oauth 2.0 - jhipster oauth2 client secret -

-

i've been experimenting jhipster. i've configured app work oauth2. purpose have client secret in application.yml

according several articles have found on topic, client secret should kept secret @ times. example, check https://aaronparecki.com/articles/2012/07/29/1/oauth2-simplified

the client secret must kept confidential. if deployed app cannot keep secret confidential, such javascript or native apps, secret not used.

i've noticed though generated auth.oauth2.service.js contains secret in plain text:

        return {              login: function(credentials) {                  var data = "username=" + credentials.username + "&password="                      + credentials.password + "&grant_type=password&scope=read%20write&" +                      "client_secret=mysecretoauthsecret&client_id=myapp";                  return $http.post('oauth/token', data, {                      headers: {                          "content-type": "application/x-www-form-urlencoded",                          "accept": "application/json",                          "authorization": "basic " + base64.encode("myapp" + ':' + "mysecretoauthsecret")                      }                  }).success(function (response) {                      var expiredat = new date();                      expiredat.setseconds(expiredat.getseconds() + response.expires_in);                      response.expires_at = expiredat.gettime();                      localstorageservice.set('token', response);                      return response;                  });              },

i understand little bit harder find in minified javascript, looking 'client_secret' rewarded quickly.

am missing something? or jhipster oauth implementation unsafe?

thanks, andy

since js client jhipster's can't keep client-secret "secret", doesn't make sense use client-secret @ all. oauth2 resource owner password credentials grant flow jhipster uses trusted clients--which client side of jhipster is. allows skip normal "authorize" endpoint , go directly "token" endpoint tokens user credentials. if spring authorization server (as) defines client-secret, you'll need pass secret along client js. however, if remove secret definition in-memory client setup in (e.g. comment out line in oauth2serverconfiguration.java), can leave out altogether in js (see below)

return {     login: function(credentials) {        var data = "username=" + credentials.username + "&password=" + credentials.password + "&grant_type=password&scope=read%20write&";        return $http.post('oauth/token', data, {           headers: {              "content-type": "application/x-www-form-urlencoded",              "accept": "application/json",              "authorization": "basic " + base64.encode("myapp" + ':' + "")           }        }).success(function (response) {           var expiredat = new date();           expiredat.setseconds(expiredat.getseconds() + response.expires_in);           response.expires_at = expiredat.gettime();           localstorageservice.set('token', response);           return response;        });     },

after removing client-secret, don't think app safer feels bit cleaner , honest--in you're acknowledging using js-only client, can safe. js , native clients, implicit flow typically used , doesn't bother client-secret. it's simplified more robust authorization code grant flow fact js or native client can't keep secret.

anyway, jhipster shouldn't have client-secret in js source don't believe it's doing harm (since alternative have blank client-secret isn't more secure). you're not unsafe (as spec allows kind of thing) you'd safer using authorization code flow (which require little work in jhipster implementation) or have light server proxy add client-secret request "token" endpoint rather js directly. server server communication (e.g. via proxy) keeps secrets away view of browser.

see post nice discussion of pitfalls of js-only client oauth2: http://alexbilbie.com/2014/11/oauth-and-javascript/

here's example of using oauth2 angularjs , spring on proxy: https://spring.io/blog/2015/02/03/sso-with-oauth2-angular-js-and-spring-security-part-v


Comments

Post a Comment

Popular posts from this blog

php - Admin SDK -- get information about the group -

-
please, help. https://www.googleapis.com/admin/directory/v1/groups/106274944935548788283 sending request obtain information group id 1062 ... here link method in google https://developers.google.com/admin-sdk/directory/v1/guides/manage-groups#get_group in response error - 401 unauthorized. oauth authenticate via user has received rights necessary request, included in console admin sdk. authorization successful, there token. not can not understand. if not hard - response. requested information: file_get_contents("https://www.googleapis.com/admin/directory/v1/groups/1062749‌​44935548788283?key=aizasybruhiomdf9nlx9lx3imxwesqmcrnhh4l4"); id group - "106274944935548788283" key applications in case - "aizasybruhiomdf9nlx9lx3imxwesqmcrnhh4l4" error: failed open stream: http request failed! http/1.0 401 unauthorized
Read more

dns - How To Use Custom Nameserver On Free Cloudflare? -

-
i have problem. i own small hosting company. trying add cloudflare site free cdn. problem when sign have change nameservers nameservers. have nameserver dns set through godaddy, how add them cloudflare? main site uses company's nameservers whenever add them site goes offline. when go cloudflare's dns records click on dropdown, click ns, , there's 2 boxes 'name' , 'nameserver'. mean input 'ns1' 'name' , 'ns1.domain.com' 'nameserver'? input server's ip addresses? is there way of accomplishing free version of cloudflare? that impossible. option have custom name servers available on business , enterprise. see https://www.cloudflare.com/plans . also, might mistaken. must change name servers in domain register settings, not on cloudflare.
Read more

Python Error - TypeError: input expected at most 1 arguments, got 3 -

-
can explain why can not use your_name in goal variable? my_name = "bryson" my_age = 29 your_name = input ("what name? ") your_age = input ("what age? ") print ("my name is", my_name,", , am", my_age, "years old.") print ("your name is", your_name,", , are", your_age,".") print("thank buying book,", your_name,"!") goal = input ("what favorite part of book,", your_name, "?") print("awesome!") the error is: goal = input ("what favorite part of book,", your_name, "?") typeerror: input expected @ 1 arguments, got 3 you got error because in fact gave 3 arguments input function when expecting 1 (namely, string prompt). in input ("what favorite part of book,", your_name, "?") ---------------------------------------- , ---------, --- the underlined parts comma-separated arguments: st...
Read more