I am writing a webservice client which runs from the command line and accesses a service which uses Oauth2.
I seem to be getting the OAuth token correctly, and the first request to the webservice recognizes the token. However, the response is a 303 redirect (I have set CURLOPT_FOLLOWLOCATION => true), and the subsequent page says that I have supplied no authentication token.
Currently I am passing the oauth token by setting a header for the curl handle:
"Authorization: OAuth2 $oauth"
I suspect that the header is not being included in subsequent requests.
I tried setting CURLOPT_UNRESTRICTED_AUTH => true, to no avail (but according to the manual, that persists a username and password across redirects - not the authentication header).
The webservice allows for oauth tokens to be sent in an authentication header or in the URL (but not as a cookie). Setting the token in the URL returns the same redirect (i.e. without the token in the URL) hence I can't use this method with CURLOPT_FOLLOWLOCATION.
(The service does not allow OAuth tokens sent in cookies; PHP version is 5.6.)
Having discovered that lots of other bad things were happening on the Websense proxy I was connecting through (caching content known to be expired, caching POST responses!), I tried bypassing it altogether and all the problems vanished.
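Added example (not the asker's code) of the workaround that was being looked for before the proxy turned out to be the cause: follow the 303 by hand so the Authorization header is re-sent, but only to the origin of the first request, so the token is never handed to a different host on a cross-host redirect. It assumes PHP 7 or later, GET requests, and placeholder values for the URL and the $oauth token variable.

```php
<?php
// Added example, not the asker's code: manual redirect following that re-attaches
// the Authorization header only when the next hop is the same origin.
// Assumes PHP 7+, GET requests, and placeholder URL/token values.

function fetchWithToken(string $url, string $token, int $maxRedirects = 5): array
{
    $origin = parse_url($url) ?: [];
    for ($hop = 0; $hop <= $maxRedirects; $hop++) {
        $target = parse_url($url) ?: [];
        $sameOrigin = ($target['scheme'] ?? '') === ($origin['scheme'] ?? '')
            && strcasecmp($target['host'] ?? '', $origin['host'] ?? '') === 0
            && ($target['port'] ?? null) === ($origin['port'] ?? null);
        $headers = ['Accept: application/json'];
        if ($sameOrigin) {
            $headers[] = 'Authorization: OAuth2 ' . $token; // only sent to our own host
        }
        $ch = curl_init($url);
        curl_setopt_array($ch, [
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_HEADER         => true,            // keep headers so the body can be split off
            CURLOPT_FOLLOWLOCATION => false,           // redirects are followed by this loop
            CURLOPT_HTTPHEADER     => $headers,
            CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // never downgrade to plain http://
        ]);
        $raw = curl_exec($ch);
        if ($raw === false) {
            $err = curl_error($ch);
            curl_close($ch);
            throw new RuntimeException("curl error: $err");
        }
        $status   = curl_getinfo($ch, CURLINFO_HTTP_CODE);
        $body     = substr($raw, curl_getinfo($ch, CURLINFO_HEADER_SIZE));
        $location = (string) curl_getinfo($ch, CURLINFO_REDIRECT_URL); // resolved Location header
        curl_close($ch);
        if ($status >= 300 && $status < 400 && $location !== '') {
            $url = $location; // next hop; the header is re-added above only if same origin
            continue;
        }
        return ['status' => $status, 'body' => $body];
    }
    throw new RuntimeException('too many redirects');
}

// Placeholder token source; the question keeps the token in $oauth.
$oauth  = getenv('OAUTH_TOKEN') ?: '';
$result = fetchWithToken('https://api.example.com/resource', $oauth);
```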
I have already created an API using the PHP Slim framework. But I have an issue with securing my API. I want the API to be accessible only to authenticated users.
I have already added user login to my front-end Angular project. That is fine. But when someone directly calls the API endpoint, it shows the result related to that endpoint.
For example. I have the following endpoint.
slimapi/customers/view
This endpoint shows all the data in the customer's table.
When someone types this URL in the browser, it shows all data related to that API endpoint, but I want to show a custom message when someone tries to access my API endpoint without using the front-end application.
You can manage a JWT token.
When the client sends you a login request and the credentials match, you give the client a token. Then on every request you check whether the token is valid, and if so you grant access.
Just see the documentation of JWT:
https://github.com/tuupola/slim-jwt-auth
You could use the OpenID Connect protocol (based on OAuth 2 and JSON Web Tokens).
But this would maybe be overkill for most scenarios, because a JWT only makes sense if you have to scale the "session" over multiple servers and/or load balancers in the back-end infrastructure. Also, a simple logout is not possible with JWT-based tokens. If you start to manage JWT blacklists on the server side, the API will not be stateless anymore.
I think a very long API token within the HTTP header, e.g. a UUID, would be secure and good enough in most cases.
The HTTP Authorization request header contains the credentials to authenticate a user agent with a server, usually after the server has responded with a 401 Unauthorized status and the WWW-Authenticate header.
Syntax:
Authorization: <type> <credentials>
Basic Auth
Authorization: Basic YWxhZGRpbjpvcGVuc2VzYW1l
Token based
Authorization: Bearer eyJhbGciOiJIUzI1NiIXVCJ9...TJVA95OrM7E20RMHrHDcEfxjoYZgeFONFh7HgQ
UUID as Token
Authorization: Bearer bb79dfb5-17fd-4ebc-acd5-548e308e5f9a
Also make sure that all API requests are SSL (HTTPS) encrypted.
PS: If you just want to secure your API for a web application, a classic session with cookies is also good enough and very secure.
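Added example (not the answerer's code and not part of tuupola/slim-jwt-auth) of the "long random API token in the Authorization header" approach from this answer, as a Slim 3 style middleware that sits in front of routes such as /customers/view. It assumes a Slim 3 $app, PHP 7 or later, and a constructed in-memory token store in place of a database; tokens are stored hashed so a leaked copy of the store cannot be replayed.

```php
<?php
// Added example, not from the answer or the Slim project: Bearer-token middleware.
// Assumes Slim 3 ($app is a Slim\App) and PHP 7+. The store is a constructed stand-in.

// Constructed store: sha256(token) => user id. Real code would query a database.
$tokenStore = [
    hash('sha256', 'bb79dfb5-17fd-4ebc-acd5-548e308e5f9a') => 42,
];

function lookupBearerUser(string $authorization, array $store): ?int
{
    // Accept exactly "Bearer <token>" (RFC 6750 token characters); reject anything else.
    if (!preg_match('#^Bearer\s+([A-Za-z0-9\-._~+/]+=*)$#', $authorization, $m)) {
        return null;
    }
    // Hashing the presented token makes the lookup independent of the secret's bytes.
    return $store[hash('sha256', $m[1])] ?? null;
}

$app->add(function ($request, $response, $next) use ($tokenStore) {
    $userId = lookupBearerUser($request->getHeaderLine('Authorization'), $tokenStore);
    if ($userId === null) {
        // Challenge the caller instead of returning data to anonymous requests.
        return $response->withStatus(401)
            ->withHeader('WWW-Authenticate', 'Bearer realm="slimapi"')
            ->withJson(['error' => 'authentication required']);
    }
    // Downstream routes can read the authenticated user from the request attribute.
    return $next($request->withAttribute('userId', $userId), $response);
});
```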
So I am trying to implement Google Login in my application. On the client side I have an android App and a web app which interact with the restful API server in PHP (Cartalyst Sentinel 2.0 for authentication).
I am facing multiple issues.
REDIRECT URI
//setting up google api client
$client = new Google_Client();
$client->setClientId($CLIENT_ID_WEB);
$client->setClientSecret($CLIENT_SECRET_WEB);
$client->setRedirectUri($redirectUri);
$client->setScopes(array('https://www.googleapis.com/auth/userinfo.email','https://www.googleapis.com/auth/userinfo.profile','https://www.googleapis.com/auth/plus.me'));
To instantiate the client I need to provide a redirect URI. In the case of the client being a web app there seems to be no issue, as I am providing the same redirect URI at the client and server end. But when it comes to Android there is no redirect URI. I read somewhere that 'postmessage' as the redirect URI works, but it didn't for me. Without the redirect URI the client throws the error "invalid json token".
Any help on this ?
cartalyst_sentinel cookie as null in the requests from web client.
There seems to be no issue in the case of normal login (api.domain.xyz/login) through credentials. But when at the server end I log the client in from a different route (api.domain.xyz/blabla/google/login), the value of the cartalyst_sentinel cookie goes null even though the Set-Cookie headers were sent as response headers.
Set-Cookie header being sent (there are two, which worries me, but it works this way as well in the case of native login)
The cookie is becoming null in the requests which follow after login
I have read a lot by now about these issues and have tried n number of methods but none seem to be working.
There were only two things that seemed a bit valid.
The case of the redirect URI can be sorted out by instantiating the Google API client with a config file (Google JSON or developer key maybe).
The case of the missing cookie is due to cross-domain cookies, or maybe due to the login being done through a nested route (sounds silly, I know, but I found it somewhere on Google).
Any help appreciated.
I have an Angular app making $http requests to a PHP server. Once a valid login request has been submitted to the server, PHP creates a JWT and sets the token cookie using PHP's setcookie() function with the httponly flag set to true. This flag allows only the server to read the cookie. On each subsequent Angular $http request, the cookie is validated by PHP using $_COOKIE.
My question is would setting the cookie in PHP for only the server to read be safe enough from CSRF or would I need to have Angular create an additional XSRF token to be sent on each request to be evaluated as well?
I read the following Stormpath article but got a little lost on why he was setting an xsrfToken in the JWT payload. My guess was to have Angular create an XSRF token to match against.
Thanks for any advice/input.
CSRF attacks work by exploiting the fact that your authentication cookie is sent by the browser to the server automatically with each request. Normally, a JWT isn't passed to the server using a cookie, it's instead passed in the authentication header of your http request (it may be stored in a cookie on the client side but the cookie isn't used to pass the JWT to the server). Since you need to set the authentication header for each request, a CSRF attack cannot authenticate its malicious request since the browser isn't automatically sending an authentication cookie with each request. This is why JWTs help prevent CSRF attacks.
That said, if you store your JWT in a cookie and transfer the cookie back and forth, extracting the token to check authorization policies, then you are just as susceptible to CSRF attacks as standard cookie authentication. In this case you can add anti-forgery tokens to your requests to ensure that any HTTP requests that your server receives have come directly from your website.
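Added example (not the answerer's code and not taken from the Stormpath article) of the anti-forgery pattern the question asked about: the JWT stays in an HttpOnly cookie, the same random xsrfToken value is placed in the JWT payload and in a readable XSRF-TOKEN cookie, and the server accepts a request only when the X-XSRF-TOKEN header (the name Angular sends by default) matches the claim. It assumes PHP 7.3 or later for the setcookie() options array, an HS256 signing secret in $secret, and that $cookies and $headers stand in for $_COOKIE and the request headers.

```php
<?php
// Added example, not from the question, the answer or Stormpath: JWT in an HttpOnly
// cookie plus an xsrfToken claim echoed back in a header. Assumes PHP 7.3+.

function b64url(string $s): string { return rtrim(strtr(base64_encode($s), '+/', '-_'), '='); }
function b64urlDecode(string $s): string { return base64_decode(strtr($s, '-_', '+/')); }

function issueJwt(array $claims, string $secret): string
{
    $header  = b64url(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
    $payload = b64url(json_encode($claims));
    $sig     = b64url(hash_hmac('sha256', "$header.$payload", $secret, true));
    return "$header.$payload.$sig";
}

function verifyJwt(string $jwt, string $secret): ?array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) return null;
    [$header, $payload, $sig] = $parts;
    // Always recompute HS256 with our key; the token's own "alg" header is never trusted.
    $expected = b64url(hash_hmac('sha256', "$header.$payload", $secret, true));
    if (!hash_equals($expected, $sig)) return null;            // constant-time compare
    $claims = json_decode(b64urlDecode($payload), true);
    if (!is_array($claims) || ($claims['exp'] ?? 0) < time()) return null;
    return $claims;
}

// Login: one random value goes into the JWT and into a cookie that JavaScript may read.
function login(string $userId, string $secret): string
{
    $xsrf = bin2hex(random_bytes(32));
    $jwt  = issueJwt(['sub' => $userId, 'exp' => time() + 3600, 'xsrfToken' => $xsrf], $secret);
    $base = ['expires' => time() + 3600, 'path' => '/', 'secure' => true, 'samesite' => 'Strict'];
    setcookie('access_token', $jwt, $base + ['httponly' => true]);   // server-only
    setcookie('XSRF-TOKEN', $xsrf, $base + ['httponly' => false]);   // Angular copies it to the header
    return $xsrf;
}

// Each request: the cookie proves identity, the header proves our page made the request.
function authenticate(array $cookies, array $headers, string $secret): ?array
{
    $claims = verifyJwt((string)($cookies['access_token'] ?? ''), $secret);
    if ($claims === null) return null;
    $expected = (string)($claims['xsrfToken'] ?? '');
    $sent     = (string)($headers['X-XSRF-TOKEN'] ?? '');
    if ($expected === '' || !hash_equals($expected, $sent)) return null; // CSRF: cookie sent, header absent
    return $claims;
}
```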
I am currently learning about OAuth2, and I am slightly confused about one part of it. Does the OAuth2 server compare the domain in the JWT with the domain in the request header?
What prevents someone from ripping a bearer token out of a JS app and then using it to make fraudulent API requests? Even if HTTPS is used, the token sent back from OAuth2 still has to be stored before it can be used in subsequent requests, thus making it vulnerable. What am I missing?
Edit: what if I create an oauth2 token from a non-browser client and there is no domain name to match against?
Nothing prevents it from being used. That's why you store it safely or you don't store it at all.
So, I'm trying to use PHP Http sockets to execute a rest action on a distant server.
My goal is to have my PHP script automatically execute various actions that I usually perform when browsing "manually".
The distant website is an e-commerce oriented portal (no name provided) and connection is through HTTPS (I think that may be the problem here).
[There is no hacking here, just automation!]
I manage to execute several actions with my script like logging in to the website using my username and password, adding items to my cart etc.
Using Firebug I found that the action triggered for confirming the order is /createOrder, but when I try to validate my order using my script with my session cookies I get a 401 Unauthorized error (detailed below).
So I tried several times to access this action with cURL using my usual username and password, but I never manage to get access.
How is it possible that I could access it by browsing manually but not with my script? Is there a way to make it work?
Response headers include:
Server: Apache
X-Cnection: close
Content-Length: 1518
WWW-Authenticate: Basic realm="WebLogic Server"
X-Powered-By: Servlet/2.5 JSP/2.1t
"The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.46) containing a challenge applicable to the requested resource. The client MAY repeat the request with a suitable Authorization header field (section 14.8). If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials. If the 401 response contains the same challenge as the prior response, and the user agent has already attempted authentication at least once, then the user SHOULD be presented the entity that was given in the response, since that entity MAY include relevant diagnostic information. HTTP access authentication is explained in section 11."
Problem solved.
It was a cookie issue.
I was not sending the token cookie correctly.