Posted to user@oltu.apache.org by "Tiburtius, Ashwanth [IWD]" <As...@iwd.iowa.gov> on 2015/01/22 17:13:43 UTC

Verifying the authorization server

Hi,

I am using Apache Oltu in our project to authenticate Google, Yahoo and Microsoft users. I have a fundamental question - when a user has authenticated themselves and the authorization server redirects them back to the application using the redirect uri along with a code, from a security perspective, how can we verify that the code came from the respective service, e.g. Google? Does the authorization server send back a certificate or signatures that can be used to verify itself? If so, does Oltu take care of this or is it up to the application to do the verification? Can you provide any help as to how the application should verify the server in case Oltu doesn't do it currently?

Just FYI, in our application we are only concerned about a successful authentication, which is the first step in the OAuth process. We do not access any information about the user, so we are not getting into the next steps to get an access token etc. at this point. I am not sure if that is an issue.

I would really appreciate your comments/replies. Thank you for your time.

Thanks,
Jude.
Iowa Workforce Development - IT | 1000 E Grand Ave, Des Moines, IA  50319
(515) 281-3378 | Ashwanth.Tiburtius@iwd.iowa.gov


Re: Verifying the authorization server

Posted by Jasha Joachimsthal <ja...@apache.org>.
That's what the state parameter is for. You generate this value and
keep it in a session. When the user returns to the redirectUri, the
OAuth provider must have returned the state parameter's value. Compare
this with the value in the session. If they don't match, your code
should not continue with the authorization.

See also [1]

Regards,

Jasha

[1] http://www.thread-safe.com/2014/05/the-correct-use-of-state-parameter-in.html


On 22 January 2015 at 17:13, Tiburtius, Ashwanth [IWD]
<As...@iwd.iowa.gov> wrote:
> Hi,
>
> I am using Apache Oltu in our project to authenticate Google, Yahoo and
> Microsoft users. I have a fundamental question – when a user has
> authenticated themselves and the authorization server redirects them back to
> the application using the redirect uri along with a code, from a security
> perspective, how can we verify that the code came from the respective
> service, e.g. Google? Does the authorization server send back a
> certificate or signatures that can be used to verify itself? If so, does
> Oltu take care of this or is it up to the application to do the verification?
> Can you provide any help as to how the application should verify the server
> in case Oltu doesn't do it currently?
>
> Just FYI, in our application we are only concerned about a successful
> authentication, which is the first step in the OAuth process. We do not access
> any information about the user, so we are not getting into the next steps to
> get an access token etc. at this point. I am not sure if that is an issue.
>
> I would really appreciate your comments/replies. Thank you for your time.
>
> Thanks,
>
> Jude.
>
> Iowa Workforce Development – IT | 1000 E Grand Ave, Des Moines, IA  50319
>
> (515) 281-3378 | Ashwanth.Tiburtius@iwd.iowa.gov
>

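The state check Jasha describes above, written out as an added example (not Oltu's code and not from either poster): generate an unguessable state per request, keep it in the session, and on the redirect back refuse to continue unless the returned value matches. The session is assumed to be a dict-like server-side store, the authorize and redirect URLs in the test are placeholders, and the 10-minute lifetime is an assumed policy; the single-use and constant-time comparison are additions a practitioner would want beyond the plain equality check.

```python
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

STATE_TTL_SECONDS = 600  # assumed policy: a state older than this is rejected


def begin_authorization(session, authorize_url, client_id, redirect_uri):
    """Create a fresh state, bind it to this session, and build the redirect URL."""
    state = secrets.token_urlsafe(32)          # 256 bits, unguessable, one per request
    session["oauth_state"] = state
    session["oauth_state_issued"] = time.time()
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
    })
    return f"{authorize_url}?{query}"


def handle_callback(session, callback_url, now=None):
    """Validate the state on the redirect back. Returns the code or raises ValueError.

    A matching state proves the response belongs to a flow this session started
    (it blocks CSRF / session-fixation style callbacks); it does not by itself
    prove who issued the code, which is established when the code is exchanged
    with the provider's token endpoint over TLS.
    """
    now = time.time() if now is None else now
    expected = session.pop("oauth_state", None)   # single use: consumed on first attempt
    issued = session.pop("oauth_state_issued", 0.0)
    params = parse_qs(urlsplit(callback_url).query)
    received = params.get("state", [None])[0]
    code = params.get("code", [None])[0]
    if expected is None or received is None:
        raise ValueError("missing state: not a flow this session started")
    if not hmac.compare_digest(expected, received):   # constant-time comparison
        raise ValueError("state mismatch: do not continue the authorization")
    if now - issued > STATE_TTL_SECONDS:
        raise ValueError("state expired: start the flow again")
    if not code:
        raise ValueError("no authorization code in callback")
    return code
```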