Using this example eventually I would like to send the data to my server. The question is: if someone would break client script, replace email with some other email and sand it to my server? How can it be prevented? also, according to oauth standards I should verify the data on server side using client id and secret key, but I don't see any documentation regarding that in this particular related documentation.
You would not send unprotected data from the client to the server but you would send the access token that you've used to obtain the user info to the server side so the server side can retrieve that data from Google on its own
You should be using what Google refers to as the Server Side Flow (which is really more of a hybrid flow, involving both client side and server side components).
In this setup, you use the Google+ Sign-In button to navigate the OAuth handshake, but what comes back includes a very short-lived one-time-use code. Your client then sends this to your server, which exchanges it with Google's servers for an auth token, which can be used to get the email and other user information.
Related
I have implemented an OAuth 2.0 server-to-server authentication for a web application I am developing.
Both services are internal to my company, so I send a request from server A to server B containing the username, password, client_id and client_secret then I receive an access_token in response.
After that, I can send a second request from A to B containing the access_token in the header to pull some data.
The data retrieved from server B to server A is finally passed to the view in server A and shown to the end-user.
Therefore I never ask for any inputs to the end-user, because I am using the above "service account" to pull the data that I need. The end-users do not even know anything about such a connection in the background.
Having that said, I am now getting mad to explain to my colleagues that this is a secure approach.
I was wondering if somebody has any official documentation or best practices to share with me that can help to justify to the IT vertical that this approach is correct. I have been told that the basic auth method is not allowed in the company, but this is not really basic auth, isn't it?!
I cannot even find the right name for this, somebody refers to this method as password grant flow, somebody else as two-legged OAuth. The fact is, in my case all interaction happens server-server without any inputs needed from the end users.
Any help is much appreciated!
RESOURCE OWNER PASSWORD GRANT
You are using this flow between Server A and Server B, which is not recommended because OAuth applications should not have access to the the end user's password. It is more standard to use the Client Credentials Flow for Server to Server calls.
OAUTH TOKEN ISSUER
Another aspect that is non standard is that Server B should not issue its own tokens. It is more standard to use an off the shelf Authorization Server (AS) to deal with OAuth messages and token issuing. The AS is the only party that sees credentials - your UIs and APIs only ever use tokens, which have a short expiry compared to credentials.
I am trying to write a web app which uses sign in with google. I am a bit confused about the sequence of steps which should be followed. According to google docs , the normal flow for signing in a user is:
What i intend to figure out is:
1.) Am i supposed to send the IdToken with each and every subsequent API request from web to my server.
2.) what to do if someone steals this access token and sends a call to my server with it?
Quintessential information from your sketch is presented in Google's official publications:
A volatile token is generated and signed by the issuer (Google) and usually
expires after a rather short lifespan (related post, while not google-login-specific: What is intent of ID Token expiry time in OpenID Connect?). The Google docs describe how to send a token XYZ123 via https to
https://www.googleapis.com/oauth2/v3/tokeninfo?id_token=XYZ123
As #ian-barber writes here: "Be sure to always send ID tokens over HTTPS - though they can't be used maliciously in themselves, an attacker could use one to establish themselves a session with your app server if they could intercept it, so its important they aren't sent in plain text."
(Refreshed) tokens are to be used to authenticate users. Then your backend logic (the blue server part) can grant further privileges or e.g. transmit data in a post response. The API (JavaScript version) provides a toolset to monitor the user's session status.
As stated here, you must specify "authorized origins". Only authorized
origins may validate their client users through the Google Identity
API. Please note that even the port
matters, i.e. if you allow localhost:8080 as an authorized origin,
then localhost:9999 is not included! Additionally, the client ID per se is no secret and is naturally exposed in your html document or app. But only authorized origins are eligible to traverse the login workflow and transmit the token to the backend, where it is validated through calls to the API.
I'm working on an command line utility that requires access to a backend server over a REST API.
I'm trying to avoid implementing my own authentication mechanism and use one (or more) of the public auth services (like google, Facebook, amazon).
I am trying to make the client accept credentials and authenticate against the authentication provider and do that without asking the user go open a web browser and provide back a token. The client will be open sourced in order to avoid trust issues (i.e. the user credentials are not sent to my backend server).
I am not interested in authorization, I only care of authenticating against my backend server without having the user keep yet another set of credentials (and without sending the user credentials to my backend server).
How can I have my client authenticate with the auth provider and get a token to communicate back with my server without having the user use a web browser?
I realize you said "not open a web browser", but what about if that browser is on another device (e.g. their mobile?).
If that is acceptable, you can use the OAuth 2.0 for Devices approach, whereby you present the user a short alphanumeric code, which they enter on http://google.com/device to authenticate the request from another device. This OAuth flow is designed to work in environments which don't have browsers (like a command line).
To see a demo of this authentication flow in action, visit the YouTube TV site, press the ← key on your keyboard, and select Sign In.
It's also easy to try out yourself – create a OAuth client in the developers console (of type "installed application" -> "other"), and follow the curl examples in the docs (be sure to replace the demo code in the token request with the device_code received from the initial request to the code endpoint). Decode the resulting id_token using any of the example JWT decoders, like this one.
In your case, you should request the profile scope, which will return an id_token in the response to your token endpoint call, from which you can extract the user's Google profile id (the id token's sub field).
When requesting access to an application via OAuth 2.0 you need certain credentials. In the case of google the request URL which sends the user to a page to allow access contains the client ID and Secret. Does this not leave the data open for anyone to grab request access to apps on my applications behalf?
Also, is OAuth only possible through a browser or can it be achieved completely server side?
I'm pretty new to this so apologies if I'm missing something obvious.
Your calls to the OAuth 2.0 authorization server which contain your client ID and client secret MUST be made over an encrypted channel (= using SSL/TLS). The standard says (chapter 2.3.1):
The authorization server MUST require the use of TLS as described in Section 1.6 when sending requests using password authentication.
I am writing some code to get Twitter and Instagram feed. Before I can write any code, I keep wanting to get a good understanding of oAuth because I have this nagging feeling that it is not all that secure and that most times, for instance when accessing public tweets, it is an unnecessary hassel. I started reading the oAuth 2 specification to get a better understanding, I am still in the middle of it. And I have a host of questions.
Let's use Twitter as an example.
A user accesses your site. You redirect them to Twitter for authentication and to obtain the authorization_grant code.
I understand this part is secure because the user authentication and the redirect to your website will happen over ssl. Is it enough for Twitter to support SSL or does your site also have to support SSL for the redirect to be secure? You wouldn't want the authorization code to be transferred insecurely, right?
Now that you have your authorization_grant code, your site will send a request to Twitter to obtain an access token. When making this request your site will send the authorization_grant code, your client id and client secret. Again I guess the communication is secure because this will happen over ssl. But what if the site has included the client id and secret somewhere in its HTML or Javascript, especially if it is a static site with no server side code?
Should the redirect url always be handled by server side code and the server side code should make the request for access token without ever going through HTML or Javascript?
Once you have the access token, you will include it in your request to obtain the user's tweets, to post tweets on their behalf etc. Again if the site in question were to include the access token inside its HTML or JavaScript along with the client id and secret, that would be pretty insecure, right?
It seems all the security of oAuth stems from ssl and the client's ability to keep their client secret secret. Am I right in this conclusion?
Another thing - in the first step of the process, when the client redirects the user to Twitter to authenticate and obtain the authorization_grant code, they could send in their client id and secret and get the access token directly instead of making a second request for it. I think this is what they mean by the implicit method in the specification.
So, why was this extra step of sending a second request to obtain access token added in the specification? Does it increase security?
I am not sure about twitter API, I am talking with respect to stackexchange API
https://api.stackexchange.com/docs/authentication
Again I guess the communication is secure because this will happen
over ssl. But what if the site has included the client id and secret
somewhere in its HTML or Javascript, especially if it is a static site
with no server side code?
client_secret is send only in the case of explicit flow. Explicit flow should be used by server side application and care should be taken to keep the client_secret safe.
So, why was this extra step of sending a second request to obtain
access token added in the specification?
Well, Implicit flow is less secure than explicit flow since access toke is send to the user agent. But there is an attribute expire in the case of implicit flow which will get expired unless you have specified scope as no_expiry. Also server side flow can be used only by the apps that are registerd
It seems all the security of oAuth stems from ssl and the client's
ability to keep their client secret secret. Am I right in this
conclusion?
Again client_secret will be available in server side flow. But yes, client should take care that access_token is not given out
Check out this link. It gives an example of possible vulnerability in ouath.