Sample OAuth protocal base servers and client

this application was created by spring boot. it has 3 major component those are authorization server, resource server and client-server. each component should have unique tomcat instance to running itself.

  • Client-Application: this application is running on localhost:9999 port. it has 3 classes, which are in main/java directory. those classes are App.java, AppController.java and AppRestController.java also, the client application has index.html file and some other clients site languages file within the resource/static file. App.java is main class for this client application. AppConroller class sets paths for each file. last class is AppRestController. it will do OAuth follows.
  • Authorization server: it is running on localhost:8081 and also it has 3 classes which are AuthorizationServer.java, OAuthConfig.java and SecurityConfig.java. 1st one is main class it uses to run the application. another one contains OAuth protocol functions. the last one defines the security aspect of each path.
  • Resource server: it is running on localhost:8082. this also has three classes those are  ResourceServer.java, User.java and UserData.java. this application does not have any database connections so user informations store into the UserData class with list format. User.java class maintain the user information and ResourceServer.java class is the main class of this server.

How this work?
1st we have to start up each server like this.
the path shows, where I store the server on my computer.

then you will get the client application when you visit this link (localhost:9999). that client app has a button called login with OAuth2.0. if you click that button, you will redirect to the Authorization server is Authorization endpoint.

that Authorization server promotes the resource owner login page 
after provides the username and password, authorization server will provide user consent page. that user consent page will ask permission of the resource owner for giving the client app.
if you authorized, authorization server provides Authorization code to the client's redirection endpoint. after that client makes the request for Authorization server's token endpoint with an Authorization code. then authorization code will provide the access token to the client server. then client makes resource request for the resource server with an access token. before providing the resource, resource server validates the access token with the Authorization server help. if validation succeeds, the resource server will send the resources to the client.

HOW TO GET RESOURCES FROM RESOURCE SERVER WITHOUT CLIENT APP
STEP1
we have to make authorization code request to the authorization server. that request should be below format 
"AuthorizationServerUrl + ResponseType + Clientid + RedirectionUrl + scope"(it must be get request)


sampleUrl:"http://localhost:8081/auth/oauth/authorize?response_type=code&client_id=1000123456&redirect_url=http://localhost:9999/oauth/access?key=value&scope=user_read%20user_write"

resource owner after permit the user consent page we will get the authorization code in redirectionUrl. below image shows this.

STEP2
make a access token request to the authorization server. that request should be POST request because it carries cilentID and clientSecret in the header(like this "clientID:clientSecret") and also requests body has clientID, redirectionUrl, grantType and authorization code. user ID and SECRET are given by authorization server when the client was registering. also HTTP header must be base64 encoded.

sample header 

sample body

the HTTP respone might be like this


STEP3
make the resource request to the resource server. that HTTP GET request header should have token type and value.
sample request

sample response 
this response should be a XML value.

you can get the source code from this link.

IF YOU HAVE ANY DOUBT ABOUT OAUTH PROTOCOL PLEASE CHECK THOSE LINKS. LINK1 LINK2

Comments

Popular posts from this blog

How to do simple brute force attack with burp suite

Install android studio on the parrot os

PoC video of How to Hack Gmail and Bitcoin Wallet using SS7 flaw