I think steps 3 and 4 are not quite right. I’ve edited your example to show how I think the attack works. 1.Mallory visits some client’s website (e.g. https://brilliantphotos.com) and starts the process of authorizing that client to access some service provider using OAuth (e.g. Acebook – as brilliantphotos.com allows its users to post pictures … Read more
Check out this gem https://github.com/applicake/doorkeeper It is for Rails 3, the development it’s early stages though. There’s also an example app that you take a look and see how the API is done. http://doorkeeper-provider.herokuapp.com/
You can set the on_failure proc in the omniauth initializer in an even cleaner fashion: OmniAuth.config.on_failure = UsersController.action(:oauth_failure)
OAuth Client Verification Starting July 18, 2017, Google OAuth clients that request certain sensitive OAuth scopes will be subject to review by Google. OAuth Client Verification Starting July 18, 2017, Google OAuth clients that request certain sensitive OAuth scopes will be subject to review by Google. Review is not required if you are only using … Read more
The client, in OAuth terminology, is the component that makes requests to the resource server, in your case, the client is the server of a web application (NOT the browser). Therefore, the access token should be stored on the web application server only. It should not be exposed to the browser, and it doesn’t need … Read more
You are correct Google don’t offer a test user API in the same way that Facebook do. I think you have two options: Use “real” Google users as you stated. This can cause issues if Google blocks these accounts or adds extra checks to test if they are real users to not (Phone verification). They … Read more
@EnableAuthorizationServer is adding http security configuration for endpoints like /oauth/token, /oauth/token_key etc at order 0. So what you should do is to define a http security rule for /oauth/token endpoint only for the OPTIONS http method which is at a higher order. Something like this: @Order(-1) @Configuration public class MyWebSecurity extends WebSecurityConfigurerAdapter { @Override protected … Read more
It is possible to use the Google APIs Javascript client library with Drive but you have to be aware that there are some pain points. There are 2 main issues currently, both of which have workarrounds: Authorization First if you have a look closely at how Google Drive auth works you will realize that, after … Read more
Access to location data is restricted to users who have granted you access to their location data at the time that the OAuth token was generated. You have to specifically request access to location data in the scope parameter.