oauth
How to get Uri.EscapeDataString to comply with RFC 3986
Having not been able to get Uri.EscapeDataString to take on RFC 3986 behavior, I wrote my own RFC 3986 compliant escaping method. It leverages Uri.EscapeDataString, and then 'upgrades' the escaping to RFC 3986 compliance. /// <summary> /// The set of characters that are unreserved in RFC 2396 but are NOT unreserved in RFC 3986. /// …
How to use SHA256-HMAC in python code?
You are not making use of hmac at all in your code. The typical way to use hmac is to construct an HMAC object from your key and message, identifying the hashing algorithm by passing it into the constructor: h = hmac.new( key, my, hashlib.sha256 ) print( h.hexdigest() ) That should output adcb671e8e24572464c31e8f9ffc5f638ab302a0b673f72554d3cff96a692740 for your example data.
Implementing OAuth provider in Java
There are a few Java libraries out there for OAuth. Specifically, I’d have a look at this one. I haven’t used it myself, but there is an example for running an OAuth Service Provider. There’s a list of libraries available on the OAuth website: http://oauth.net/code
OAuth2: What is the difference between the JWT Authorization Grant and Client Credentials Grant with JWT client authentication?
A slightly different perspective on the great answer by Josh C: as it happens both the client authentication and the grant credentials can be expressed as JWTs but the semantics behind them are different. It is about separation of concerns: clients authenticate with a credential that identifies them, i.e. they are the so-called subject, whereas …
Get IPrincipal from OAuth Bearer Token in OWIN
I found a part of the solution in this blog post: http://leastprivilege.com/2013/10/31/retrieving-bearer-tokens-from-alternative-locations-in-katanaowin/ So I created my own Provider as follows: public class QueryStringOAuthBearerProvider : OAuthBearerAuthenticationProvider { public override Task RequestToken(OAuthRequestTokenContext context) { var value = context.Request.Query.Get("access_token"); if (!string.IsNullOrEmpty(value)) { context.Token = value; } return Task.FromResult<object>(null); } } Then I needed to add it to my …
How to generate OAuth 2 Client Id and Secret
As section 2.2 of The OAuth 2.0 Authorization Framework says: The authorization server issues the registered client a client identifier — a unique string representing the registration information provided by the client. The client identifier is not a secret; it is exposed to the resource owner and MUST NOT be used alone for client authentication. …
Refresh token using Omniauth-oauth2 in Rails application
Omniauth doesn't offer this functionality out of the box, so I used the previous answer and another SO answer to write the code in my model User.rb: def refresh_token_if_expired if token_expired? response = RestClient.post "#{ENV['DOMAIN']}oauth2/token", :grant_type => 'refresh_token', :refresh_token => self.refresh_token, :client_id => ENV['APP_ID'], :client_secret => ENV['APP_SECRET'] refreshhash = JSON.parse(response.body) token_will_change! expiresat_will_change! self.token = refreshhash['access_token'] …
Too many cookies OpenIdConnect.nonce cause error page “Bad Request – Request Too Long”
It turned out that the root cause was the Ajax call. The problematic flow was: 1) The OAuth cookie expired after some time. 2) Expiration normally causes redirection of the page to login.microsoft.com to refresh the cookie. In this step the OAuth framework adds a new nonce cookie to the response (every time)! 3) But Ajax doesn't handle …