GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → koenbuyens → Vulnerable-OAuth-2.0-Applications

koenbuyens / Vulnerable-OAuth-2.0-Applications

Licence: other
vulnerable OAuth 2.0 applications: understand the security implications of your OAuth 2.0 decisions.

Programming Languages

javascript
184084 projects - #8 most used programming language
CSS
56736 projects
HTML
75241 projects
Dockerfile
14818 projects

Labels

securityoauthjwt-tokenrefresh-tokenpassword-grantauthorization-code-grantclient-credentialsresource-owner-grant

Projects that are alternatives of or similar to Vulnerable-OAuth-2.0-Applications

oidc
Easy to use OpenID Connect client and server library written for Go and certified by the OpenID Foundation
Stars: ✭ 475 (+112.05%)
Mutual labels:  oauth, refresh-token
JwtAuthDemo
ASP.NET Core + Angular JWT auth demo; integration tests; login, logout, refresh token, impersonation, authentication, authorization; run on Docker Compose.
Stars: ✭ 278 (+24.11%)
Mutual labels:  jwt-token, refresh-token
oauth2-server
A spec compliant, secure by default PHP OAuth 2.0 Server
Stars: ✭ 6,128 (+2635.71%)
Mutual labels:  oauth
mediastack
All in one Docker Compose media server
Stars: ✭ 42 (-81.25%)
Mutual labels:  oauth
add-to-org
A simple Oauth App to automatically add users to an organization
Stars: ✭ 24 (-89.29%)
Mutual labels:  oauth
login-server
Login and connect accounts with multiple identity providers
Stars: ✭ 28 (-87.5%)
Mutual labels:  oauth
IdentityServer4.PhoneNumberAuth
Sample passwordless phone number authentication using OAuth in ASP.NET Core 2.2
Stars: ✭ 83 (-62.95%)
Mutual labels:  oauth
Twitch
[READ ONLY] Subtree split of the SocialiteProviders/Twitch Provider (see SocialiteProviders/Providers)
Stars: ✭ 20 (-91.07%)
Mutual labels:  oauth
goth fiber
Package goth_fiber provides a simple, clean, and idiomatic way to write authentication packages for fiber framework applications.
Stars: ✭ 26 (-88.39%)
Mutual labels:  oauth
oauthproxy
This is an oauth2 proxy server
Stars: ✭ 32 (-85.71%)
Mutual labels:  oauth
xing-android-sdk
The Official XING API client for Java/Android
Stars: ✭ 33 (-85.27%)
Mutual labels:  oauth
VKontakte
[READ ONLY] Subtree split of the SocialiteProviders/VKontakte Provider (see SocialiteProviders/Providers)
Stars: ✭ 82 (-63.39%)
Mutual labels:  oauth
lumen-oauth2
OAuth2 module for the Lumen PHP framework.
Stars: ✭ 29 (-87.05%)
Mutual labels:  oauth
twauth-web
A simple Python Flask web app that demonstrates the flow of obtaining a Twitter user OAuth access token
Stars: ✭ 65 (-70.98%)
Mutual labels:  oauth
AzureADAuthRazorUiServiceApiCertificate
Azure AD flows using ASP.NET Core and Microsoft.Identity
Stars: ✭ 41 (-81.7%)
Mutual labels:  oauth
socialigniter
This is core install of social igniter application. Please follow the Readme below
Stars: ✭ 78 (-65.18%)
Mutual labels:  oauth
supabase-ui-svelte
Supabase authentication UI for Svelte
Stars: ✭ 83 (-62.95%)
Mutual labels:  oauth
CleanArchitecture-Template
This is a solution template for Clean Architecture and CQRS implementation with ASP.NET Core.
Stars: ✭ 60 (-73.21%)
Mutual labels:  jwt-token
httpx-oauth
Async OAuth client using HTTPX
Stars: ✭ 55 (-75.45%)
Mutual labels:  oauth
phabricator-extensions
Github mirror of "phabricator/extensions" - our actual code is hosted in phabricator
Stars: ✭ 13 (-94.2%)
Mutual labels:  oauth
View All Similar Projects ➔

OAuth 2.0: Security Considerations

TL;DR

We show how to use OAuth 2.0 securely when using a Classic Web Application, a Single Page Application, and a Mobile Application as clients. For each of these clients, we elaborate on the overall design, implement that design, and touch upon common security mistakes. You can exploit these mistakes by deploying the damn vulnerable OAuth 2.0 applications.

Introduction

In this article, we elaborate on common security mistakes that architects and developers make when designing or implementing OAuth 2.0-enabled applications. The article not only describes these mistakes from a theoretical perspective, but also provides a set of working sample applications that contain those mistakes. This serves three purposes:

  1. developers are able to identify a missing security control and learn how to implement it securely.
  2. architects and developers are able to assess the impact of not implementing a security control.
  3. Testers are able to identify the mistakes in a running application.

The article is structured as follows. Section Background introduces the OAuth 2.0 Protocol using a running example. The subsequent sections show how to use OAuth 2.0 when using a Classic Web Application, a Single Page Application, and Mobile Application as clients. For each of these sections, we elaborate on the overall design, implement that design using the MEAN stack, and touch upon common security mistakes. Section Checklists summarizes this article in the form of checklists for architects, developers, and testers. Finally, Section Conclusion concludes.

Note: the mistakes are common across technology stacks; we use the MEAN stack for illustration purposes only.

Running Example and Background

Our canonical running example consists of a web site that enables users to manage pictures, named gallery. This gallery application is similar to flickr.com in the sense that users can upload pictures, share them with friends, and organize those pictures in different albums.

As our gallery application became quite popular, we got requests from various companies to integrate with our gallery application. To that end, we decided to open up the REST API that forms the foundation of our application towards those companies. These companies use the following types of clients:

  • a third-party website that allows users to print the pictures hosted at our gallery site, named photoprint.
  • a third-party mobile application that enables users to upload pictures, named mypics.
  • a first-party mobile application that enables gallery users to upload pictures and change their profile, named mobilegallery.
  • a single-page application displaying a live feed of a posted pictures, named livepics.

As we are concerned about security, users should be able to give those third-party applications permission to access their pictures without providing their username and password to those applications. It seems that the OAuth 2.0 protocol might help achieve our goals.

Our running example consists of a photo gallery API that can be accessed by many applications

OAuth 2.0 is a standard that enables users to give websites access to their data/services at other websites. For instance, a user gives a photo printing website access to her pictures on Flickr. Before performing a deep-dive into the specifics of OAuth 2.0, we introduce some definitions (taken from auth0):

  • Resource Owner: the entity that can grant access to a protected resource. Typically this is the end-user.
  • Client: an application requesting access to a protected resource on behalf of the Resource Owner. This is also called a Relying Party.
  • Resource Server: the server hosting the protected resources. This is the API you want to access, in our case gallery.
  • Authorization Server: the server that authenticates the Resource Owner, and issues access tokens after getting proper authorization. This is also called an identity provider (IdP).
  • User Agent: the agent used by the Resource Owner to interact with the Client, for example a browser or a mobile application.

In OAuth 2.0, the interactions between the user and her browser, the Authorization Server, and the Resource Server can be performed in four different flows.

  1. the authorization code grant: the Client redirects the user (Resource Owner) to an Authorization Server to ask the user whether the Client can access her Resources. After the user confirms, the Client obtains an Authorization Code that the Client can exchange for an Access Token. This Access Token enables the Client to access the Resources of the Resource Owner.
  2. the implicit grant is a simplification of the authorization code grant. The Client obtains the Access Token directly rather than being issued an Authorization Code.
  3. the resource owner password credentials grant enables the Client to obtain an Access Token by using the username and password of the Resource Owner.
  4. the client credentials grant enables the Client to obtain an Access Token by using its own credentials.

Do not worry if you do not understand the flows right away. They are elaborated upon in detail in subsequent sections. What you should remember is that:

  • Clients can obtain Access Tokens via four different flows.
  • Clients use these access tokens to access an API.

An OAuth 2.0 Enabled Application: Architecture, Design, Implementation, and Testing: Common Mistakes

You make many design decisions when architecting an OAuth 2.0 enabled application. Read Architect: Major Design Decisions to understand the security impact of major design decisions, such as the selected OAuth 2.0 grant, the use of refresh tokens, and integrating with third parties.

Once you selected the grants, you need to make various local design decisions as well as implementation decisions.

Conclusion

In this article, we showed how to use OAuth 2.0 securely when using

References

Partially taken from https://oauth.net/2/.

OAuth 2.0 Core

Mobile and Other Devices

Token and Token Management

Other Extensions

Community Resources

Protocols Built on OAuth 2.0

TODOs

  • Photoprint: implement obtaining a profile, authenticating, and storing orders (to illustrate OpenId connect).
  • Gallery: refresh token, support for other grants.
  • Classic Web App: remaining security considerations.
  • Mobile Application: all
  • SPA: all
Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].