What Is OAuth Technology?
What is OAuth
OAuth (Open Authorization) is an open standard for token-based authentication and authorization on the Internet.
OAuth is pronounced "oh-auth".
OAuth allows an end user's account information to be used by third-party services, such as Facebook, without exposing the user's password. OAuth acts as an intermediary on behalf of the end user, providing the service with an access token that authorizes specific account information to be shared. The process for obtaining the token is called a flow.
So, I developed a sample application with Facebook to demonstrate this technology using OAuth 2.0's authorization_code grant type.
Generally, OAuth provides clients "secure delegated access" to server resources on behalf of a resource owner. It specifies a process for resource owners to authorize third-party access to their server resources without sharing their credentials. Designed specifically to work with the Hypertext Transfer Protocol (HTTP), OAuth essentially allows access tokens to be issued to third-party clients by an authorization server, with the approval of the resource owner. The third party then uses the access token to access the protected resources hosted by the resource server.
OAuth is a service that is complementary to and distinct from OpenID. OAuth is also distinct from OATH, which is a reference architecture for authentication, not a standard for authorization. However, OAuth is directly related to OpenID Connect (OIDC), since OIDC is an authentication layer built on top of OAuth 2.0. OAuth is also distinct from XACML, which is an authorization policy standard. OAuth can be used in conjunction with XACML, where OAuth is used for ownership consent and access delegation whereas XACML is used to define the authorization policies.
History of OAuth
OAuth began in November 2006 when Blaine Cook was developing the Twitter OpenID implementation. Meanwhile, Ma.gnolia needed a solution to allow its members with OpenIDs to authorize Dashboard Widgets to access their service. Cook, Chris Messina and Larry Halff from Ma.gnolia met with David Recordon to discuss using OpenID with the Twitter and Ma.gnolia APIs to delegate authentication. They concluded that there was no open standard for API access delegation.
At the 73rd Internet Engineering Task Force (IETF) meeting in Minneapolis in November 2008, an OAuth BoF was held to discuss bringing the protocol into the IETF for further standardization work. The event was well attended and there was wide support for formally chartering an OAuth working group within the IETF.
The OAuth 1.0 protocol was published as , an informational Request for Comments, in April 2010.
Since August 31, 2010, all third party Twitter applications have been required to use OAuth.
OAuth 2.0
OAuth 2.0 is not backwards compatible with OAuth 1.0. OAuth 2.0 provides specific authorization flows for web applications, desktop applications, mobile phones, and smart devices. The specification and associated RFCs are developed by the IETF OAuth WG; the main framework was published in October 2012.
Facebook's Graph API only supports OAuth 2.0. Google supports OAuth 2.0 as the recommended authorization mechanism for all of its APIs. Microsoft also supports OAuth 2.0 for various APIs and its Azure Active Directory service, which is used to secure many Microsoft and third-party APIs.
Let's go through it using the source code itself.
First, we need to send a request to Facebook's authorization endpoint requesting the authorization code (the "code" parameter).
The following code will give an idea of how we do it.
```javascript
function makereq() {
    var authendpoint = "https://www.facebook.com/dialog/oauth";   // Facebook authorization endpoint
    var responsetype = "code";                                     // authorization_code grant
    var appid = "304736406993872";                                 // client_id from the app dashboard
    var redirecturi = "https://localhost:8443/OAuthApp/callback";  // must be registered for the app
    var scope = "public_profile email groups_access_member_info publish_to_groups user_age_range user_birthday user_events user_friends user_gender user_hometown user_likes user_link user_location user_photos user_posts user_tagged_places user_videos";
    // Build the GET request; every parameter value is percent-encoded
    var requestEndpoint = authendpoint + "?"
        + "response_type=" + encodeURIComponent(responsetype)
        + "&client_id=" + encodeURIComponent(appid)
        + "&redirect_uri=" + encodeURIComponent(redirecturi)
        + "&scope=" + encodeURIComponent(scope);
    // Send the browser to the authorization server; it redirects back to redirecturi with ?code=...
    window.location.href = requestEndpoint;
}
```
The JavaScript above sends an HTTP GET request to Facebook's authorization server asking for the so-called "code" parameter.
As you can see, the request carries the following parameters:
- response_type="code"
- client_id
- redirect_uri
- scope
The developers.facebook.com home page looks something like the following image.
Then you need to set up a new application; the image below gives an idea of it.
Give your application a proper name.
It will then redirect you to a page where you can get your client id and secret.
You can set your redirect URI in the Facebook Login section: click it, select your application type, and after that you can set your redirect URI.
Everything is set now and we are good to go!
Back to the source code.
We sent the GET request to obtain the code. Now we need to extract it from the callback and send a POST request to Facebook's token endpoint to exchange it for an access token.
This request authenticates the client with a request header named
Authorization
whose value is
Basic followed by the Base64 encoding of CLIENT_ID:CLIENT_SECRET
The request is sent to the token endpoint and also carries the following parameters (the sample below appends them to the token endpoint URL):
- grant_type (authorization_code)
- code
- redirect_uri
- client_id
Let me show you the code for this request to get a better idea.
```java
// Imports this segment needs (Apache HttpClient 4.x and commons-codec); they go at the top of the servlet
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import org.apache.commons.codec.binary.Base64;
import org.apache.http.HttpResponse;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
String authorizationCode = request.getParameter("code");
if (authorizationCode != null && authorizationCode.length() > 0) {
    final String TOKEN_ENDPOINT = "https://graph.facebook.com/oauth/access_token";
    final String GRANT_TYPE = "authorization_code";
    final String REDIRECT_URI = "https://localhost:8443/OAuthApp/callback"; // must match the authorization request
    final String CLIENT_ID = "304736406993872";
    final String CLIENT_SECRET = "4cda1330b77ad69f10f00ceb0d624aa8"; // belongs in server-side configuration, not in source
    // Generate POST request; the grant parameters are appended to the token endpoint URL
    String enc = StandardCharsets.UTF_8.name();
    HttpPost httpPost = new HttpPost(TOKEN_ENDPOINT + "?grant_type=" + URLEncoder.encode(GRANT_TYPE, enc)
            + "&code=" + URLEncoder.encode(authorizationCode, enc)
            + "&redirect_uri=" + URLEncoder.encode(REDIRECT_URI, enc) + "&client_id=" + URLEncoder.encode(CLIENT_ID, enc));
    // Client authentication: HTTP Basic with base64(client_id:client_secret)
    String clientCredentials = CLIENT_ID + ":" + CLIENT_SECRET;
    String encodedClientCredentials = new String(Base64.encodeBase64(clientCredentials.getBytes(StandardCharsets.UTF_8)), StandardCharsets.UTF_8);
    httpPost.setHeader("Authorization", "Basic " + encodedClientCredentials);
    CloseableHttpClient httpClient = HttpClients.createDefault();
    HttpResponse httpResponse = httpClient.execute(httpPost);
    // the response is handled in the next code segment, which also closes this if block
```
The token arrives in a JSON object, from which we need to extract the access token.
```java
import java.nio.charset.StandardCharsets;
import org.apache.http.util.EntityUtils;
import org.json.simple.JSONObject;
import org.json.simple.parser.JSONParser;
import org.json.simple.parser.ParseException;
    // Read the whole response body; the token response is one JSON object, so it is parsed as a whole
    String responseBody = EntityUtils.toString(httpResponse.getEntity(), StandardCharsets.UTF_8);
    String accessToken = null;
    try {
        JSONParser parser = new JSONParser();
        JSONObject jsonobj = (JSONObject) parser.parse(responseBody);
        Object token = jsonobj.get("access_token");
        if (token == null) {
            // Error responses carry an "error" member instead of a token
            System.out.println("Token response contains no access_token: " + responseBody);
        } else {
            accessToken = token.toString();
            System.out.println("Access token: " + accessToken); // avoid logging the token itself outside a demo
        }
    } catch (ParseException e) {
        System.out.println("Error while parsing the token from facebook : " + e.getMessage());
    }
}
```
The code segment above extracts the so-called "access token" from the JSON object received from the token endpoint.
Finally, we can use this access token to obtain protected resources from Facebook's resource server.
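An added example, not the post's code, of the same token exchange in JavaScript: it builds the request with the Basic-auth client authentication used above, and parses the response in a way that handles the JSON the Graph API returns, the older `access_token=...&expires=...` form that the split("&") loop above was written for, and error responses. The client id and secret are placeholders, and the sample responses in the checks are constructed.

```javascript
// Added example (not the post's code): the token request for the authorization_code
// grant, and a parser for the token response. Client id and secret are placeholders;
// the secret lives in server-side configuration, never in a browser.
const TOKEN_ENDPOINT = "https://graph.facebook.com/oauth/access_token";
const REDIRECT_URI = "https://localhost:8443/OAuthApp/callback";
const CLIENT_ID = "EXAMPLE_APP_ID";
const CLIENT_SECRET = "EXAMPLE_SECRET";

// The POST the post's Java code sends: client credentials in an HTTP Basic header,
// grant parameters form-encoded in the body (RFC 6749; the post appends them to the URL).
function buildTokenRequest(code) {
  const credentials = Buffer.from(`${CLIENT_ID}:${CLIENT_SECRET}`).toString("base64");
  const body = new URLSearchParams({
    grant_type: "authorization_code",
    code,
    redirect_uri: REDIRECT_URI,  // must match the authorization request exactly
    client_id: CLIENT_ID,
  });
  return {
    method: "POST",
    url: TOKEN_ENDPOINT,
    headers: { Authorization: `Basic ${credentials}`, "Content-Type": "application/x-www-form-urlencoded" },
    body: body.toString(),      // send with fetch(url, { method, headers, body })
  };
}

// Extracts the access token. Current Graph API versions answer with JSON; the post's
// split("&") loop dates from the older "access_token=...&expires=..." form, handled
// here as a fallback. Error responses throw, so a missing token is never taken for success.
function parseTokenResponse(bodyText) {
  let fields;
  try {
    fields = JSON.parse(bodyText);
  } catch (_) {
    fields = Object.fromEntries(new URLSearchParams(bodyText));
  }
  if (fields.error) {
    const err = fields.error;   // RFC 6749 uses a string, Facebook an object with a message
    throw new Error(typeof err === "string" ? err : err.message || JSON.stringify(err));
  }
  if (typeof fields.access_token !== "string" || fields.access_token.length === 0) {
    throw new Error("token response contains no access_token");
  }
  return {
    accessToken: fields.access_token,
    tokenType: fields.token_type || "bearer",
    expiresIn: Number(fields.expires_in ?? fields.expires ?? 0),
  };
}
```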
OAuth Grant Types
The above application that I used to demonstrate is in my GitHub account.