oauth

OAuth2 Introspection with WSO2 ESB and WSO2 Identity Server

The OAuth2 specification defines several parties: the Client, the Resource Owner, the Authorization Server and the Resource Server. Here is the (textual) diagram from the spec:



     +--------+                               +---------------+
     |        |--(A)- Authorization Request ->|   Resource    |
     |        |                               |     Owner     |
     |        |<-(B)-- Authorization Grant ---|               |
     |        |                               +---------------+
     |        |
     |        |                               +---------------+
     |        |--(C)-- Authorization Grant -->| Authorization |
     | Client |                               |     Server    |
     |        |<-(D)----- Access Token -------|               |
     |        |                               +---------------+
     |        |
     |        |                               +---------------+
     |        |--(E)----- Access Token ------>|    Resource   |
     |        |                               |     Server    |
     |        |<-(F)--- Protected Resource ---|               |
     +--------+                               +---------------+

                     Figure 1: Abstract Protocol Flow

One flow the OAuth specification does not define is the call from the Resource Server back to the Authorization Server to validate an existing bearer token (or any other token).
The spec says:

     The interaction between the authorization server and resource server is beyond the scope of this specification.  The authorization server may be the same server as the resource server or a separate entity. A single authorization server may issue access tokens accepted by multiple resource servers.

In many cases the Authorization Server offers an API for this. For example, Google lets you call a TokenInfo API to validate tokens. Similarly, Facebook offers an API to "debug" a token. The WSO2 Identity Server also offers an API, but (shock and horror) we don't document it yet. The ESB and API Manager both use this API to validate OAuth2 bearer tokens. The ESB code is of course available, and with a quick look at the code and the use of TCPMON it didn't take me long to reverse engineer the API. This Gist has a sample SOAP-over-HTTP request against the WSO2 IS to validate a token:
It turns out that the OAuth Working Group at the IETF is working on this and has a draft specification available, using a RESTful service. They call it OAuth Token Introspection. I figured this would be easier (and more pleasant) to call from my Python code, so I knocked up a quick WSO2 ESB API mediation flow to convert from the RESTful API to the existing WSO2 SOAP-based API.
I know that Prabath and the security and identity team at WSO2 will soon add this useful REST API, but in the meantime, here is a quick hack to help you out. Please note that you need to hardcode the URL of the IS and the userid/password into the ESB flow. Also, I assume that if you don't provide a token_type_hint then this is a bearer token. And here is the Gist showing a sample interaction:
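To show what a Resource Server should do with the answer it gets back from introspection, here is an added Python example; it is not the author's ESB flow or either of the Gists. It assumes the JSON response fields of the OAuth Token Introspection draft (active, scope, client_id, username, token_type, exp); the sample responses and the client_id value in them are constructed, and the request builder defaults token_type_hint to bearer exactly as the post does.

```python
import json
import time

# Constructed sample introspection responses in the shape of the OAuth Token
# Introspection draft (not captured from WSO2 IS or the ESB shim).
ACTIVE_RESPONSE = json.dumps({
    "active": True,
    "scope": "read write",
    "client_id": "mqtt-gateway",   # constructed client identifier
    "username": "alice",
    "token_type": "bearer",
    "exp": 4102444800,             # 2100-01-01 UTC, far in the future
})
INACTIVE_RESPONSE = json.dumps({"active": False})


def build_introspection_request(token, token_type_hint=None):
    """Form parameters for the introspection POST; the hint defaults to 'bearer'
    when the caller does not supply one, mirroring the ESB shim's assumption."""
    return {"token": token, "token_type_hint": token_type_hint or "bearer"}


def check_introspection(body, required_scope, expected_client_id=None, now=None):
    """Decide whether a Resource Server may honour the token described by `body`.

    Returns (allowed, reason). Every failure path is explicit, so a malformed,
    inactive or expired answer is never mistaken for a success (default deny).
    """
    now = time.time() if now is None else now
    try:
        info = json.loads(body)
    except ValueError:
        return False, "introspection response is not JSON"
    # 'active' must be the JSON literal true; anything else is a refusal.
    if not isinstance(info, dict) or info.get("active") is not True:
        return False, "token not active"
    # 'exp' is optional in the draft; when present it must be a number in the future.
    exp = info.get("exp")
    if exp is not None and (not isinstance(exp, (int, float)) or now >= exp):
        return False, "token expired"
    if str(info.get("token_type", "bearer")).lower() != "bearer":
        return False, "unexpected token type"
    # Optionally pin the token to the client the Resource Server expects.
    if expected_client_id and info.get("client_id") != expected_client_id:
        return False, "token issued to a different client"
    # Scope is a space-separated list; the required scope must be present.
    granted = set(str(info.get("scope", "")).split())
    if required_scope not in granted:
        return False, "missing scope %s" % required_scope
    return True, "ok"
```

The point of returning a reason string is operational: a Resource Server that logs "token expired" versus "token not active" gives the operator something to correlate against the Authorization Server's own logs, and the default-deny shape means an unexpected field type cannot widen access.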




oauth

Using OAuth 2.0 with MQTT

I've been thinking about security and privacy for IoT. I would argue that as the IoT grows we are going to need to think about federated and user-directed authorization. In other words, if my device is publishing data, I ought to be able to decide who can use that data. And my identity ought to be something based on my own identity provider.

The latest working draft of the MQTT spec explicitly calls out that one might use OAuth tokens as identifiers in the CONNECT, so I have tried this out using OAuth 2.0 bearer tokens.

In order to do it, I used Mosquitto and mosquitto_pyauth, which is a handy plugin that lets you write your authentication/authorization logic in Python. As the OAuth provider I used the WSO2 Identity Server.

The plan I had on starting was:
  • Use a web app to go through the bootstrap process to get the bearer token. Encode an OAuth scope that indicates what permissions the token will have:
    • e.g. rw{/topic/#} would allow the client to publish and subscribe to anything in /topic/#
  • Encode the bearer token as the password, with a standard username such as "OAuth Bearer"
  • During the CONNECT, validate that the token is OK
  • During any publish or subscribe, validate the requested topic against the scope.
Here is a sequence diagram:


The good news - it works. In order to help, I created a shim in the ESB that offers a nice RESTful OAuth Token Introspection service, and I call that from my Python authentication and authorization logic.

I had to do a few hacks to get it to work.
1) I wanted to use a JSON array to capture the scopes that are allowed. It turns out that there was a problem, so I had to encode the JSON as a Base64 string. This is just a bug in the OAuth provider, I think.
2) I couldn't encode the token as the password, because of the way Mosquitto and mosquitto_pyauth call my code. I ended up passing the token as the username instead. I need to look at the mosquitto auth plugin interface more deeply to see if this is something I can fix or I need help from Mosquitto for.
3) mosquitto_pyauth assumes that if you have a username you must have a password, so I had to pass bogus passwords as well as the token. This is a minor issue.
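The plan above (scopes of the form rw{/topic/#}, checked on every publish and subscribe) together with the Base64-encoded JSON array from hack 1, as an added Python example that is not the author's pyauth plugin. It assumes the scope value handed back by the provider is a JSON array of rw{pattern} entries encoded in Base64, that r grants subscribe/deliver and w grants publish, and it uses constructed sample scopes; the token check at CONNECT is the introspection call and is not repeated here.

```python
import base64
import json
import re

# A scope looks like 'rw{/topic/#}': one or more mode letters, then an MQTT
# topic filter in braces.
SCOPE_RE = re.compile(r"^([rw]+)\{(.+)\}$")

# Constructed sample: the allowed scopes as a JSON array, Base64-encoded the
# way the post describes working around the provider.
SAMPLE_SCOPES = ["rw{/sensors/home/#}", "r{/public/+/temperature}"]
SAMPLE_SCOPE_CLAIM = base64.b64encode(json.dumps(SAMPLE_SCOPES).encode()).decode()


def decode_scope_claim(claim):
    """Turn the Base64(JSON array) scope value back into a list of scope strings;
    anything that does not decode cleanly yields no scopes at all."""
    try:
        scopes = json.loads(base64.b64decode(claim))
    except (ValueError, TypeError):
        return []
    if not isinstance(scopes, list):
        return []
    return [s for s in scopes if isinstance(s, str)]


def parse_scope(scope):
    """'rw{/topic/#}' -> ('rw', '/topic/#'); None if the scope is malformed."""
    m = SCOPE_RE.match(scope)
    return (m.group(1), m.group(2)) if m else None


def filter_covers(pattern, requested):
    """True if every topic matched by `requested` (a concrete topic or a
    subscription filter) is also matched by `pattern`, using the MQTT wildcards
    '+' (exactly one level) and '#' (this level and everything below)."""
    p_levels, r_levels = pattern.split("/"), requested.split("/")
    for i, p in enumerate(p_levels):
        if p == "#":
            return True                # '#' in the grant covers the rest
        if i >= len(r_levels):
            return False               # request is shorter than the grant requires
        r = r_levels[i]
        if r == "#":
            return False               # request wants more than the grant allows
        if p != "+" and p != r:
            return False               # a literal level must match exactly
        # a '+' in the grant covers one requested level, literal or '+'
    return len(r_levels) == len(p_levels)


def acl_check(scope_claim, access, topic):
    """access is 'read' (subscribe/deliver) or 'write' (publish); default deny."""
    need = {"read": "r", "write": "w"}.get(access)
    if need is None or not topic:
        return False
    for scope in decode_scope_claim(scope_claim):
        parsed = parse_scope(scope)
        if parsed and need in parsed[0] and filter_covers(parsed[1], topic):
            return True
    return False
```

The subtle case is a subscription: the client asks for a filter, not a topic, so the check has to be that the whole filter sits inside a granted pattern. Under rw{/sensors/home/#} a subscription to /sensors/home/# is fine, but /sensors/# is refused, because it would deliver topics the scope never granted.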

Overall it works pretty nicely, but there are some wider issues I've come up with that I'll capture in another write-up. I'm pretty pleased as I think this could be used effectively to help control access to MQTT topics in a very cool kind of way. Thanks to Roger Light for Mosquitto and Martin Bachry for mosquitto_pyauth. And of course to the WSO2 Identity Server team for creating a nice easy to use OAuth2 provider, especially Prabath for answering the questions I had.

Here is the pyauth plugin I wrote. Apologies for poor coding, etc. My only excuses are (1) it's a prototype and (2) I'm a CTO... do you expect nice code?!




oauth

Episode 376: Justin Richer On API Security with OAuth 2

Justin Richer, lead author of the OAuth2 In Action book discusses the key technical features of the OAuth2 authorization protocol and the current best practices for selecting the right parts of it for your use case.




oauth

Superstar Economists: Coauthorship networks and research output [electronic journal].




oauth

Collaboration in Bipartite Networks, with an Application to Coauthorship Networks [electronic journal].




oauth

SAS Notes for SAS®9 - 65885: The ability to connect to a Google BigQuery database via OAuth Authentication has been added to SAS/ACCESS Interface to Google BigQuery

The ability to connect to a Google BigQuery database via OAuth is now available with this hot fix. Three new options have been added, REFRESH_TOKEN=, CLIENT_ID=, and CLIENT_SECRET=. You can use these options with 






oauth

CryptoAuthSSH-XSTK (DM320109) - Latest Firmware





oauth

CryptoAuth Trust Platform Firmware





oauth

SOLVING IDENTITY AND ACCESS MANAGEMENT IN MODERN APPLICATIONS [Electronic book] : demystifying oauth 2.0, openid connect, and saml 2.0.

[S.l.] : APRESS, 2019.




oauth

The making of the modern world : connected histories, divergent paths (1500 to the present) / senior author, Robert W. Strayer ; coauthors, Edwin Hirschmann, Robert B. Marks, Robert J. Smith ; contributing authors, James J. Horn, Lynn H. Parsons

Strayer, Robert W., author