Oauth 2.O grant types

-

whats is Oauth?
it is a protocol which is helped to provide user's resource to a third application with user authorization also it allows, resource owner can be customized 3rd party application resource scope. so it allows a resource to 3rd party client based on users authorization. if you need more information about this protocol you can read this "Sample OAuth protocol base servers and client".  there are 4 type of actors in this protocol such as resource owner(user), 3rd party application, authorization server and resource server. we already discussed OAuth follow and other important stuff in our previous posts. so in this post, we are going to discuss OAuth grant types.

OAuth has 5 grant type those are authorization code grant type, implicit grant type, resource owner credential grant type, client credential grant type and refresh token grant type. however, we only consider up to four type of grant as main grant types because most of the systems don't use refresh token also it always uses one of other OAuth grant type. now let's discuss each and every grant type.



  • Authorization code grant.


  1. when a user tries to share his resource with 3rd party application the entire flow will start. if a user would like to share information with 3rd party client app, it will give an information about this resource owner(user) request to the authorization server.
  2. if that resource owner is already logged in, the authorization server will send a user consent page to the resource owner otherwise it enforces to log in.
  3. user customize or accepts 3rd party client requested scope and give this information to the authorization server.
  4. once authorization server received authorization approval from the resource owner it will be issued authorization code to the client app.
  5. then the client app will send the authorization code in HTTP POST request.
  6. it will be received an access token in HTTP response. 
  7. then client app going to ask resource from resource server by using the access token. 
  8. finally, the resource server will be issued resource to the third-party client.
    (note: there is a token validation procedure before the resource issue)
this grant type uses for the server-side web application like facebook funny application.
  • Implicit grant type

  1. the client application makes a resource request to the authorization server
  2. authorization server will check user session. if it not active, I will enforce to log in.
  3. once the user successfully logged in, authorization server will be issued an access token.
  4. now client application can access service from API by using token.
this grant type is using for client-side scripting languages (javascript) based website. browser plugin, google maps are real-world example of this grant type.



  • Client credential grant type

  1. the client provides his credentials to authenticate.
  2. the server will send an access token to the client after the authentication.
  3. then the client can access API by using server issued token.
this is using for the server to server communication it means, the client also must be a server. it does not exchange individual personal data. weather information and sports score cades updates are based on this grant type.

  • Resource owner credentials (password) grant.




    this grant type is mostly used by mobile applications. let's take Facebook as an example. facebook has a mobile application also it has web version but we use the same login credential for two different platforms to access our facebook account but how is it possible? because facebook app was developed by Facebook it means. both server and mobile app came from the same vendor. so, this kinked app we called as trusted app. hence if we use our Facebook credentials to log in through a mobile app, the mobile app will send the user credential to the authorization server. then it will validate credentials and give access token to the app. finally trusted mobile app will be communicating with API by using access token.

    • Refresh token
    if one of above-mentioned token was expired client app sent refresh token to authorization server and get access token again. but this time authorization server does not ask permission to the client owner. because he was issued the permission earlier. so client app can access the user resource until the user revokes the permission. however, most of the well know social media do not use this refresh token due to the security reason.




    Comments

    Post a Comment

    Popular posts from this blog

    Install android studio on the parrot os

    -
    Image
    parrot OS is based on Linux environment so we have to download Linux version of android studio. if you want Linux version android studio just click here . after the download is completed you will get the zip file of the android studio. so you need to unzip it first. then you can see several files within the unzipped folder. figure 1 represents the sample output. Figure 1 then go to bin folder which is stored in the unzipped folder. after opening the bin folder, you can see studio.sh shell script. if you execute that, the android studio will be running on your PC's.  Note:- you have to give execute permission to studio.sh for the current user before you execute studio.sh script. (sudo chmod u+x studio.sh) Figure 2 but we will be doing like this. it's annoying, so now we are going to the terminal command that is helped to us to access android studio by using terminal commands.  move your unzipped file to "/root" from Downloads. then go to "/usr
    Read more

    How to do simple brute force attack with burp suite

    -
    Image
    What is brute force attack? brute force is a kind of password based attack. normally attacker checks each and every possible combination until reaching the expected output. so an attacker should check the huge amount of data but the normal human cannot do this kind of things. that's why we must move on some predefine tools to do this kind of attacks. work through this is the sample login page. we are going to attack this page and get the login credentials.(note: this is a basic login form it does not have any prevention mechanism for brute force attack.) let's try any value on this form and capture the data packet for analyzing. after analyzed we can say these data packets have username and password, which we entered previously. so we have to forward this data packet to intruder tab (right click and select intruder option). now  go to the intruder and mark the target variables which are carrying username and password. The below figure shows that. Note:
    Read more

    PoC video of How to Hack Gmail and Bitcoin Wallet using SS7 flaw

    -
    Image
    A long time ago we published a report about how someone can hack WhatsApp with the SS7 by default. The standard SS7 exists for eons now with corrections, but GSM and telecom companies do not bother or trouble to repair their infrastructure against the standard. Now a Cyber ​​Security Company called Positive Technologies has released a video detail as anyone in any Gmail account can hack with a name and a phone number with the standard SS7. After the abduction of the Gmail account of the victim, the investigators then tried to steal a Bitcoin wallet with the same SS7 defect. Positive researchers sent their video to Thomas Fox-Brewster, an investigating reporter for Forbes, as well as details about hacking. What is the SS7 error? The vulnerability is found in the signaling system 7 or SS7, the technology used by telecommunication operators where the high-security message system and telephone calls depend. SS7 is a set of telephone signaling protocols developed in 1975 that make i
    Read more