OAuth is a widely used open standard for access delegation that allows you to grant third-party applications limited access to your resources without sharing your credentials. OAuth 2.0, the latest version, uses access tokens to authenticate API requests.
Configurations
OAuth's authentication mechanism has the following configurations:
| Configuration | Description |
|---|---|
| Token Endpoint | The URL provided by the Authorization Server (the server responsible for issuing access tokens in OAuth) where authorized clients exchange authorization codes, refresh tokens, or other credentials for access tokens. |
| Authorization Endpoint | The Authorization Endpoint in OAuth 2.0 is where the user authentication and consent process begins. It enables clients to request access to protected resources while allowing users to control what information they share with third-party applications. |
| Callback URL | The Callback URL (Redirect URI) in OAuth 2.0 is the endpoint where the client receives the Authorization Server’s response after the user completes authentication and grants access to resources. |
| Client Auth Method | Select Basic Auth or Request body: whether the client ID and secret are sent in an HTTP Basic `Authorization` header or as form fields in the token request body. |
| Scope (optional) | The permissions requested by the client. |
Generate the token after you have specified the configurations listed above. You can then add the token as part of a Query Parameter, Header, or Cookie.
Note
The OAuth authentication mechanism does not support testing.
Example
The following are some samples that you can use to configure the OAuth mechanism in the Advanced mode:
Sample 1
```python
import os
import requests
import base64
import hashlib
import urllib.parse
import logging
import threading
from traceable.ast.context import PluginContext, ScanContext
from traceable.ast.testsuite import AttributeList
from traceable.ast.testsuite.assertion import Assertion
from traceable.ast.testsuite.plugin import TestCase

# Fill these in (or read them from the environment) before running the scan
ENV_CLIENT_ID = ""
ENV_CLIENT_SECRET = ""
ENV_TOKEN_ENDPOINT = ""
ENV_SCOPES = ""


def get_access_token(token_url, client_id, client_secret, scopes=ENV_SCOPES):
    """Obtain an access token with the client_credentials grant.

    Credentials are sent in the request body (the "Request body" client
    auth method). Raises if the Authorization Server rejects the request.
    """
    response = requests.post(
        token_url,
        data={
            "client_id": client_id,
            "client_secret": client_secret,
            "grant_type": "client_credentials",
            "scope": scopes,
            # Non-standard fields kept from the original sample; servers
            # normally ignore unknown token-request parameters.
            "token_endpoint": token_url,
            "client_authentication_method": 2,
        },
    )
    response.raise_for_status()
    return response.json()["access_token"]


def oauth_login_prehook(scanctx: ScanContext, pluginctx: PluginContext, testcase: TestCase, **kwargs) -> list[Assertion]:
    # Fetch the token once per scan; the lock keeps concurrent test cases
    # from each requesting their own token.
    if "oauth_access_token_lock" not in scanctx:
        scanctx["oauth_access_token_lock"] = threading.Lock()
    with scanctx["oauth_access_token_lock"]:
        if not scanctx.get("oauth_access_token"):
            token = get_access_token(ENV_TOKEN_ENDPOINT, ENV_CLIENT_ID, ENV_CLIENT_SECRET)
            scanctx["oauth_access_token"] = token

    attributes = testcase.get_attributes()
    # Force the mutated request onto port 443 (the sample assumes the
    # target serves HTTPS there, so the bearer token is not sent in clear text)
    mutated_port = attributes.get("mutated.net.host.port")[0].value
    if mutated_port != 443:
        attributes.set("mutated.net.host.port", 443)
    attributes.set("mutated.http.request.header.authorization", f'Bearer {scanctx.get("oauth_access_token")}')
    # Record that the header was applied without writing the secret itself to the log
    print("Applied Bearer Token")
    return []
```
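Added here as an example, not part of the product's sample code: a helper that builds the token request for either Client Auth Method from the table above (HTTP Basic with form-urlencoded credentials as RFC 6749 section 2.3.1 requires, or credentials in the request body), and a thread-safe cache that refreshes the token shortly before `expires_in` runs out instead of holding the first token for the whole scan as Sample 1 does. The names (`build_token_request`, `TokenCache`) and all values are constructed; the `fetch` callable is where a real `requests.post` to the Token Endpoint would go.

```python
import base64
import threading
import time
import urllib.parse


def build_token_request(client_id, client_secret, scope, client_auth_method="basic"):
    """Return (headers, form_data) for a client_credentials token request.

    "basic": credentials go in an HTTP Basic Authorization header, each part
    form-urlencoded first as RFC 6749 section 2.3.1 requires.
    "body":  credentials go in the x-www-form-urlencoded request body.
    """
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    data = {"grant_type": "client_credentials"}
    if scope:
        data["scope"] = scope
    if client_auth_method == "basic":
        raw = f"{urllib.parse.quote(client_id, safe='')}:{urllib.parse.quote(client_secret, safe='')}"
        headers["Authorization"] = "Basic " + base64.b64encode(raw.encode()).decode()
    elif client_auth_method == "body":
        data["client_id"] = client_id
        data["client_secret"] = client_secret
    else:
        raise ValueError(f"unknown client auth method: {client_auth_method}")
    return headers, data


class TokenCache:
    """Thread-safe token holder that refreshes `skew` seconds before expiry."""

    def __init__(self, fetch, skew=30):
        self._fetch = fetch        # callable returning the token endpoint's JSON dict
        self._skew = skew
        self._lock = threading.Lock()
        self._token = None
        self._expires_at = 0.0

    def get(self, now=None):
        now = time.time() if now is None else now
        with self._lock:
            if self._token is None or now >= self._expires_at - self._skew:
                body = self._fetch()
                # Reject anything that is not a usable bearer token response
                if "access_token" not in body or body.get("token_type", "").lower() != "bearer":
                    raise RuntimeError(f"unexpected token response fields: {sorted(body)}")
                self._token = body["access_token"]
                self._expires_at = now + float(body.get("expires_in", 3600))
            return self._token
```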