Skip to main content

NoSQL Databases

Post a Comment

SSD_OAuth 2.0

This blog post will give a brief description about OAuth 2.0

What is OAuth 2.0?

   OAuth 2.0 is a (Open Authorization) is a framework that give users the ability to grant access to their information stored in one place, from another place. To understand what is OAuth first we need to understand the main roles, grant types and the types of tokens.

Roles

   Roles are used to define and separate entities which are involved in a request. Mainly there are four roles.

  1. The Client - The client is the third party application which tries t access the user account. This can be either a website or a application.

  2. The Resource Server - Resource server is the place which stores the user's information

  3. The Authorization Server - This is the server which approves or denies the request. The authorization server produces the access token to the client.

  4. The Resource Owner - Resource owner grants access to the requested data.

Grant Types

    Grant types are the flow of obtaining the access token. A grant represents the user's permission to access their token. Mainly there are four main grant types.

  1. Authorization Code Grant Type - Used by the web applications which are executing on the       server using the PKCE (Proof Key for Code Exchange) method.

  2. Implicit Grant Type - Used by the application which are built using JavaScript or single page applications which are executing on the user's browser.

  3. Resource Owner Password Credentials - Used by the applications which highly trusted. 

  4. Client Credentials - Resource owner grants access to the requested data.


Access Tokens

    The access tokens represents the authorization to access the Resource Owner's information which are on the resource server. On an access token there is an expiry time. Its because any malicious actions are getting limited by doing so.



Generic OAuth flow


Refresh Tokens

    Refresh tokens are a special kind of token that can be used to obtain a renewed access token that allows accessing a protected resource at any time. We can request new access tokens until the refresh tokens are blacklisted.

Sample Application

   Below I have implemented a sample application using java to demonstrate the process of a OAuth 2.0.

   The sample application will be retrieving the details such as name, email, image, age from the google once a user login to the application using the google credentials. In order to build the below application we need to obtain the secret key and the API key from google developers console

  After login to the console click on the dashboard and the create a new project.


After creating the project select the relevant project from the drop down list and click on the 'credentials'. On the dropdown select 'OAuth client ID'


On the next window select the 'configure consent screen' and provide the required data.



     Then you will obtain the 'client ID' and the 'secret key' which are needed to create the sample application. 

I have used the java and jsp technologies to built the sample app. The grant type which I have used is 'Authorization Code Grant Type'.


The steps are as follows:

A) The client redirects the user-agent (usually a browser) to the login page of the authorization server.

B) The authorization server presents the login page to the resource owner via the user-agent (if the resource owner is not already authenticated to the authorization server).

C/D) The resource owner supplies credentials to the login page. This establishes the identity of the resource owner (authentication).

E) The authorization server requests access to resource-owner data on behalf of the client

F/G) The resource owner grants the client authorization to access resource owner data.

H/I) The authorization server redirects the user-agent to the callback URL supplied by the client in the call (which must match the redirect_uri supplied when the client registered with the authorization server). Once the user-agent has been redirected, the user will see the authorization code, which will be in the form of a URL parameter.

J) The client uses the authorization code, along with its client credentials, to request an access token (with an optional refresh token) from the authorization server.

K) The authorization server returns an access token to the client, along with the optional refresh token. The authorization token can now be used to request access to protected resources from the resource server.

GoogleAuthenticator.java













































Comments

Post a Comment

Popular posts from this blog

NoSQL Databases

NoSQL Databases: Breaking Free from Traditional Tables Hey there, fellow developers! If you've been working with traditional SQL databases and wondering if there's another way to handle data, you're in the right place. Today, we're diving into the world of NoSQL databases – what they are, why they exist, and how to get started with MongoDB. What Exactly is NoSQL? Let's clear up a common misconception first: NoSQL doesn't mean "No SQL" – it actually stands for "Not Only SQL." Think of it as an umbrella term for databases that don't follow the traditional relational database model. Remember those rigid tables with rows and columns you've been working with? NoSQL databases take a different approach. They're designed to handle unstructured or semi-structured data, scale horizontally across multiple servers, and adapt to changing requirements without major schema overhauls. Why Would You Choose NoSQL Over SQL? Great quest...
Post a Comment
Read more

SSD

Cross Site Request Forgery             Cross-Site Request Forgery (CSRF) is an assault that powers an end client to execute undesirable activities on a web application in which they're at present verified. CSRF assaults particularly target state-evolving demands, not robbery of information, since the assailant has no real way to see the reaction to the produced demand. With a little help of social designing, (for example, sending a connection through email or talk), an attacker may trap the clients of a web application into executing activities of the assailant's picking. On the off chance that the injured individual is a typical client, a fruitful CSRF assault can compel the client to perform state changing solicitations like exchanging reserves, changing their email address, ect. On the off chance that the unfortunate casualty is a managerial record,CSRF can compromise the entire web application. What is CSRF and how it works ?     A...
2 comments
Read more