oauth 2.0 - OAuth2 with Implicit client and csrf protection -


i have api want secure oauth2. did dummy test password grant_type , works. can request tokens, access secured endpoints it, etc. server acts authorization , resource server.

later on read should using implicit grant_type client javascript app.

my client configured so:

@override public void configure(final clientdetailsserviceconfigurer clients) throws exception {// @formatter:off clients     .inmemory().withclient("web")     .redirecturis("http://localhost:3000")     .secret("secret")     .authorizedgranttypes("implicit", "refresh_token").scopes("read", "write")     .accesstokenvalidityseconds(3600).refreshtokenvalidityseconds(2592000); }

if try accessing endpoint this: http://localhost:8080/oauth/authorize?grant_type=implicit&client_id=web&response_type=token&redirect_uri=http%3a%2f%2flocalhost%3a3000

i this:

{   "timestamp": 1464136960414,   "status": 403,   "error": "forbidden",   "message": "expected csrf token not found. has session expired?",   "path": "/oauth/authorize" }

how can have csrf token if it's first time i'm calling api? if (just testing) disable csrf this:

{   "timestamp": 1464136840865,   "status": 403,   "error": "forbidden",   "exception": "org.springframework.security.authentication.insufficientauthenticationexception",   "message": "access denied",   "path": "/oauth/authorize" }

setting client password grant_type i'm able make call , works: http://localhost:8080/oauth/token?grant_type=password&username=test&password=123 , adding authorization basic header client id/secret.

just clarify, idea have unique trusted client. user should input login/password without asking user grant access rights app.

sorry if dumb question. i've been reading can find cannot seem make progress it.

thanks!

edit:

my spring security config:

@configuration public class websecurityconfig extends websecurityconfigureradapter {    @autowired   private mongodbauthenticationprovider authenticationprovider;    @autowired   public void globaluserdetails(final authenticationmanagerbuilder auth) throws exception {     auth.authenticationprovider(authenticationprovider);   }    @override   @bean   public authenticationmanager authenticationmanagerbean() throws exception {     return super.authenticationmanagerbean();   } }

my oauth config:

@configuration @enableauthorizationserver public class oauth2authorizationserverconfig extends     authorizationserverconfigureradapter {    @autowired   @qualifier("authenticationmanagerbean")   private authenticationmanager authenticationmanager;    @override   public void configure(final authorizationserversecurityconfigurer oauthserver) throws exception {         oauthserver.tokenkeyaccess("permitall()").checktokenaccess("isauthenticated()");   }    @override   public void configure(final clientdetailsserviceconfigurer clients) throws exception {     clients     .inmemory().withclient("web")     .redirecturis("http://localhost:3000")     .secret("secret")     .authorizedgranttypes("implicit", "refresh_token").scopes("read", "write")     .accesstokenvalidityseconds(3600).refreshtokenvalidityseconds(2592000);   }    @override   public void configure(authorizationserverendpointsconfigurer endpoints)     throws exception {     endpoints.authenticationmanager(authenticationmanager);   }   }

exception in server:

2016-05-25 19:52:20.744 debug 34968 --- [nio-8080-exec-5] .s.o.p.e.frameworkendpointhandlermapping : looking handler method path /oauth/authorize 2016-05-25 19:52:20.744 debug 34968 --- [nio-8080-exec-5] .s.o.p.e.frameworkendpointhandlermapping : returning handler method [public org.springframework.web.servlet.modelandview org.springframework.security.oauth2.provider.endpoint.authorizationendpoint.authorize(java.util.map<java.lang.string, java.lang.object>,java.util.map<java.lang.string, java.lang.string>,org.springframework.web.bind.support.sessionstatus,java.security.principal)] 2016-05-25 19:52:20.746 debug 34968 --- [nio-8080-exec-5] o.s.s.w.a.exceptiontranslationfilter     : authentication exception occurred; redirecting authentication entry point  org.springframework.security.authentication.insufficientauthenticationexception: user must authenticated spring security before authorization can completed. @     org.springframework.security.oauth2.provider.endpoint.authorizationendpoint.authorize(authorizationendpoint.java:138) ~[spring-security-oauth2-2.0.9.release.jar:na] @ sun.reflect.nativemethodaccessorimpl.invoke0(native method) ~[na:1.8.0_40] @ sun.reflect.nativemethodaccessorimpl.invoke(nativemethodaccessorimpl.java:62) ~[na:1.8.0_40] ....

when call authorization server implicit grant type have include opaque string value state parameter avoid csrf attacks. so, request url authorization server like:

http://localhost:8080/oauth/authorize?grant_type=implicit&client_id=web&response_type=token&redirect_uri=http%3a%2f%2flocalhost%3a3000&state=123abc

the value mentioned in state parameter echoed in response. compare echoed value initial value confirm there no csrf attack happened.

thank you, soma.


-

Comments

Post a Comment

Popular posts from this blog

c# - DevExpress.Wpf.Grid.InfiniteGridSizeException was unhandled -

Image
when using devexpress, see error: devexpress.wpf.grid.infinitegridsizeexception unhandled message="by default, infinite grid height not allowed since grid rows rendered , hence grid work slowly. fix issue, should place grid container give finite height grid, or should manually specify grid's height or maxheight. note can avoid exception setting gridcontrol.allowinfinitegridsize static property true, in case grid run slowly." the problem dxgrid has infinite height. to fix, set height non-infinite. snoop absolutely invaluable this: if "height" xaml element infinite (i.e. 0 or nan ), can set using one of following: option 1: height="{binding path=actualheight, relativesource={relativesource mode=findancestor, ancestortype=uielement}}" option 2: verticalalignment="stretch" option 3: height="auto" hint: use verticalalignment="stretch" if child of grid <rowdefinition height=...
Read more

scala - 'wrong top statement declaration' when using slick in IntelliJ -

Image
i'm porting project scala 2.9 2.10, therefore have use slick instead of scalaquery. i'm using slick 2.1.0 since supports ms access. according this tutorial , upgrade guide changed robs object class , added val robs : why error message wrong top statement declaration , how rid of it? edit: i'm new scala... according this question seems can't put val outside of methods or classes, right? code above directly in packge. right approach slick then? should move code in class or trait? according this changed val robs = tablequery[robs] to object robs extends tablequery(new robs(_)) {} . no warnings or errors anymore. :)
Read more

Laravel Bind Multiple Class to One Contract in The Service Provider -

so trying have eccomerce site handle both paypal , stripe payments. however, not sure how done. this have. class billingprovider extends serviceprovider { /** * bootstrap application services. * * @return void */ public function boot() { // } /** * register application services. * * @return void */ public function register() { $this->app->bind('app\contracts\billinginterface','app\services\billing\paypalbilling'); } } this works fine if need paypal. however, need both paypal , stripe. any idea how can go implementing this? when typehint can either paypal or stripe. public function stripe(request $request, billinginterface $bill){// handle stripe payment.} public function paypal(request $request, billinginterface $bill){// handle paypal payment.} imho, there many ways it. first of all, take contextual binding of service ...
Read more