https://www.rfc-editor.org/rfc/rfc8693
Tuesday, May 14, 2024
Wednesday, May 8, 2024
How an empty S3 bucket can make your AWS bill explode
So, if I were to open my terminal now and type:
aws s3 cp ./file.txt s3://your-bucket-name/random_key
I would receive an AccessDenied error, but I would be the one to pay for that request. And I don’t even need an AWS account to do so.
Sunday, April 28, 2024
OAuth2: Refresh Token Flow
https://darutk.medium.com/diagrams-and-movies-of-all-the-oauth-2-0-flows-194f3c3ade85
This is the flow defined in "RFC 6749, 6. Refreshing an Access Token". A client application (a) presents a refresh token to a token endpoint and (b) gets a new access token.
https://software-factotum.medium.com/pkce-public-clients-and-refresh-token-d1faa4ef6965
https://www.youtube.com/watch?v=jcKDsQfBgYY
OAuth2: Resource Owner Password Credentials Flow
https://darutk.medium.com/diagrams-and-movies-of-all-the-oauth-2-0-flows-194f3c3ade85
https://www.youtube.com/watch?v=CGMiOHrOAYQ
This is the flow defined in "RFC 6749, 4.3. Resource Owner Password Credentials Grant". A client application (a) makes a token request to a token endpoint and (b) gets an access token. In this flow, a client application accepts a user's ID and password, although the primary purpose of OAuth 2.0 is to give limited permissions to a client application WITHOUT revealing the user's credentials to the client application.
OAuth2: PKCE
Why do we need PKCE? https://www.youtube.com/watch?v=_zWovo2zv6k
More details: https://oauth.com/oauth2-servers/pkce/authorization-request/
Note: the malicious app and the legitimate app both live in the same environment.
https://www.authlete.com/developers/pkce/#2-pkce-authorization-request
PKCE Authorization Request
- 'code_challenge' : computed by applying 'code_challenge_method' to 'code_verifier'
- 'code_challenge_method' (optional) : plain or S256
- 'code_verifier' : a random string made of the characters
  [A-Z] / [a-z] / [0-9] / "-" / "." / "_" / "~"
  with a minimum of 45 and a maximum of 128 characters
PKCE Authorization Response
PKCE Token Request
Issue Access token
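The PKCE steps above, worked end to end, as an added example (not code from the page or from authlete): the client generates a code_verifier, derives code_challenge with either method, and a toy authorization server (ToyAuthorizationServer, constructed for this example) binds the challenge to the authorization code it issues and checks the verifier when the token is requested. The length check uses the 43 to 128 character range of RFC 7636 section 4.1, and the final function shows why the scenario in the PKCE video fails: a party that holds only the authorization code, but not the verifier, cannot redeem it, and a consumed code cannot be replayed.

```python
import base64
import hashlib
import hmac
import secrets

# RFC 7636 section 4.1: code_verifier is 43..128 characters drawn from the
# unreserved set [A-Z] / [a-z] / [0-9] / "-" / "." / "_" / "~".
VERIFIER_ALPHABET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                     "abcdefghijklmnopqrstuvwxyz"
                     "0123456789-._~")
MIN_LEN, MAX_LEN = 43, 128


def generate_code_verifier(length: int = 64) -> str:
    """Client side: a fresh verifier from a CSPRNG. It is never sent in the
    authorization request; the client keeps it until the token request."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError("code_verifier must be 43..128 characters")
    return "".join(secrets.choice(VERIFIER_ALPHABET) for _ in range(length))


def is_valid_verifier(verifier: str) -> bool:
    """Server side: syntactic check on the presented verifier."""
    return (MIN_LEN <= len(verifier) <= MAX_LEN
            and all(c in VERIFIER_ALPHABET for c in verifier))


def compute_code_challenge(verifier: str, method: str = "S256") -> str:
    """code_challenge = code_challenge_method(code_verifier)."""
    if method == "plain":
        return verifier
    if method == "S256":
        digest = hashlib.sha256(verifier.encode("ascii")).digest()
        # base64url without '=' padding, as in RFC 7636 appendix A
        return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    raise ValueError(f"unsupported code_challenge_method: {method}")


class ToyAuthorizationServer:
    """Constructed for this example: remembers the challenge bound to each
    issued authorization code and verifies it at the token endpoint."""

    def __init__(self) -> None:
        self._codes = {}  # authorization code -> (code_challenge, method)

    def authorize(self, code_challenge: str, method: str = "plain") -> str:
        # Authorization response: a new single-use code, challenge stored with it.
        code = secrets.token_urlsafe(32)
        self._codes[code] = (code_challenge, method)
        return code

    def token(self, code: str, code_verifier: str) -> bool:
        # Token request: pop() makes the code single-use; then recompute the
        # challenge from the presented verifier and compare in constant time.
        entry = self._codes.pop(code, None)
        if entry is None or not is_valid_verifier(code_verifier):
            return False
        stored_challenge, method = entry
        expected = compute_code_challenge(code_verifier, method)
        return hmac.compare_digest(expected, stored_challenge)


def demo_pkce(method: str = "S256") -> dict:
    """The legitimate client succeeds; a replayed code and a code presented
    without the matching verifier are both refused."""
    server = ToyAuthorizationServer()
    verifier = generate_code_verifier()
    challenge = compute_code_challenge(verifier, method)

    code = server.authorize(challenge, method)
    legitimate = server.token(code, verifier)
    replay = server.token(code, verifier)  # code already consumed

    code = server.authorize(challenge, method)
    without_verifier = server.token(code, generate_code_verifier())
    return {"legitimate": legitimate, "replay": replay,
            "without_verifier": without_verifier}
```

With 'plain', the challenge is the verifier itself, so anyone who can read the authorization request can redeem the code; S256 is the method to deploy, and a server that stores the challenge rather than the verifier never holds the client's secret.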
OAuth2: Implicit Grant
https://darutk.medium.com/diagrams-and-movies-of-all-the-oauth-2-0-flows-194f3c3ade85
https://datatracker.ietf.org/doc/html/rfc6749#section-4.2
https://www.youtube.com/watch?v=fX5U50VGxtg
This is the flow defined in "RFC 6749, 4.2. Implicit Grant". A client application (a) makes an authorization request to an authorization endpoint and (b) gets an access token directly from the authorization endpoint.
OAuth2: Authorization Code Grant Flow
- OAuth2 is an authorization framework
- There are different authorization flows, depending on the app type (SPA, server side, mobile, TV, smart devices, etc.)
OAuth2 = Open Authorization 2.0 (delegated authorization framework)
https://www.youtube.com/watch?v=7D-OU4hZW70
Authorization Request
GET {Authorization Endpoint}
    ?response_type=code                // - Required
    &client_id={Client ID}             // - Required
    &redirect_uri={Redirect URI}       // - Conditionally required
    &scope={Scopes}                    // - Optional
    &state={Arbitrary String}          // - Recommended
    &code_challenge={Challenge}        // - Optional
    &code_challenge_method={Method}    // - Optional
    HTTP/1.1
HOST: {Authorization Server}

Authorization Response
HTTP/1.1 302 Found
Location: {Redirect URI}
    ?code={Authorization Code}         // - Always included
    &state={Arbitrary String}          // - Included if the authorization
                                       //   request included 'state'.

Token Request
POST {Token Endpoint} HTTP/1.1
Host: {Authorization Server}
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code          // - Required
&code={Authorization Code}             // - Required
&redirect_uri={Redirect URI}           // - Required if the authorization
                                       //   request included 'redirect_uri'.
&code_verifier={Verifier}              // - Required if the authorization
                                       //   request included
                                       //   'code_challenge'.

Token Response
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

{
  "access_token": "{Access Token}",        // - Always included
  "token_type": "{Token Type}",            // - Always included
  "expires_in": {Lifetime In Seconds},     // - Optional
  "refresh_token": "{Refresh Token}",      // - Optional
  "scope": "{Scopes}"                      // - Mandatory if the granted
                                           //   scopes differ from the
                                           //   requested ones.
}
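The four messages above as a client builds and parses them, added here as an example (not darutk's code): the endpoint URLs, client id and redirect URI are assumed placeholders, the server replies are constructed inline using the sample token values from RFC 6749's own examples, and no network request is made. The checks a practitioner cares about are the state comparison on the redirect (a response carrying someone else's state is rejected), which conditional fields go into the token request (redirect_uri and code_verifier only when the authorization request carried them), and the scope rule in the token response.

```python
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed placeholders for this example; take them from the real server's metadata.
AUTHORIZATION_ENDPOINT = "https://as.example.com/authorize"
TOKEN_ENDPOINT = "https://as.example.com/token"
CLIENT_ID = "example-client"
REDIRECT_URI = "https://app.example.com/callback"


def build_authorization_request(scopes, state, code_challenge=None, method=None):
    """Message 1: query string of the GET to the authorization endpoint.
    'state' is an unpredictable per-session value; PKCE fields are optional."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "state": state,
    }
    if code_challenge:
        params["code_challenge"] = code_challenge
        params["code_challenge_method"] = method or "plain"
    return f"{AUTHORIZATION_ENDPOINT}?{urlencode(params)}"


def parse_authorization_response(location, expected_state):
    """Message 2: the Location of the 302 the browser comes back with.
    Refuse it if 'state' is missing or differs from the one this session sent."""
    query = parse_qs(urlparse(location).query)
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response does not belong to this session")
    if "code" not in query:
        raise ValueError("authorization response without 'code'")
    return query["code"][0]


def build_token_request(code, code_verifier=None):
    """Message 3: form body of the POST to the token endpoint."""
    form = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,  # required because message 1 sent it
    }
    if code_verifier:
        form["code_verifier"] = code_verifier  # required if message 1 sent a challenge
    return urlencode(form)


def parse_token_response(body, requested_scopes):
    """Message 4: the JSON token response. access_token and token_type are
    mandatory; 'scope' is only guaranteed when the granted scopes differ from
    the requested ones, so its absence means the request was granted as asked."""
    data = json.loads(body)
    for key in ("access_token", "token_type"):
        if key not in data:
            raise ValueError(f"token response missing '{key}'")
    granted = data["scope"].split() if "scope" in data else list(requested_scopes)
    return {
        "access_token": data["access_token"],
        "token_type": data["token_type"],
        "expires_in": data.get("expires_in"),
        "refresh_token": data.get("refresh_token"),
        "scope": granted,
    }


def run_flow():
    """Walk the four messages with constructed server replies (no network)."""
    state = secrets.token_urlsafe(16)
    scopes = ["read", "write"]
    auth_url = build_authorization_request(scopes, state)

    # Constructed: the Location the authorization server would redirect to.
    location = f"{REDIRECT_URI}?code=SplxlOBeZQQYbYS6WxSbIA&state={state}"
    code = parse_authorization_response(location, state)
    token_body = build_token_request(code)

    # Constructed: a token response granting fewer scopes than requested.
    response = json.dumps({
        "access_token": "2YotnFZFEjr1zCsicMWpAA",
        "token_type": "Bearer",
        "expires_in": 3600,
        "refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA",
        "scope": "read",
    })
    token = parse_token_response(response, scopes)
    return {"auth_url": auth_url, "code": code,
            "token_body": token_body, "token": token}
```

Because the token response is returned with Cache-Control: no-store, the values parsed here belong in server-side session storage, not in anything a shared cache or the browser history can retain.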