-client_id.apps.googleusercontent.com redirect_uri==my.bundle.id: response_type==code 'scope==audience:server:client_id:server-client-id.apps.googleusercontent.com'
GET /o/oauth2/auth?client_id=windows-ios-app-client_id.apps.googleusercontent.com&redirect_uri=my.bundle.id%3A&response_type=code&scope=audience%3Aserver%3Aclient_id%3Aserver-client-id.apps.googleusercontent.com HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
Host: accounts.google.com
User-Agent: HTTPie/0.9.2
I think we should provide this scope while you request for token. This is probably automatically done if we use Google/Sign-In library, provided that we set the server client id.
[GIDSignIn sharedInstance].serverClientID = #"YOUR_SERVER_CLIENT_ID_HERE"
By the way, If any am looking for a way to implement the same using AppAuth. I did not find any solution yet.
Send the web client id as a parameter audience=WEB_CLIENT_ID when requesting token endpoint.
I have an ASP.NET Web API 2 which is using OAuth 2.0 for authorization. And let's imagine I have a simple Web API method, like:
GET: http://host/api/profiles/user123 (requires OAuth 2.0 token)
So, with Postman, it is easy to test this Web API. I get an OAuth token for user123 from the Web API OAuthAuthorization method and then I use that token in the header of the HTTP request:
GET /api/profiles/user123 HTTP/1.1
Host: {host}
Authorization: Bearer {Token}
Content-Type: application/json
Cache-Control: no-cache
However, if I save my test and run it later (either by Postman itself or by Newman), the token will be expired at that time and it won't work.
How can I make Newman to get a new token automatically for user123 and use it in the HTTP request?
Note: I know how to use Postman's Authentication helpers to ask for a new token. But this scenario doesn't fit the test-automation. In test-automation, I want to remove any human interaction.
It's simple, get your access token at run time and save it into environment variable. Then use it in your next Get request.
In Get Token request, do this in Tests sections:
var body = JSON.parse(responseBody);
pm.environment.set('AccessToken', body.access_token);
In your main Get request, you can use the environment variable in Authorization header:
Authorization: Bearer {{AccessToken}}
Hope this helps.
I have 2 scenarios where I want to implement the token based authentication:
I want to implement token based authentication when a user logs in. i.e.. based on username and password , user should get a token and that token should be used with every request.
I have a separate independent module which has ID and secret Key. It has to communicate with server in specific interval. I want to implement token based authentication for this module also.
In both the cases token should have these properties:
It should be in payload.
It should have a timeout period
When token expires server should provide a new token,if the session is not expired else it should logout.
Is OAuth 2.0 right choice? If any other approach is better, Please tell me.
What should I do to solve this problem?
Which is the best place to put token in request -Payload or header? and Why?
OAuth 2.0 is a good choice for the requirements you mentioned: timeout period and refresh-ability.
Stormpath has an excellent OAuth2.0 implementation that gives you what you are looking for out of the box.
Stormpath has both remote and local OAuth2 Implementations and both are freely available. For the remote case you can rely on our backend using any REST client (http://docs.stormpath.com/guides/token-management/) and any of our SDKs. For the local case you can use our Servlet plugin to run a Web-app with out of the box OAuth2 support. Using the docs link above, you can find documentation for these resources.
Using the Stormpath Spring Boot integration, for instance, you could do something like this:
http -v --form POST http://localhost:8080/oauth/token \
> 'Origin:http://localhost:8080' \
> grant_type=password username=micah+demo.jsmith#stormpath.com password=<actual password>
(This example uses httpie to interact with a locally running Spring Boot instance). The line I've bolded above conforms to the OAuth2.0 spec for authenticating with usernames and passwords. What you get back is a response like:
HTTP/1.1 200 OK
Cache-Control: no-store
Content-Length: 325
Content-Type: application/json;charset=UTF-8
Date: Tue, 04 Aug 2015 16:02:08 GMT
Pragma: no-cache
Server: Apache-Coyote/1.1
Set-Cookie: account=eyJhbGciOiJIUzI1NiJ9.eyJqdGkiOiIxNDQyNmQxMy1mNThiLTRhNDEtYmVkZS0wYjM0M2ZjZDFhYzAiLCJpYXQiOjE0Mzg3MDQxMjgsInN1YiI6Imh0dHBzOi8vYXBpLnN0b3JtcGF0aC5jb20vdjEvYWNjb3VudHMvNW9NNFdJM1A0eEl3cDRXaURiUmo4MCIsImV4cCI6MTQzODk2MzMyOH0.wcXrS5yGtUoewAKqoqL5JhIQ109s1FMNopL_50HR_t4; Expires=Wed, 05-Aug-2015 16:02:08 GMT; Path=/; HttpOnly
{
"access_token": "eyJhbGciOiJIUzI1NiJ9.eyJqdGkiOiIxNDQyNmQxMy1mNThiLTRhNDEtYmVkZS0wYjM0M2ZjZDFhYzAiLCJpYXQiOjE0Mzg3MDQxMjgsInN1YiI6Imh0dHBzOi8vYXBpLnN0b3JtcGF0aC5jb20vdjEvYWNjb3VudHMvNW9NNFdJM1A0eEl3cDRXaURiUmo4MCIsImV4cCI6MTQzODk2MzMyOH0.wcXrS5yGtUoewAKqoqL5JhIQ109s1FMNopL_50HR_t4",
"expires_in": 259200,
"token_type": "Bearer"
}
This provides a bearer token that can be used on subsequent requests as well as an expiration. Plus, it has the advantage of being a JWT - JSON Web Token. The JWT is cryptographically signed to ensure that it hasn't been tampered with and it can be decoded to provide additional meta-information to your client, including user information, access controls and expiration.
You could do something very similar using the grant_type=authorization_code for interacting using an id and secret, such as for the independent module you mentioned.
This article goes into more detail on token authentication with Java.
Full disclosure: I am a Stormpath employee and I wrote the article referenced above.