OAuth 2.0 authentication SSL - oauth-2.0

Is there any way to use OAuth 2.0 locally without SSL? I tried to execute it on my local server, but it says I need SSL to perform actions with OAuth 2.0.
Error: it was not possible to open the OAuth access token URL: establishing SSL connections requires the OpenSSL extension enabled
Is there any way to use OAuth 2.0 without SSL?
I'm using the PHP Client Library for OAuth 2.0.

The security of OAuth 2.0 is dependent on SSL; without it, anyone could see the bearer token that belongs to the user and use it to pretend to be them. However, if you need to turn SSL off for debugging purposes and your server is also written in PHP, then I would try taking a look at this: http://php.net/manual/en/oauth.disablesslchecks.php
Also, SSL is dependent on the server, not the client.

Related

provide API to mobile app with JWT token

I am developing a REST API in Spring Boot and it has to be consumed by an iOS application. I have implemented JWT tokens with OAuth 2.0 as security, and my web server has SSL. So the call will be made to
https://server:port//dataurl
with the token in the header. My question is: since my web server has SSL, will the connection channel be secured (because the token should be passed over a secure channel), or does the client side (the iOS app) also have to implement an SSL certificate? I am a little confused about how the SSL channel communication works. Any help is appreciated.
This link has a nice graph about how SSL works.
https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_7.1.0/com.ibm.mq.doc/sy10660_.htm
You can have a look at AFNetworking, whether or not you want to use it.
In particular, have a look at AFSecurityPolicy.h and how it is used in AFURLSessionManager.m. That could be a good starting point.

WebSphere Liberty Profile OIDC Client URL

I am trying to use the WebSphere Liberty Profile OIDC Client feature. I have the feature installed and configured, but I am confused about what URL I should be using to connect to it. In the WLP Knowledge Center, it shows an example like this:
https://server.example.com:443/oidc/endpoint/PROVIDER_NAME/authorize
But when my WLP server comes up, I see the following URL in the log:
com.ibm.ws.webcontainer.osgi.DynamicVirtualHost I addWebApplication SRVE0250I: Web Module OpenID Connect Client Redirect Servlet has been bound to default_host.
com.ibm.ws.http.internal.VirtualHostImpl A CWWKT0016I: Web application available (default_host): http://ibm669-r9v0dvb:11080/oidcclient/
I don't know whether to use 'oidcclient' (probably) or 'oidc'. I also don't know what to put as the PROVIDER_NAME. I tried using the ID of my openidConnectClient:
<openidConnectClient id="oidcRP"
clientId="${oauth.client.id}"
clientSecret="${oauth.client.secret}"
authorizationEndpointUrl="${oauth.authorize.endpoint}"
tokenEndpointUrl="${oauth.token.endpoint}"
httpsRequired="false"
redirectToRPHostAndPort="https://myhost.com:443"/>
I tried connecting with this, but it's not finding it:
http://ibm669-r9v0dvb:11080/oidcclient/endpoint/oidcRP/authorize?scope=openid&response_type=code&client_id=XXX&redirect_uri=https://myhost.com:443
com.ibm.ws.webcontainer.extension.DefaultExtensionProcessor W handleRequest SRVE0190E: File not found: /endpoint/oidcRP/authorize
Can anyone tell me what URL I should be using to connect to the client?
The Liberty openidConnectClient feature enables Liberty as a client to an OpenID Connect provider. The configuration parameters inside openidConnectClient are information about the OpenID Connect provider, for example, the provider's authorization endpoint and token endpoint.
What is your OpenID Connect provider? Liberty can also be configured as an OpenID Connect provider. If you also want to use Liberty as the OpenID Connect provider, you can create another Liberty instance and enable the openidConnectProvider feature.

Certificate Authentication with Paw App

In my case I want to test a REST API protected by certificate authentication.
I want to use the Paw app to test this REST API, but I can't find a way to insert/upload my client certificate and the truststore (JKS or PKCS12).
I wonder if it is possible in the Paw app to enable certificate authentication, and how to do that, or if there are any plans to implement that besides OAuth and HTTP Basic Auth?
Paw now supports client certificates! :)
https://luckymarmot.com/paw/doc/auth/ssl-client-certificates

How do I know if my data is really being transmitted using SSL on Heroku?

Here is my scenario:
I have a Rails app on Heroku and I'm forcing it to use HTTPS (using this tutorial: http://simonecarletti.com/blog/2011/05/configuring-rails-3-https-ssl/).
I created a POST form, and its action is "/my-action".
How do I know if my data is really being transmitted using SSL? I mean, shouldn't the form action be "https://mywebsite.herokuapp.com/my-action"?
Some considerations:
* I'm using the free heroku SSL (https://myapp.herokuaapp.com )
* This app is not using the heroku SSL endpoint addon
Thanks
If you have a valid SSL certificate and encryption key, then your data is accepted via SSL. Simply redirecting your website to use the HTTPS protocol doesn't encrypt your data flow, and this is what you were doing. Right now you are using Heroku, which does provide a free SSL service if you use its domain.
So, if your website can be accessed via https://myapp.herokuapp.com and the browser isn't giving any warning, then you are using the SSL service.
This doesn't apply to custom domains. Your custom domain will still be accessible with https://www.example.com, but it isn't SSL enabled.
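As an added example (not from the question or the answer above), here is a minimal Rack-style middleware showing how a Rails/Rack app deployed behind Heroku can tell whether a request arrived over HTTPS. Heroku's router terminates TLS before the request reaches the dyno and reports the original scheme in the X-Forwarded-Proto header, which Rack exposes as env["HTTP_X_FORWARDED_PROTO"]; "rack.url_scheme" covers the case where the app terminates TLS itself. The env keys and the app/middleware shape follow the Rack convention; the hostnames and requests are constructed sample values.

```ruby
# Added example, not the original poster's code: detect whether a request reached
# the app over TLS and force a redirect to HTTPS otherwise. This mirrors what Rails'
# force_ssl does for you, made explicit so the check itself is visible.
module HttpsCheck
  # True when the request came over TLS, either directly (rack.url_scheme) or via a
  # TLS-terminating proxy such as Heroku's router (X-Forwarded-Proto). Only trust the
  # forwarded header when the app is reachable solely through that proxy; a client
  # that can talk to the app directly could set the header itself.
  def self.secure?(env)
    return true if env["rack.url_scheme"] == "https"

    forwarded = env["HTTP_X_FORWARDED_PROTO"].to_s.split(",").first.to_s.strip.downcase
    forwarded == "https"
  end

  # Rack middleware: pass HTTPS requests through, redirect everything else to the
  # same URL under https://.
  class ForceSsl
    def initialize(app)
      @app = app
    end

    def call(env)
      return @app.call(env) if HttpsCheck.secure?(env)

      host = env["HTTP_HOST"] || env["SERVER_NAME"]
      location = "https://#{host}#{env["PATH_INFO"]}"
      query = env["QUERY_STRING"].to_s
      location += "?#{query}" unless query.empty?
      # A GET can be permanently redirected; a POST needs 307 so the browser resubmits
      # the body. Either way the first plaintext POST already left the browser in the
      # clear, which is why the page carrying the form must itself be served over HTTPS.
      status = %w[GET HEAD].include?(env["REQUEST_METHOD"]) ? 301 : 307
      [status,
       { "Location" => location, "Content-Type" => "text/plain" },
       ["Redirecting to #{location}"]]
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  app = HttpsCheck::ForceSsl.new(->(_env) { [200, { "Content-Type" => "text/plain" }, ["ok"]] })
  # Constructed sample request as it would look after Heroku's router on a plain-HTTP hit.
  plain_post = { "REQUEST_METHOD" => "POST", "rack.url_scheme" => "http",
                 "HTTP_HOST" => "myapp.herokuapp.com", "PATH_INFO" => "/my-action",
                 "QUERY_STRING" => "" }
  puts app.call(plain_post).first                                          # 307
  puts app.call(plain_post.merge("HTTP_X_FORWARDED_PROTO" => "https")).first  # 200
end
```

On the form-action question itself: a relative action such as "/my-action" is resolved by the browser against the URL of the page that contains the form, so if that page was loaded over https:// the POST goes over https:// as well. The middleware above is what guarantees the page is only ever served that way; the X-Forwarded-Proto check is the part that makes the test meaningful behind Heroku, where the dyno itself only ever sees plain HTTP from the router.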

Client certificate authentication in spring security

I need to configure client certificate authentication in Glassfish 3. I tried many scenarios but couldn't configure it. The requirement is that only the user who imported the .cer file can access the application.
So we need to configure it in such a way that we validate the .cer file that is uploaded into the browser (through which the client is trying to access the application).
Once the certificate file is validated, then we need to show the login screen (form login). After that we validate the username/password of the user.
I tried several configurations (in the applicationContext-security.xml file) but in vain.
Can anyone tell me how to configure Spring Security so that both client certificate authentication (done first) and then form login (done next) work?
Spring does not do SSL; it's Glassfish that is setting up the SSL connection. By the time the request has arrived in Spring Security, all Spring Security knows is that the request came in over a secure channel, but it does not know how the secure channel was configured.
To set up client certificate authentication you need to configure Glassfish to require a client-side certificate to set up the SSL connection and to refuse the connection if the client does not provide a valid certificate.
This way you will get the behavior you want: if the client does not present a valid certificate to Glassfish, Glassfish never routes the call to Spring.
I don't know how to set up client-side SSL authentication with Glassfish, so I can't help you with the exact details, but Google should know the answer.
