I am implementing PSUOAuth2 for OpenBank Apigee - DevPortal (Drupal-8).
In creation of JSON Web Signature, few arguments are unclear to me.
(Check out specification here).
First is the private key, can I use any general private key or is there a specific private key to be used. (I checked in Apigee Interface, there is possibility to download a Public Key Certificate but no private key as they are never distributed).
Second in JOSE Header Object to be constructed there is a parameter called kid (described as ''certificate id" in specification).
Related
The requirement is, there would be two devices(alice and bob)generates public and private keys using diffie hellman. public keys would get exchanged bewteen both the devices (alice and bob) and generate a secret key with their private keys.
This is for iOS, either in Objective C or Swift. I have tried with raorafat(GitHub code) and other source codes; however, no solution was really drawn for my requirement.
One thing if I share my public key to server how would server deal with my public key to generate symmetric key.
You can use Apple's CommonCrypto library from Swift. For example of using CCDH, see https://opensource.apple.com/source/CommonCrypto/CommonCrypto-60118.50.1/test/CommonCrypto/CommonDHtest.c.auto.html
You can import it using
import CommonCrypto
in your Swift project.
I trying to implement DirectSend for ANH .NET SDK.
NotificationHubClient.SendDirectNotificationAsync(Notification notification, string deviceHandle);
I am wondering what is the best way to work with this Notification object? There is no documentation on this anywhere, unlike all of the SendNative calls that exist on the ANH client.
The abstract Notification class's constructor
public Notification(Dictionary<string, string> additionalHeaders, string tag);
What are the headers I need to include? At the moment I don't have any
Does it have to include a tag? I am not planning on using Installations or Registrations on my hub, so I won't have any tags to work with anyways?
I am assuming I need to make my own concrete types of Notifications and set all the other properties on this object, such as PlatformType, ContentType, and such?
Notification is an abstract class. There are per platform specific notification classes like: AppleNotification/AdmNotification/GCMNotification/WindowsNotification. You should use class corresponding to the platform you are targeting.
The below API helps to pass the additional platform specific headers. And there is no need to pass any tags for direct send.
public Notification(Dictionary<string, string> additionalHeaders, string tag);
You can find more information about DirectSend here: https://msdn.microsoft.com/en-us/library/azure/mt608572.aspx
Is there a way given a file of a public and a private key to en- and decrypt a String using dart? I'm talking about a high level interface for this because the existing libraries like cipher only enable low level access and a manual extraction of modulus and public exponent.
In the meantime, I wrote my own RSA implementation.
If anybody else needs something like this (high level
access to encryption and decryption methods), here
is the link:
https://github.com/Adracus/rsa
I need to use SHA-512 in my code to hash passwords.
Now I use o.s.s.authentication.encoding.PasswordEncoder while it is initialized to ShaPasswordEncoder(512).
In addition, o.s.s.authentication.encoding.PasswordEncoder supports method
String encodePassword(String rawPass, Object salt) that allow to store salt separately from the password.
Unfortunately, o.s.s.authentication.encoding.PasswordEncoder is deprecated.
Also, o.s.s.crypto.password.StandardPasswordEncoder supports only SHA-256.
In addition it is final class and does not allow its overloading to support SHA-512.
How to use SHA-512 with o.s.s.crypto.password.StandardPasswordEncoder?
Why there is no public method that allows to pass salt stored externally?
Well I must admit that it is not the most coherent part in Spring Security ... DaoAuthenticationProvider.getPasswordEncoder() returns a o.s.s.authentication.encoding.PasswordEncoder which is deprecated according to the javadoc !
The trick is that DaoAuthenticationProvider.getPasswordEncoder() takes an Object as parameter, and this Object may be a o.s.s.authentication.encoding.PasswordEncoder ... but do not try to do a get !
As per my understanding, o.s.s.crypto.password.StandardPasswordEncoder is an example with medium security and a fixed SHA-256. If you want a higher level of security, you can use a o.s.s.crypto.password.BCryptPasswordEncoder which uses the robust BCrypt algorythm with a configurable level. After viewing the sources, I can confirm than both use salt and store it internally in encoded password.
Perhaps somebody from Spring Security team could explain the reasons for those (discutable) choices regarding the impossibility to change digest algorythm but I cannot ; maybe it is simply because for using SHA it is enough to stick to the (not deprecated) ShaPasswordEncoder. I simply noted this remark in StandardPasswordEncoder : If you are developing a new system, BCryptPasswordEncoder is a better choice both in terms of security and interoperability with other languages.
So, either you follow the advice of the author of StandardPasswordEncoder, and use directly BCryptPasswordEncoder, or you will have to roll your own.
It is enough to copy the source of StandardPasswordEncoder, to stick to the org.springframework.security.crypto.password package, because there are package private imports, and modify the 2 argument constructor to be public as :
public ConfigurablePasswordEncoder(String algorithm, CharSequence secret) { ... }
All this is more a collections of workarounds than a clean solution, but I never found a better way !
As a conclusion, I would say that only the interface o.s.s.authentication.encoding.PasswordEncoder is deprecated, because it stores the salt outside of the encoded password. So it should not be used for further developpement of password encoders. But its implementation classes are not deprecated (neither in last 3.2 release version, nor in 4.0.0M2) and you can safely keep on using ShaPasswordEncoder if it meets your requirements.
I'm trying to use the sbt in xpages with a custom endpoint i.e a new one defined in faces config using the class com.ibm.sbt.services.endpoints.OAuth2Endpoint
The authorisation url it generates is in the format of
&client_id=xx&callback_uri=xxx
however the api i'm trying to use expects a parameter of redirect_uri
Looking at the spec for OAuth2 it appears that the convention is to use redirect_uri rather than callback_uri.
Is there a different end point class I can use which would use redirect_uri instead for the auth handler?
NB: I've searched the source code and "OAUTH2_REDIRECT_URI" isn't used anywhere so I guess not, which makes me think I've misunderstood how to use it
Thanks!
I had a similar issue for our Basecamp demo application for IBM Connect 2014.
I have inherited a new endpoint and handler for this purpose.
In the handler class I had to rewrite getAuthorizationNetworkUrl() and getAccessTokenForAuthorizedUser() methods to change those url parameters.
Overriding these methods might not be safe for the future of course. Instead, you might get the original URL and do some string operations to change desired parameters.
#Override
public String getAuthorizationNetworkUrl() {
String newUrl=super();
// Do string operations
return newUrl;
}
Checking if anything changed for the new version of SBT would be needed. I hope it helps.
You can use the SmartCloudOAuth2Endpoint, instead of the plain oauth2 endpoint. This endpoint is a custom endpoint for SmartCloud which uses redirect_uri
https://github.com/OpenNTF/SocialSDK/blob/cd373c78971bb31e1902f177eddcb33d029ae474/sdk/com.ibm.sbt.core/src/main/java/com/ibm/sbt/services/endpoints/SmartCloudOAuth2Endpoint.java