
OAuth Authorization

OAuth is a framework for access delegation. It lets one website or web application obtain information held on another website or web application on the user's behalf.

This is how OAuth works:

1. When the user does not have an account, the user asks the application to log in with a third-party service such as Facebook or LinkedIn.

2. The application redirects the user to the third-party service to ask for permission.

3. The user tells the third-party service to grant the application permission.

4. The third-party service returns an authorization code that the application can use to obtain access to the user's resources.

5. Using the authorization code, the application gets an access token from the third-party service.

6. Using the token, the application fetches the information it needs.

7. The user is now logged in to the application as a valid user.


Register the application


To register, visit https://developers.facebook.com/ and log in with your Facebook email and password. The home page is shown in Figure 01.

Figure 01

Then go to the My Apps list, create a new app, and take note of the app ID and the app secret.

Implementation

When implementing the code, we first start the session and then copy in the app ID and the app secret obtained at registration.




After that we implement the login page. Here we obtain the authorization from Facebook: when the user logs in with Facebook, it asks the user for permission, and if permission is granted the app receives an access token.







Then create 'fbcallback.php' to send a request to Facebook's resource server with the access token. If permission was given, the resource server returns the requested information to the app.




Once we have the permission, we can access the data we asked for.

If the authorization succeeds, the user can proceed into the application.
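The seven steps listed at the top of the post and the login page / fbcallback.php pair described in this section are the same authorization-code flow seen from two angles. The following is an added example, not code from the post and not the Facebook SDK: it simulates the client application, the authorization server and the resource server in one Python process so the whole exchange can be run offline. The app ID, secret, callback URL, endpoint host and the user record are constructed values. Beyond what the post shows, it carries a `state` value in the session and checks it on the callback (the same CSRF protection the post's other articles discuss), binds the code to the registered redirect URI, and makes each code single-use and short-lived, which is what a real authorization server does in steps 4 and 5.

```python
"""Toy OAuth authorization-code flow: client app, authorization server and
resource server in one process (added example; constructed values throughout)."""
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed registration data, standing in for the app ID and app secret
# copied from the developer portal. These are placeholders, not real credentials.
APP_ID = "123456789"
APP_SECRET = "constructed-app-secret"
CALLBACK_URL = "https://example.com/fbcallback.php"   # the post's fbcallback.php
AUTHORIZE_URL = "https://auth.example/dialog/oauth"   # hypothetical endpoint
CODE_TTL = 600  # seconds an authorization code stays valid


class AuthorizationServer:
    """Plays the third-party service (steps 2-5) and its resource server (step 6)."""

    def __init__(self):
        self.clients = {APP_ID: {"secret": APP_SECRET, "redirect_uri": CALLBACK_URL}}
        self.codes = {}    # code -> (client_id, user_id, issued_at)
        self.tokens = {}   # access_token -> user_id
        self.users = {"u42": {"id": "u42", "name": "Constructed User",
                              "email": "user@example.com"}}

    def authorize(self, query, user_id, consent):
        """Steps 3-4: the user grants or denies; on grant, redirect back with a code."""
        params = {k: v[0] for k, v in parse_qs(query).items()}
        client = self.clients.get(params.get("client_id"))
        if client is None or params.get("redirect_uri") != client["redirect_uri"]:
            raise ValueError("unknown client or unregistered redirect_uri")
        state = params.get("state", "")
        if not consent:
            return client["redirect_uri"] + "?" + urlencode(
                {"error": "access_denied", "state": state})
        code = secrets.token_urlsafe(24)
        self.codes[code] = (params["client_id"], user_id, time.time())
        return client["redirect_uri"] + "?" + urlencode({"code": code, "state": state})

    def token(self, client_id, client_secret, code, redirect_uri):
        """Step 5: exchange a code for a token; codes are single-use and expire."""
        client = self.clients.get(client_id)
        if client is None or not hmac.compare_digest(client["secret"], client_secret):
            raise PermissionError("invalid_client")
        entry = self.codes.pop(code, None)   # pop: a replayed code is rejected
        if entry is None:
            raise PermissionError("invalid_grant")
        code_client, user_id, issued = entry
        if (code_client != client_id or redirect_uri != client["redirect_uri"]
                or time.time() - issued > CODE_TTL):
            raise PermissionError("invalid_grant")
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = user_id
        return {"access_token": access_token, "token_type": "bearer"}

    def me(self, access_token):
        """Step 6 (resource server): return the profile the token is bound to."""
        user_id = self.tokens.get(access_token)
        if user_id is None:
            raise PermissionError("invalid_token")
        return dict(self.users[user_id])


class ClientApp:
    """The web application: the login page builds the authorize URL,
    the callback (fbcallback.php in the post) finishes the flow."""

    def __init__(self, server):
        self.server = server
        self.session = {}   # stands in for the PHP session the post starts first

    def login_url(self):
        # state is kept in the session and compared on return, so a forged
        # or replayed callback that lacks the right value is rejected
        self.session["oauth_state"] = secrets.token_urlsafe(16)
        return AUTHORIZE_URL + "?" + urlencode({
            "client_id": APP_ID, "redirect_uri": CALLBACK_URL,
            "response_type": "code", "scope": "email",
            "state": self.session["oauth_state"]})

    def callback(self, redirect_url):
        params = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
        expected = self.session.pop("oauth_state", None)
        if expected is None or not hmac.compare_digest(expected, params.get("state", "")):
            raise PermissionError("state mismatch")
        if "error" in params:
            raise PermissionError(params["error"])
        if "code" not in params:
            raise PermissionError("missing code")
        tok = self.server.token(APP_ID, APP_SECRET, params["code"], CALLBACK_URL)
        profile = self.server.me(tok["access_token"])
        self.session["user"] = profile   # step 7: the user is logged in
        return profile


def run_flow(consent=True):
    """Drive the whole exchange; returns (profile, server, redirect_url)."""
    server = AuthorizationServer()
    app = ClientApp(server)
    redirect = server.authorize(urlparse(app.login_url()).query, "u42", consent)
    return app.callback(redirect), server, redirect


def extract_code(redirect_url):
    return parse_qs(urlparse(redirect_url).query)["code"][0]


def exchange_rejected(server, code):
    """True if the authorization server refuses this code (used or unknown)."""
    try:
        server.token(APP_ID, APP_SECRET, code, CALLBACK_URL)
        return False
    except PermissionError:
        return True


def denied_login_error():
    """Error string the client sees when the user refuses consent."""
    try:
        run_flow(consent=False)
        return None
    except PermissionError as exc:
        return str(exc)


if __name__ == "__main__":
    profile, _, _ = run_flow()
    print("logged in as", profile["name"])
```

The `state` check, the `pop` of the code on exchange and the `redirect_uri` comparison are the three places where most real-world authorization-code deployments go wrong; running `exchange_rejected` on a code that has already been used shows why a leaked or replayed code is harmless once the server enforces single use.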

In Synchronize Token method the client and the server both should generate the same token value. The server has to do what client does. So it will be a heavy load to the server,Therefore we are using double submitted cookies method. If we need to use double submitted cookies, the javascript should run in in the cookie. So HTTP Flag should be off. In here we are sending the same cookie (that means our session cookie) through HTTP body and the HTTP header. So the server will validate if the cookie coming from the body and the header are same or not and accept the request or deny. In the client side (index.php) we create the session and store it in the cookie.After that create a token and store it in a new cookie.                                                                      Figure 1 ...