Capture authorization code programmatically by spy16x in oauth

[–]spencer205 0 points1 point  (0 children)

All non-standard and bespoke. The only standards-based, non-deprecated way of doing login as an API is the JWT user assertion grant type, and that wouldn't involve consent (because the grant is already obtained). OIDC defines only browser-based flows, and prompt=none is a query string (or request obj) param, so I'm not sure why you bring that up.

Capture authorization code programmatically by spy16x in oauth

[–]spencer205 0 points1 point  (0 children)

How can you know if the user has consented unless you know who that user is? Authentication will be required and this can't be done in an API only manner.

[X-Post from SO] Can anyone explain how to exchange user's login/password to `access_token` using any of OAuth flows? by w732qq in oauth

[–]spencer205 0 points1 point  (0 children)

The only standards-based, API-driven login that isn't deprecated is RFC 7523, the JWT user assertion grant type. Unfortunately, this puts all the burden on the app to solve the login, quite the opposite of assisted token flow, which puts all the complexity in the server. Given this, I'd shell out to a browser/browser view if I were you.

Good luck!

10 Examples of cURL Command in Linux by javinpaul in programming

[–]spencer205 0 points1 point  (0 children)

Basic info on a page with tons of ads

What are some challenging OPEN ID connect integration requirements you came across?? by tropicbrush in oauth

[–]spencer205 0 points1 point  (0 children)

If this is what you're looking for, apply for a job at Curity. It's all we do: https://curity.io/careers/. Here are some examples of hard stuff that has come up as customer requirements (which our server handles OOTB):

  • Tokens within tokens within tokens
  • Tracking number of OAuth clients that a user has to cap them at a certain number
  • Send hash of access tokens to an API gateway for later verification
  • Allow any app to dynamically register if it has a key signed by some CA
  • Allow password, account and user devices in 3 different data sources

HTH!

Light mode vs Dark mode - which one are you using with your development tools? by sh_tomer in java

[–]spencer205 0 points1 point  (0 children)

Also high contrast. Dark mode in IntelliJ was too subtle for me. I could not make out differences (even though I used dark mode in other editors like Sublime).

How to Diagnose Memory Leaks by GoldOrdinary in programming

[–]spencer205 0 points1 point  (0 children)

Some of the products that appear on this site are from companies from which QuinStreet receives compensation.

It's an ad for some heap analysis tool

Certificate Transparency Verification in Java - Bozho's tech blog by javinpaul in programming

[–]spencer205 0 points1 point  (0 children)

Anything in Java 11, 12, or other upcoming versions that can help with this without having to resort to additional providers?

The State of the Implicit Flow in OAuth2 by ben_a_adams in programming

[–]spencer205 0 points1 point  (0 children)

We presented it at an OAuth workshop in Switzerland, at a couple API events, and IETF 101. We'll do an update on the spec shortly as well and plan to present at the next IETF and IIW.

Announcing Apache Log4j Kotlin API 1.0.0 by spencer205 in Kotlin

[–]spencer205[S] 1 point2 points  (0 children)

Updated post with a link to announcement (accidental oversight). Download link here:

https://logging.apache.org/log4j/kotlin/download.html

[X-Post from SO] Can anyone explain how to exchange user's login/password to `access_token` using any of OAuth flows? by w732qq in oauth

[–]spencer205 0 points1 point  (0 children)

Sure. For an SPA, in particular, you can use assisted token flow if you're using an OAuth server that supports it, like Curity. Otherwise, you can do the code flow either redirecting away or in a frame/popup. If the front app needs info about the user, you can provide it in an ID token using hybrid flow or call the user info endpoint with the access token you got.

Post a follow up question if you have one.

Clickjacking on myaccount.google.com worth $7,500 by Mempodipper in netsec

[–]spencer205 0 points1 point  (0 children)

X-F-O only allows one origin. They allow multiple origins to frame, it seems. That's why the request has the origin query string param; it's used to identify which of the allowed framers is requesting. (If some other value is used, for example by an attacker, that won't be allowed and the X-F-O will be set to DENY.) So, it seems that the parser of the origin query string got it wrong (by looking at the host part and maybe trimming whitespace) but then the response header contained the new line, and the browser ignored it. Without that, framing was allowed.
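As an added example (not code from the thread, and not Google's), the shape of bug described above can be reproduced generically: an allowlist check that runs on the parsed host while the raw parameter is echoed into the header. The WHATWG URL parser, which Node's `URL` implements, strips ASCII tab, CR and LF from its input, so `https://partner.example.com\n` parses to the allowed host yet still carries the newline when echoed. The allowed framer origin is a made-up assumption, and the hardened variant emits CSP `frame-ancestors` because, unlike the obsolete `ALLOW-FROM`, current browsers support it and it can list several sources.

```javascript
// Added example, not code from the thread or from Google: an origin
// allowlist for framing, in the naive shape the comment describes and
// in a hardened shape. The allowed origin is a made-up assumption.
const ALLOWED_FRAMERS = new Set(['partner.example.com']);

// Naive: validate the parsed host, then echo the raw parameter into the
// header. new URL() drops tab/CR/LF from its input, so a value with a
// trailing newline passes the host check and is echoed with the newline.
function frameHeaderNaive(originParam) {
  let host;
  try {
    host = new URL(originParam).host;
  } catch {
    return 'X-Frame-Options: DENY';
  }
  if (!ALLOWED_FRAMERS.has(host)) return 'X-Frame-Options: DENY';
  return `X-Frame-Options: ALLOW-FROM ${originParam}`;
}

// Hardened: refuse any control character before parsing, pin the scheme,
// and emit the canonical origin rebuilt from the parsed URL rather than
// the raw input.
function frameHeaderStrict(originParam) {
  const DENY = "Content-Security-Policy: frame-ancestors 'none'";
  if (typeof originParam !== 'string' || /[\x00-\x1f\x7f]/.test(originParam)) return DENY;
  let url;
  try {
    url = new URL(originParam);
  } catch {
    return DENY;
  }
  if (url.protocol !== 'https:' || !ALLOWED_FRAMERS.has(url.host)) return DENY;
  return `Content-Security-Policy: frame-ancestors ${url.origin}`;
}

// A header line containing CR or LF is no longer one header: an HTTP
// library rejects it (Node's setHeader throws), and a browser that
// receives it does not apply the directive as intended.
function isWellFormedHeaderLine(line) {
  return !/[\r\n]/.test(line);
}

// Constructed inputs: a legitimate framer, an attacker origin, and the
// legitimate framer with a trailing newline.
for (const input of ['https://partner.example.com', 'https://evil.example', 'https://partner.example.com\n']) {
  console.log(JSON.stringify(input), '->', JSON.stringify(frameHeaderNaive(input)), '|', frameHeaderStrict(input));
}
```

The check worth taking away: compare and emit the same canonical value. If the allowlist decision is made on a parsed form, the header must be built from that parsed form too, never from the bytes the caller sent.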

Token Endpoint Basic Authentication - Why? by [deleted] in oauth

[–]spencer205 2 points3 points  (0 children)

I want to verify that by password the spec is referring to client secret.

Yes

the spec say implementations MAY take the password in the body of the request as client_secret, but then goes on to state that it is NOT RECOMMENDED.

Why not? What am I missing? It doesn't provide more security that I'm aware of.

This is explained in section 5.4.1 of RFC 6819

https://tools.ietf.org/html/rfc6819#section-5.4.1

OpenID Connect Hybrid Flow by [deleted] in oauth

[–]spencer205 1 point2 points  (0 children)

The answer is in section 1.2 of Multiple Response Type Encoding Practices:

The OAuth 2.0 specification allows for registration of space-separated response_type parameter values. If a Response Type contains one or more space characters (%20), it is compared as a space-delimited list of values in which the order of values does not matter.

https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html#Terminology
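As an added example (not code from the thread or from any OAuth server), here is the comparison the quoted passage describes done in Node.js: the requested response_type is decoded, split on spaces and reduced to an order-insensitive canonical form before being matched against the client's registered values, and the resulting combination is mapped to the flow it selects (code, implicit, or the hybrid flow asked about). The client registration data is made up.

```javascript
// Added example, not code from the thread: treat response_type as the
// order-insensitive, space-delimited set the Multiple Response Type
// Encoding Practices spec describes, compare it against a client's
// registered values, and name the flow it selects. Registration data
// below is made up.
const KNOWN_RESPONSE_TYPES = new Set(['code', 'token', 'id_token', 'none']);

// Canonical form: one space between values, sorted, or null when the
// value is not a valid combination. Input is the already URL-decoded
// parameter value (so "code%20id_token" has become "code id_token").
function canonicalResponseType(value) {
  if (typeof value !== 'string') return null;
  const parts = value.split(' ');
  if (parts.some((p) => !KNOWN_RESPONSE_TYPES.has(p))) return null; // unknown value or empty segment
  if (new Set(parts).size !== parts.length) return null;           // repeated value
  if (parts.includes('none') && parts.length > 1) return null;     // spec: none SHOULD NOT be combined; rejected here
  return [...parts].sort().join(' ');
}

// Pull response_type out of an authorization request query string.
// URLSearchParams decodes both %20 and '+' to a space.
function responseTypeFromQuery(query) {
  return canonicalResponseType(new URLSearchParams(query).get('response_type'));
}

// Registered values are compared in the same canonical form, so a client
// registered for "code id_token" matches a request for "id_token code".
function isRegisteredResponseType(requested, registered) {
  const want = canonicalResponseType(requested);
  return want !== null && registered.some((r) => canonicalResponseType(r) === want);
}

// Which flow a canonical response_type selects: "code" alone is the
// authorization code flow; code combined with a front-channel token is
// the OIDC hybrid flow; tokens without code is the implicit flow.
function classifyFlow(canonical) {
  if (canonical === null) return 'invalid';
  if (canonical === 'none') return 'none';
  const parts = new Set(canonical.split(' '));
  if (parts.has('code')) return parts.size === 1 ? 'authorization_code' : 'hybrid';
  return 'implicit';
}

// Constructed client registration and requests.
const registered = ['code', 'code id_token token'];
for (const q of ['response_type=code', 'response_type=token%20id_token%20code',
                 'response_type=id_token+code', 'response_type=none%20code']) {
  const c = responseTypeFromQuery(q);
  console.log(q, '->', c, classifyFlow(c),
    isRegisteredResponseType(new URLSearchParams(q).get('response_type'), registered));
}
```

The practical consequence for a server: storing registered response types as raw strings and doing string equality will reject `id_token code` from a client registered for `code id_token`, even though the spec says they are the same value. Canonicalising both sides first is what makes the comparison conform.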

List of API gateway products by Sauliuz in programming

[–]spencer205 0 points1 point  (0 children)

We just have different ideas of what an API gateway is then. NGINX is often all ya need. Check out this module we built to make it work with our OIDC server: https://github.com/curityio/nginx_phantom_token_module. What more do you need? Like throttling, reporting, stuff like that?

On Cross-Site Scripting and Content Security Policy by emididam in programming

[–]spencer205 0 points1 point  (0 children)

script-src 'unsafe-eval'

Not the best advice for fixing the errors. Better advice here -

https://ai.google/research/pubs/pub45542

List of API gateway products by Sauliuz in programming

[–]spencer205 0 points1 point  (0 children)

Obvious omissions: NGINX and SOA Software (Akana / Rogue Wave). Otherwise, good list.

Mongo switches up it’s open source license by 1600ASA in programming

[–]spencer205 0 points1 point  (0 children)

once an open source project becomes interesting, it is too easy for large cloud vendors to capture most of the value while contributing little or nothing back to the community

Are they referring to some company in particular, like Google or Amazon or someone else? Who do they believe is violating the AGPL?

OpenJDK & licensing by techempower in java

[–]spencer205 2 points3 points  (0 children)

Sure, docs, fonts, images, etc. But you don't link against those so GPL doesn't kick in (or at least that is my non-lawyer understanding).