I've configured Authentication and Users as described in this video:
https://www.youtube.com/watch?v=cR4gw-cPZOA
However, it doesn't seem to actually use those credentials (I see lots of posts to my authentication form with user "ZAP", and various other seemingly canned inputs, however) when I run Attack->Active Scan, and I cannot figure out how to make that happen.
We've got more details in this FAQ: https://github.com/zaproxy/zaproxy/wiki/FAQformauth
Does that help?
Simon (ZAP project lead)
Related
I am trying to get a Bot working with the Oauth example provided here: https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-authentication?view=azure-bot-service-4.0&tabs=aadv2%2Cjavascript
If I use Azure as an example issuer, everything works OK, so the general code works fine.
Now I have an example Laravel Passport app running as an issuer for testing purposes. All configuration, normal login etc. works fine. I created a generic OAuth 2 client in Azure with my password client ID and secret.
If I test it in the Azure Portal, it goes to the request-permission dialog. I confirm and it redirects to e.g. https://token.botframework.com/.auth/web/redirect?code=XYZ&state=123 and just shows Bad Request. No more, no less.
I tried different configurations etc., googled and found some people with similar problems but no solution. Most just referred to secrets etc. But the secret works; a broken secret earlier led to other issues that I am not facing now.
And the error message is not really helpful ^^ No matter how I call https://token.botframework.com/.auth/web/redirect, it is always a Bad Request.
Does anybody have an idea, a hint in what direction to look further, where issues could occur? I am a little lost right now.
I am writing an app that uses Parse Server, with Auth0 as the authentication provider. For unrelated reasons, we need to use Auth0 rather than Parse for user management.
I'm having trouble figuring out how to "link" a user authenticated via Auth0 to Objects in Parse Server. Without this, the authenticated user will not have permission to write to his/her Objects on the Parse Server. I believe my issue is similar to this question, which has no solution: here.
I have found many articles discussing the migration of users from Parse to Auth0, but am finding surprisingly little documentation on how to link those users to Parse. There is one article (I believe written by the same person who posted the question I linked to), but I couldn't get it to work, and it involves storing passwords in cleartext in JavaScript.
I thought to create a default Parse user that would simply own all the objects in Parse. This would be invisible to the authenticated end-user so they wouldn't know, but that's just security by obscurity and doesn't seem like a good approach.
If anyone has suggestions on how to approach this, or has done it before, I'm interested to read your suggestions. Thank you very much.
Auth0 supports the most common authentication protocols (OAuth2/OIDC, SAML and WS-Federation), so configuring an application to rely on Auth0 is really easy when that application already speaks one of those protocols.
According to the Parse Server Wiki, it does support custom authentication leveraging OAuth, so that seems like your best starting point for integrating Auth0 with a Parse Server based application.
It is possible to leverage the OAuth support with any third-party authentication that you bring in.
Disclaimer: I have never used the Parse service or Parse Server, so I'm assuming that when you say linking Parse objects to users, this can be accomplished by simply having an authenticated user in Parse whose identity is verified and proven by Auth0 instead of by something like the built-in username/passwords managed by Parse itself.
With the new CodeIgniter 3.0 version, what authentication libraries do you use?
Flexi auth was very good and robust with great documentation for CI 2.0, but it is old and, as far as I can see, it is discontinued. Of course it does not work out of the box with CI 3.0. I have tested it and tried to migrate it to CI 3.0, but as it uses the old ci_sessions schema I have seen that there is a lot of work to be done to rewrite all the code parts that use sessions. It seems to work with file sessions and some alterations to its code, though.
Community auth has a CI 3.0 version, but as I have seen, it has many bugs and it is nowhere near reliable at this time. I have tested it thoroughly and it cannot work properly, as it has problems with its token jar system and its cookie management. Users cannot log in most of the time, and it is used as a whole third-party library in CodeIgniter, which personally I don't like, as it has a lot of files/folders that are time consuming to maintain. I would prefer simple CI libraries with 1-2 models like flexi-auth. Although, I wouldn't mind Community Auth's approach if it worked properly.
Tank Auth was a reliable solution in the past, but not with CodeIgniter 3.0, as it has many incompatibilities too. Questions about its compatibility with CI 3.0 were asked, but no airplanes on the horizon so far.
DX Auth is an old authentication library and, as I can see on its GitHub repository, there are some attempts to migrate it to CI 3.0, but I haven't been able to test any of them personally.
So, has anyone successfully integrated (or migrated) any of the previously mentioned libraries in large CI 3.0 web applications? Did you write your own? Did you stick with CI 2 until further CI 3.0 development, for that matter?
Update for the down votes
This post about authentication libraries in CodeIgniter was very popular and helpful. I believe that posts that help the community in that way should not be closed, at least not before some helpful answers. It has not been discussed anywhere before and I would really like to see the opinions of more experienced developers on that.
Don't let the down votes get ya down.
Check out Ion Auth:
https://github.com/benedmunds/CodeIgniter-Ion-Auth
Take a look at the read me; you will have to rename two files for CodeIgniter 3. Otherwise you can see that there are recent changes to the lib. The author, Ben Edmunds, is one of the four developers on the new CodeIgniter council: http://www.codeigniter.com/help/about
Please check Dnato System Login. It's a simple, fast and lightweight auth library for CodeIgniter.
Features:
- Add user
- Delete user
- Ban, unban user
- Register new user (token sent to email)
- Forgot password
- User role levels
- Edit user profile
- Gravatar user profile
- reCAPTCHA by Google
- And much more
Frontend: with the Bootstrap framework.
For a simple library, I use https://github.com/trafficinc/CodeIgniter-Authit (Authit). It is very simple so I can do a lot of customizations to it or just leave it be.
Check this library. It is very nice and has many features:
- login / logout
- login DDoS protection
- register and sign up via email (sends a verification code to your email)
- users can send private messages to other users
- user groups
- create permissions and access control
- errors in other languages
This library is for CI2, but if you search for it, you can find a lib for CI3.
http://codeigniter-aauth-test.readthedocs.io
I'm developing a Rails app which imports profile information from LinkedIn into a Rails DB.
It works fine a lot of the time, but over the last 2 weeks it suddenly stopped working...
Default application permissions on LinkedIn is only r_fullprofile.
I use the linkedin gem as a wrapper.
Fields to import: positions, educations, summary, languages, picture-url.
Error which I see in PROD logs:
LinkedIn connect failed: Scope NOT_AUTHORIZED : r_fullprofile
.rvm/gems/ruby-2.1.2/gems/oauth-0.4.7/lib/oauth/consumer.rb:178:in `request'
.rvm/gems/ruby-2.1.2/gems/oauth-0.4.7/lib/oauth/consumer.rb:194:in `token_request'
.rvm/gems/ruby-2.1.2/gems/oauth-0.4.7/lib/oauth/consumer.rb:136:in `get_request_token'
.rvm/gems/ruby-2.1.2/gems/linkedin-0.4.3/lib/linked_in/helpers/authorization.rb:22:in `request_token'
As I see in debug, for some reason the request token and secret are nil, so I decided that the API to authorize the client with my LinkedIn app does not work.
Also, I found an answer on Stack Overflow that some API rules were changed some time ago:
After May 12th, 2015, apps will no longer be able to request this member permission without being specifically reviewed by LinkedIn for compliance with the Apply with LinkedIn use case (https://developer.linkedin.com/docs/apply-with-linkedin) or some other partnership program membership which grants access to that permission.
But does some analog of the r_fullprofile permission exist now which gives access to all profile information from LinkedIn?
Here is what I found in Developer Program Transition Guide:
Access to the r_fullprofile member permission now requires explicit approval from LinkedIn. Additionally, the focus of this permission has changed to become much more specific. Going forward, data received from the Profile API using the r_fullprofile permission can only be used to complement your company's careers pages, as described further on the Apply with LinkedIn page.
If you are already using member data provided by r_fullprofile and you believe your application meets the new usage criteria, you will still be required to apply for permission on the Apply with LinkedIn page to maintain your application's ability to use the r_fullprofile member permission.
Here is a link for Apply with LinkedIn if you need it:
https://help.linkedin.com/app/ask/path/api-dvr
I have asked for API access to be restored for my application; I hope that LinkedIn support helps me.
Use Apply with LinkedIn to:
Round out your knowledge about a candidate’s background, their recommendations, interests and who’s in their network
Incorporate a candidate’s full profile data in your careers site
Make it easy for qualified candidates to apply to your company’s jobs
And in a few days I received an answer that my access to the API is restored!
Thanks, LinkedIn Review Team, they are great guys!
Browsing this website, I found some interesting suggestions: SocialAuth.net and DotNetOpenAuth.
I started using SocialAuth. It's very simple to use and it worked (I have only tried it with Google so far, though). My only problem with this library is that it doesn't provide a way to retrieve the Contacts from the providers it offers without logging you in with the new (or latest) provider you requested the list of Contacts from.
In other words, I MUST sign in my people with a local username and password for security reasons. BUT I would like to benefit from this library's feature of getting contacts from different providers. The thing is that it overrides my currently logged-in user (using FormsAuthentication) with the authentication token sent by Google.
Has anybody confronted this issue?
Does DotNetOpenAuth not have this flaw?
Thanks
Are you sure you understand OAuth?
It could be that I misread your question, and to be honest I don't have any experience with SocialAuth.net (will look into it).
To me it seems like you think SocialAuth.net requires you to log in; I know this is not the case in DotNetOpenAuth. The only place you need to log in (if you aren't already) is the service you are connecting with (Twitter, Facebook, etc.).
Of course it could also be that I just answered your question :D
Maybe you should check the latest changes in the source:
http://code.google.com/p/socialauth-net/source/list
As you can see, in r320 it seems they have fixed this issue.