I am trying to establinsh an OAuth 2.0 Auhorization code flow with PKCE support from Okta provider.
I try to set it up with the support of the built-in OAuth 2.0 support with advanced options but I don't find a way to tell the get access token request to use the "code" provided by the 'authorize' request did just before
Does anyone have an idea ?
Thanks
Olivier
Related
Since I don't know, and can't find information about this:
When I have an ASP.NET Core WebAPI with a AuthenticationController.cs where I have a Login()-method that generates a JWT Bearer token with JwtSecurityToken class, is that considered an OAuth2.0 and/or OpenID Connect (or neither)? And is my approach safe (enough) to protect my API?
I'm trying to understand OAuth2.0 and OpenID Connect, and if I'm using it already or not.
And if I should switch my way of security to something like IdentityServer for the use of OAuth2.0 & OpenID Connect.
JwtBearer token is just part of OAuth2.0 https://oauth.net/2/bearer-tokens/ but OAuth2.0 as topic itself is much bigger then just jwt token
And if I should switch my way of security to something like IdentityServer for the use of OAuth2.0 & OpenID Connect.
It depends on the requirement that if you want to maintain user information within your application or you want to delegate that task to another application like identityserver
In HWioauth Bundle we must provide infos_url but drupal doesn't seems to have such api url, and all said oauth2 require ssl. Is it neccessarily required that my app doesn't seem to get authorization_code from the oauth server(drupal site as a oauth server)
Yes, it's necessary for production environment. Because OAuth 2.0 use the client_id, secret_id and passwords in request URL as query variables.
But if you are using it development mode in your computer it will work. Https not a requirement for OAuth logic, it's about only security.
I'd like to use WePay.com for authentication and authorization using OAuth 2.0 and ASP.NET MVC 4 Web API.
I was reading through their tutorials online here and was thinking do I just go through these steps and store the access token in the database along with their user_id from WePay.
Should I use FormsAuthentication.SetAuthCookie() to create the
secure cookie?
Is this secure?
Or do I authenticate users be some other means (Facebook, Twitter, Basic, etc)?
You could actually use WePay as your Auth mechnaism. Make sure you checkout the C# SDK here: https://github.com/bradoyler/WePayASPNet
Yes, you would just have to call FormsAuthentication.SetAuthCookie('wepayusers email or auth token') after the wepay login callback.
Good luck.
I am looking for a good example for the Facebook C# SDK authorization flow. I am upgrading to version 6 of the SDK and I am having trouble understanding the new flow. I am using the following components:
Asp.net MVC3 Web application
Facebook C# SDK v6
FB Javascript SDK
I am trying to pass the access_token from the FB Javascript SDK to the server for further use.
This flow is outlined in the new documentation at:
http://csharpsdk.org/docs/web/getting-started
I have a the following questions:
Why are they passing the access token in a post vs parsing it out of the cookie.
Don't we need to verify the signed request at the server side before trusting the access token?
First you to have to Follow the conventions that Facebook Javascript SDK is giving to work it with C# SDK.
Answers.
1. Javascript SDK need post back of the page after login in to Facebook. You thoughts are right about getting token from cookie but think what if cookie is disable on browser? Posting access token is the best choice in both cases.
2.Access token already encrypted by Facebook so you dont need to worry about them. If you want more security then you enable encrypted access token in you app settings.
See http://developers.facebook.com/blog/post/572/.
Another thing is that if somehow somebody pass the invalid access token(XSS attack) in post back then also you don't need to worry because access token is validated on Graph API servers, so there less possibilities to effect your Facebook account. You can also enable HTTPS of site to make it more secure.
That's all what I have.
Thanks
Happy Socializing.. ;)
Dharmendra.
I am using Spring MVC project in the server to provide APIs to access data from both mobile-app and web-app.
Done research on security with Oauth 2.0 and thought Authorization code flow is suitable for both app's mentioned above, but little confusion on that. Can anyone tell which flow is best suitable for this type of scenario?
info:I need to implement Oauth 2.0 in server-side(Spring MVC project deployed in AWS).
If you are implementing your own authorization server and you already handle your consumerDB, I don't think you need an authorization code grant type of oAuth2. You can use Client Credential or ROPC. Authorization code is used when the log in is handled by a 3rd party (auth server).
There are 4 grant types in oAuth2 which is meant for different scenarios.. Refer : Securing an existing API with our own solution