How to access an API protected by Oauth2 from iguana using lua - oauth-2.0

I am trying to access an API endpoint that is protected by OAuth2 from Iguana (6.1.4) using the Lua programming language. I don't have any previous experience with Lua programming. I tried to use packages for that but wasn't able to use packages inside Iguana.
It would be great if someone could post code snippets of Lua client code to invoke the OAuth 2 secured API endpoints.

Related

Securing AbpServiceProxies/GetAll

Problem description
All the routes (URL(s)) for the API (including parameters to use) are accessible to unauthenticated users by calling this API AbpServiceProxies/GetAll which doesn't require any token and is not protected.
This opens the application for easy attacks.
Can you please tell me how to secure this API without affecting the normal functionality of the framework?
Abp package version: 7.4 (last version at the time of writing this issue).
Base framework: .Net Core.
Steps needed to reproduce the problem: Just call the API like https://ServerIP/AbpServiceProxies/GetAll
I expect to find a way to secure this API or, if that is not possible, at least list only public APIs that have no [Authorize] attribute.

Dart for Web REST API Login Example

There don't seem to be any examples of how to handle a login with a backend REST API with Dart. They all seem to use either a service or Firebase. Does anyone know of any good examples of a Dart for Web login using a backend API? I found this for Flutter https://medium.com/#kashifmin/flutter-login-app-using-rest-api-and-sqflite-b4815aed2149, but didn't know if there was an equivalent for Dart for Web.
Use the dart:html HttpRequest class itself
https://api.dartlang.org/stable/2.0.0/dart-html/HttpRequest-class.html
Web login shouldn't have anything specific for typical GET/POST requests. There are a couple of nice articles you can follow there.

DotNetOpenAuth OAuth 1.0a Consumer automation

I have a question regarding automation with OAuth 1.0a. I need to access a REST API at an OAuth provider on behalf of a user. The provider has OAuth version 1.0a implemented.
Please excuse my ignorance of OAuth in advance; it's new territory for me.
I'm working on a .NET MVC 5 project and installed the NuGet Package as follows: "Install-Package DotNetOpenAuth.OAuth.Consumer". This installed the following:
Attempting to gather dependencies information for package 'DotNetOpenAuth.OAuth.Consumer.4.3.4.13329' with respect to project 'projectname', targeting '.NETFramework,Version=v4.6.1'... successfully installed dependencies and the DotNetOpenAuth consumer package.
My goal is to access a REST API when triggered by an external source which is not human. In short, a controller is triggered by an external process and sends data to my application. Next, I will need to access the REST API of the provider in order to process the received data. So, no human eyes or hands are available to log in or copy a verifier of some sort.
I've been looking around and read about OAuth and the DNOA library. I kinda found that I have to obtain a RequestToken to start off with. I'm using the following code to achieve this:
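
    // Token manager holding the consumer key and secret issued by the provider
    InMemoryTokenManager tm = new InMemoryTokenManager("**consumerkey**", "**secret**");
    var serviceProvider = GetServiceDescription();
    var consumer = new DesktopConsumer(serviceProvider, tm);
    // Requests an unauthorized request token; the call returns the URL the user would visit to authorize it
    string reqToken;
    consumer.RequestUserAuthorization(null, null, out reqToken);
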
I read about the InMemoryTokenManager, ServiceProviderDescription and DesktopConsumer, and that is pretty clear to me, although I'm not surefooted about using DesktopConsumer instead of WebConsumer.
Now, I need to get a verification code from the Provider. But how to proceed next in order to get it?
I've looked at the UserAuthorizationResponse object which contains a property exactly for this purpose but I'm unable to figure out how to retrieve this.
With the request token and verification code I should be able to get an AuthorizedTokenResponse object and perform the REST API calls.
Can anyone help me out on this?

Is it possible to do out of band oauth2 authentication using the github API

I'm writing a VBA client which needs to post to GitHub. I'd prefer to use OAuth2 for authentication to keep it in line with implementations in other languages.
When specifying the redirect_uri, some OAuth2 providers allow you to specify an out-of-band URI, specifically:
urn:ietf:wg:oauth:2.0:oob
Since the VBA app is not web based, I can't specify a real redirect_uri. Does anyone know whether the GitHub API can support some form of out-of-band OAuth2 authentication like this, and if so, how to specify it in the GitHub Application console?

how to implement oauth2 on java restful services

I need help with OAuth 2.0 and Java RESTful (Jersey); any help would be appreciated. I need to find a way to implement OAuth2. Here's the scenario: we have a web-based application, and there are clients engaged with it. They're planning to have an API (RESTful service) so that it can be consumed on mobile devices (Android and iOS). (They can log in using mobile and update their accounts, etc.)
Now, my problem is how I will integrate OAuth2 for its security using Java and how I will create the authorization server.
I used to have the same question and ended up building an open-source project: srb4j, which is also based on Jersey and OAuth2.
Srb4j has implemented both token endpoints and resource endpoints for you. You can adopt a lot of its code to your own existing system.
Sorry for this advert, but it may help you...
java-oauth-server is a new authorization server implementation in Java (JAX-RS, Jersey, Jetty) which supports OAuth 2.0 and OpenID Connect.
The implementation is DB-less, because authorization data (e.g. access tokens), settings of the authorization server itself and settings of client applications are stored in the database on cloud. Therefore, you don't have to set up a database server before starting the authorization server.
Just 4 commands for downloading and starting the authorization server:

    git clone https://github.com/authlete/java-oauth-server.git
    cd java-oauth-server
    vi authlete.properties
    mvn jetty:run

The source tree of java-oauth-server is very small and customization points are abstracted as SPI (Service Provider Interface), so it will be easy to incorporate the authorization server implementation into your existing web service.
The implementation supports RFC 7636 (Proof Key for Code Exchange by OAuth Public Clients). It is a new specification (released in Sep. 2015) describing a countermeasure against the authorization code interception attack. If you want to expose Web APIs to mobile applications, I recommend that you look for an implementation that supports RFC 7636.
An explanation about RFC 7636 with graphical figures is here.
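An added example, not part of the answer above and not code from java-oauth-server, showing the RFC 7636 S256 check that answer recommends: the client derives a code_challenge from a secret code_verifier, and the server only redeems an authorization code for the party that can present the matching verifier. The `AuthorizationServer` class, its method names, the refusal of the "plain" method and the token format are assumptions made for illustration.

```python
import base64, hashlib, hmac, re, secrets

# RFC 7636 section 4.1: a code_verifier is 43-128 unreserved characters.
VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")  # no padding

def new_code_verifier() -> str:
    return b64url(secrets.token_bytes(32))  # 32 random octets -> 43 chars

def s256_challenge(verifier: str) -> str:
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

class AuthorizationServer:
    """Hypothetical in-memory server side, for illustration only."""
    def __init__(self):
        self.pending = {}  # authorization code -> code_challenge

    def authorize(self, code_challenge: str, method: str) -> str:
        if method != "S256":  # policy assumed here: refuse "plain"
            raise ValueError("unsupported code_challenge_method")
        code = secrets.token_urlsafe(16)
        self.pending[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: str):
        challenge = self.pending.pop(code, None)  # codes are single use
        if challenge is None or not VERIFIER_RE.fullmatch(code_verifier):
            return None
        if not hmac.compare_digest(s256_challenge(code_verifier), challenge):
            return None
        return secrets.token_urlsafe(24)  # constructed opaque access token

def demo() -> dict:
    server = AuthorizationServer()
    verifier = new_code_verifier()  # never leaves the legitimate client
    challenge = s256_challenge(verifier)
    # Code 1 is intercepted: the other party has the code but not the verifier.
    stolen = server.authorize(challenge, "S256")
    intercepted = server.token(stolen, new_code_verifier())
    # Code 2 is redeemed by the real client, then presented a second time.
    code = server.authorize(challenge, "S256")
    legitimate = server.token(code, verifier)
    replayed = server.token(code, verifier)
    return {"intercepted": intercepted is not None,
            "legitimate": legitimate is not None, "replayed": replayed is not None}
```

Calling `demo()` shows that only the client holding the original verifier obtains a token; the intercepted code and the replayed code are both refused.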
I ended up using this library https://github.com/BrightcoveLearning/oauth-client-examples/tree/master/amber-java and works like a charm, thanks to the author.

Resources