How Safe Is It To Pass An URL With Token To Iframe SRC? - iframe

I need to authenticate an iframe that loads a site of a different domain.
I wanted to pass a JWT token through the src URL as follows:
<iframe src="https://otherdomain.com/landing?token=<token>" />
otherdomain.com will then use the token I passed in the URL to authenticate its request.
Is this a safe approach or is the token sent over the wire in clear text?
Are there better ways to do this?
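The question above has no answer on this page; the following is an added example (not code from the asker) of the alternative a defender would reach for: pointing the iframe at a token-free URL and handing the token over with postMessage, with an explicit target origin on the sending side and an origin check on the receiving side. The origins `https://otherdomain.com` and `https://app.example` are assumed placeholders, and the helper names are invented for the example.

```javascript
// Added example: delivering a token to a cross-origin iframe via postMessage
// instead of the src URL. Origins below are assumed placeholders.
const CHILD_ORIGIN = "https://otherdomain.com";   // the framed site
const PARENT_ORIGIN = "https://app.example";      // the embedding site (assumed)

// Anything after "?" (or "#") is part of the URL: it lands in browser history,
// in the framed site's access logs and, for same-protocol navigations, in the
// Referer header of resources the framed page loads. This check flags such URLs.
function tokenExposedInUrl(url) {
  const u = new URL(url);
  return u.searchParams.has("token") || /(^|[#&])token=/.test(u.hash);
}

// Parent side: the iframe is pointed at the landing page with no token at all.
function buildIframeSrc(path) {
  return new URL(path, CHILD_ORIGIN).toString();
}

// Parent side: deliver the token only to CHILD_ORIGIN. With an explicit
// targetOrigin the browser drops the message if the frame has navigated
// elsewhere, so the token never reaches an unexpected document.
function sendToken(frameWindow, token) {
  frameWindow.postMessage({ type: "auth-token", token }, CHILD_ORIGIN);
  return true;
}

// Child side (script on otherdomain.com): accept a token only from the known
// parent origin and only in the expected shape; returns whether it was accepted.
function makeTokenReceiver(onToken) {
  return function onMessage(event) {
    if (event.origin !== PARENT_ORIGIN) return false;
    const data = event.data;
    if (!data || data.type !== "auth-token" || typeof data.token !== "string") return false;
    onToken(data.token);
    return true;
  };
}

// Child side: the child then sends the token to its own backend with fetch()
// in an Authorization header, keeping it out of URLs entirely.
function authHeader(token) {
  return { Authorization: "Bearer " + token };
}
```

In the browser the parent calls `sendToken(iframe.contentWindow, token)` once the frame has loaded, and the child registers `window.addEventListener("message", makeTokenReceiver(handleToken))`. The token still travels inside TLS either way; the difference is what gets written to logs, history and Referer headers afterwards.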

Related

Get Jwt Payload from Google Sign-In without default Google popup

I'm trying to use Google Sign-In from my web application (asp.net vb.net).
Following the tutorial that Google provides, and using Google API libraries for .NET this is an easy task.
https://developers.google.com/identity/sign-in/web/sign-in
Now the result of this approach is that I check on the client for a googleUser.getAuthResponse().id_token which is a JWT and send this to my server side code with ajax for validation and to get the payload with the Google unique user Id and other infos.
All this happens on the same page, with a popup from Google, triggered by the default button they provide in the tutorial.
What I'm trying to accomplish is to obtain the same JWT (id_token) without the popup, but actually issuing a redirect to Google, when the user clicks on a custom "Log in with Google" button.
Sadly all the examples I found, even from Google itself, involve a much more complex interaction where you get a code from the server, which you then have to exchange for temporary and refresh tokens, and so on.
While the client-side approach with the popup window they provide gives you the JWT token immediately in response, not that code to request the token, which you then have to validate (I do this with the Google .NET APIs with GoogleJsonWebSignature.ValidateAsync(externalToken) and retrieve the payload that way).
Looking at the URLs in the popup, what I noticed that differs from all the examples I found that serve you the "code" for token exchange are these parameters: flowName=GeneralOAuthFlow and response_type=permission%20id_token
While the examples you find for server-to-server transactions all include calling Google with response_type=code
I tried tampering a bit with the popup URL to let it open in a new full window, copying and modifying the URL, but without much success. I'm redirected but without the id_token parameter.
Any hint would be much appreciated since I'm not able to find any documentation on response_type=permission%20id_token to query Google service.
Thanks in advance
For anyone interested... I found a solution. The url to redirect to is:
https://accounts.google.com/o/oauth2/auth?response_type=id_token&redirect_uri={0}&scope=https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile&client_id={1}&state={2}
Where
{0} is the redirect url on your server, registered inside google console for this client_id
{1} is your Google client_id
{2} is some querystring or variable you want back to your server when the redirect happens
It works... it gives you back the id_token directly, which you can verify with the Google .NET API with GoogleJsonWebSignature.ValidateAsync(id_token) and get as a result a payload (you have the payload class in the Google .NET API as well).
The only issue is that when Google comes back to your redirect URL with the id_token in the querystring, it uses a hash (URL fragment #), so nothing is passed to the server.
There are workarounds with JS to get the value and send it to the server with ajax, or redirect to the same page replacing the hash with ?, but this is very annoying.
I imagine there are serious security reasons for Google to do this, but from a dev standpoint it is really a pain.
Instead of all those hacks I resorted to the longer way, requesting response_type=code instead of the id_token, which returns a canonical querystring with ?code=...
If anyone knows how to get back the id_token without the hash in the URL it would be great.

How do I return an auth token to the google assistant using a website?

I want to implement an Actions for Google app that links to a user account in a Firebase project and queries their data. I have a website that is set up using Firebase UI that logs them in and redirects them to a dummy page that basically just says "You have been logged in." I cannot see any documentation anywhere that shows how to return this auth token to Google so the assistant can use it to query things on their account. Does anybody know how to accomplish this? I am using this documentation https://developers.google.com/actions/identity/google-sign-in-oauth?creation=no. This is the specific text I am not understanding.
"Your service creates an access token and returns it to Google by redirecting the user's browser back to Google with the access token attached to the request."
This basically means that, instead of returning a new page, you issue an HTTP redirect to a URL that they have sent you as part of the request. You will need to add some parameters to this URL that include the auth info, and this is how Google will get the information - via the redirect handled by the user's browser.
They provide some details further down in step 4 on that page, which reads
Send an HTTP response that redirects the user's browser to the URL
specified by the redirect_uri parameter. Include all of the following
parameters in the URL fragment:
access_token: the access token you just generated
token_type: the string bearer
state: the unmodified state value from the original request
The following is an example of the resulting URL:
https://oauth-redirect.googleusercontent.com/r/YOUR_PROJECT_ID#access_token=ACCESS_TOKEN&token_type=bearer&state=STATE_STRING

Manually set cookie value to disable Anti-forgery Token?

I still don't understand how the Anti-forgery Token works in MVC.
From the MSDN.
Anti-Forgery Tokens
To help prevent CSRF attacks, ASP.NET MVC uses anti-forgery tokens, also called request verification tokens.
The client requests an HTML page that contains a form.
The server includes two tokens in the response. One token is sent as a cookie. The other is placed in a hidden form field. The tokens are generated randomly so that an adversary cannot guess the values.
When the client submits the form, it must send both tokens back to the server. The client sends the cookie token as a cookie, and it sends the form token inside the form data. (A browser client automatically does this when the user submits the form.)
If a request does not include both tokens, the server disallows the request.
Here is an example of an HTML form with a hidden form token:
<form action="/Home/Test" method="post">
<input name="__RequestVerificationToken" type="hidden"
value="6fGBtLZmVBZ59oUad1Fr33BuPxANKY9q3Srr5y[...]" />
<input type="submit" value="Submit" />
</form>
My question is that we can find the hidden token value easily by looking at the source code (F12 in any browser). Then can we manually set the cookie by going to the Developer Tools (Ctrl-Shift-J or Tools -> Developer Tools) -> Console, where you can enter the JavaScript command:
document.cookie="keyofcookie=valueofcookie"?
Then we can manually set the tokens the same, and therefore disable the Anti-Forgery technology?
That cookie is HttpOnly and it cannot be set from JavaScript, since all the latest browsers implement HttpOnly. Also, both the cookie token and the form token contain different base64 encrypted information. Decryption will be server-side stuff.
Moreover, these tokens are not compared for equality. They complement each other for data. Also, you did not read the complete article. MVC has its own methods to validate the token as well.
Check if the link below helps.
https://www.codeproject.com/Articles/793384/ASP-NET-Anti-Forgery-Tokens-internals
As the documentation says:
Anti-forgery tokens work because the malicious page cannot read the
user's tokens, due to same-origin policies. (Same-origin policies
prevent documents hosted on two different sites from accessing each
other's content. So in the earlier example, the malicious page can
send requests to example.com, but it cannot read the response.)
That means copying the cookie value and using it from any different location will not work because of the said policy.

Does the redirect_uri param for the access token have to be the same as the one used for the request token

I apologize in advance for some confusion over the terminology. I get a bit confused with the whole OAUTH process.
I've noticed that I need to pass a redirect_uri to the facebook grant access token method even though I can't see how it's being used. My server is making the request and getting the response so there is no redirect going on. Plus it seems that the redirect uri in the granting access token call must be the same one used in the request access token call (I understand that it's needed in the request access token call but not in the grant access token call).
Not sure this is needed but here is the code I'm using in order to get facebook to grant the access token.
var url = String.Format(
"https://graph.facebook.com/oauth/access_token?client_id={0}&client_secret={1}&code={2}&redirect_uri={3}",
this.AppId,
this.AppSecretKey,
code,
System.Web.HttpContext.Current.Server.UrlEncode(this.CallbackUrl)
);
Yes, to help Facebook verify the request to exchange the auth code for an access token, the redirect_uri must be the same for both requests.
You're right in that to get the access token, no actual redirect is performed, the access token is returned in the body of the HTTP response.

Not getting into the callback url

I am using OAuth in my web application to access Twitter. My problem is I am not getting the token secret, and moreover when I run my application it asks the user for an authorization request. When the user clicks "allow", it does not go back to the callback URL. In fact it shows a blank untitled page with a URL having an oauth_token value and an oauth_verifier value.
Can someone throw light on this?
Before you send users to twitter.com to authorize the app you need to save the request token secret. When the user clicks allow they will return to the callback URL you specify. Once there you need to use the request token/secret to get an access token from Twitter that will let you perform API requests as a user.
http://dev.twitter.com/doc/post/oauth/access_token
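The answer's point is that the request token secret has to survive the round trip through twitter.com, because the callback only carries oauth_token and oauth_verifier. The following is an added example, not the answerer's code, of that bookkeeping: store the secret keyed by oauth_token before redirecting, then look it up, expire it and consume it when the callback arrives. The Twitter endpoint paths are the OAuth 1.0a ones implied by the linked documentation but are an assumption here; the store, timeouts, sample values and helper names are constructed.

```javascript
// Added example: persisting the OAuth 1.0a request token secret across the
// redirect to twitter.com. Store shape, values and timeouts are constructed;
// endpoint paths are assumed from the OAuth 1.0a flow, not taken from the page.
const AUTHORIZE_URL = "https://api.twitter.com/oauth/authorize";      // assumed
const ACCESS_TOKEN_URL = "https://api.twitter.com/oauth/access_token"; // assumed

const pendingRequestTokens = new Map(); // oauth_token -> { secret, createdAt }

// Step 1: after the request_token call returns oauth_token and
// oauth_token_secret, keep the secret server-side BEFORE redirecting the user.
// Returns the URL to send the browser to.
function rememberRequestToken(oauthToken, oauthTokenSecret, now = Date.now()) {
  pendingRequestTokens.set(oauthToken, { secret: oauthTokenSecret, createdAt: now });
  return AUTHORIZE_URL + "?oauth_token=" + encodeURIComponent(oauthToken);
}

// Step 2: the callback arrives with oauth_token and oauth_verifier in the query
// string. Without the secret saved in step 1 the access_token request cannot be
// signed, which is the "not getting the token secret" symptom in the question.
// Returns what the access_token call needs, or null if the callback is not
// for a pending, fresh request token. Each request token is consumed once.
function handleCallback(callbackUrl, maxAgeMs = 10 * 60 * 1000, now = Date.now()) {
  const q = new URL(callbackUrl).searchParams;
  const oauthToken = q.get("oauth_token");
  const verifier = q.get("oauth_verifier");
  if (!oauthToken || !verifier) return null;
  const rec = pendingRequestTokens.get(oauthToken);
  if (!rec) return null;                       // unknown or already consumed
  pendingRequestTokens.delete(oauthToken);     // single use
  if (now - rec.createdAt > maxAgeMs) return null; // stale request token
  return {
    endpoint: ACCESS_TOKEN_URL,
    oauth_token: oauthToken,
    oauth_verifier: verifier,
    signingTokenSecret: rec.secret,            // used with the consumer secret to sign
  };
}

// Number of request tokens still waiting for their callback (for monitoring).
function pendingCount() {
  return pendingRequestTokens.size;
}
```

In a real deployment the map would be a server-side session or a store shared across instances; a request token that is never redeemed is simply evicted when it exceeds maxAgeMs.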