OAuth API

Node js OAuth Resource server

In this blog post, I am going to show how to create a resource server API. First, we need to understand what is it resource server API and how it works. A resource server is a server for access-protected resources. It handles authenticated requests from an app that has an access token.

By getting into this diagram you can identify it correctly.

You can create your own API server or you can download wso2 identity server.http://wso2.com/products/identity-server/.In this case I have created my own identity server and resource server in single API with using node.js.In order to run that you have to install node.js on your machine. https://nodejs.org/en/download/ To retrieve information or resources we use endpoint.

• As you can see OAuth grant type I have given is client_credentials. This has to be mentioned in the request body when you try to get the access token from the authorization server.
• This app runs on port 4000. You can give any port number there.
• There are two endpoints I have created in this. One to get the access token which is "/oauth/token" and the other one is to get resources which is "/profile". 
• I have hardcoded one value which is the name ("pamoda") and this comes as a JSON object as requested resources.

• Here I have created a user first (username = admin, password = admin) and all the functions and configuration that handle requests from the client are written in this file.

• Open your CMD and run this

Let's run this resource server using node.js.

• To make all get and post requests to the resource server we use Postman Chrome Add-on. You can use other similar products such as RESTclient Mozilla Firefox Add-on for this.
• First of all We have to make a POST request to get the access token from the authorization server.
• For that, we have to send the authorization key in the header.

Authorization : Bearer XXXXXXXXXXXXXXX

And also we have to mention the content type in the header.

Content-Type : application/x-www-form-urlencoded

• Then we have to mention these 3 parameters in the body.

username=admin

password=admin

grant_type=client_credentials

• The URL should be the endpoint that gives us the access token.

http://localhost:3000/oauth/token

• When we send this http://localhost:3000/oauth/token we get the response which has access token in it. This access token also has an expiration time.

• Then we have to make a GET request to retrieve the resources we need.

• Now our URL is different because we have to call a different endpoint to get these resources which is

           "http://localhost:3000/profile".

• We do not have to mention anything in the body.
• In the request header, we should send the access token we got in the previous step.

           Authorization: Bearer XXXXXXXXXXXXXXX

• Make sure that the access token is not expired. Otherwise, you will get an error message saying that it has expired.
• When you sent this request you get a response that contains the resources we specified in the code.

         {"name":"pamoda","id":"set"}

Herer is the code you can download it from the Github 

   https://github.com/pamoda-perera/oauth-api

Thank you!

B/R

CSRF Token with Cookies

Cross-site Request Forgery protection in web applications via Double Submit Cookies Patterns

In the previous blog post, I have discussed how to achieve CSRF attack protection using synchronized token pattern method. In this post, I am going to discuss how to enable CSRF protection using double-submitted cookie pattern.

What is the double-submitted cookie?

When a user authenticates to a site, the site should generate a (cryptographically strong) pseudorandom value and set it as a cookie on the user’s machine separate from the session ID. The server does not have to save this value in any way, that's why this pattern is also called Stateless CSRF Defense.

In double-submitted cookie pattern, two cookies (for the session and for the CSRF token) are stored in the browser.
In our previous method, we stored CSRF token values on the server side (text file). But here we don't do it.

Implementation of "Double Submit Cookie" Pattern

• Once this page gets loaded on the web browser user sees a simple login form. Username and password are hard coded in the code.

result.php

As you can see two cookies are stored on the browser. These cookies have 1 year expiration time and they are accessible from anywhere.

Javascript function is written to retrieve the csrf value from the csrf cookie set on the browser. Then DOM will be modified with the value that is retrieved from the csrf cookie.

home.php
 

csrf cookie value and the html hidden field csrf value are sent to the checkToken function as parameters.

token.php

This function returns true if the csrf token values get matched.


This is the second way of protecting your website from csrf attacks with the help of double submitted cookie pattern.

You can download this implementation from my git gub account

https://github.com/pamoda-perera/csrf-token-with-cookies

CSRF Token

Cross-site Request Forgery Protection in web applications via Synchronizer Token Patterns

What is Cross_Site Request Forgery Protection (CSRF)?

This is a kind of attack and type of a malicious exploit of a website. We also name this attack as the one-click attack or session riding. This forces an end user to execute unwanted actions on a web application in which they're currently authenticated. This attack is mainly focusing on state-changing request, not theft data.

As an example, if the user 'A' wants to transfer the 200$ to the bank 'B'.He needs to send a request to the bank 'B' and bank will send the response by authenticating user 'A'.There is an attacker he/she needs to fraud this money form user 'A'.what the attacker can do is he will create a malicious web link and send it to the user by forcing to click that link . while the user clicks the link for the transferring purpose but the thing is attacker was transferring the money to his account. To avoid such kind of stateful attacks we need to enable CSRF protection in our web pages.

In this blog post, we are going present how to mitigate such kind of attack by enabling CSRF token validation.

We have a simple login page to provide username and password which is checked with the hardcoded values. Once the authenticated user login to the system it will create a session and also generate the CSRF token on the server side. When login successful, token will be stored in a hidden field on the web page. After authenticating his or her identity to the website user wants to continue his or her activity by submitting whatever the action. At this time stored token in the hidden field will check with stored CSRF token value in server side. If the stored token value in the hidden field wrong the system will redirect to the login page by avoiding your response. Otherwise, it will continue the process by assuming an authenticated user has logged in to that session.

Let's see this source code....

• This is the file structure and you can clone it from the GitHub and run it on localhost.

• This is the index.php file we create it as for our login page. You can enter your username and password. If the entered values are correct it will redirect to the result.php file.

• This result.php file store the values which are passing through that text fields.If the user is valid one it will redirect to the home.php file.If not it will redirect again to the login page.

• Here we come to token.php to execute generateToken function.That is the function of the CSRF token generating place. The token will be generated by random.

• This is the file which checks tokenCheck.php

• When the valid user login it will redirect to the home.php file.

• Finally all the user login and token are valid it will redirect to the profile.php

• If the token is valid it shows the following message and if not show the error message by redirecting.

This video will help you to understand how it works :)

Here is the link to clone sourse code through the GitHub

https://github.com/pamoda-perera/csrf-token.git