php - oauth2 get access token via db by supplied client id/secret for trusted 3rd party client -

-

i'm using "lucadegasperi/oauth2-server-laravel".

i'm making api endpoint 3rd party trusted client , using client_credentials grant.

now thing access tokens tend expire, instead of giving 3rd party user access token, supply them client id/secret.

on side following when curl request...

select      a.id,             expire_time         oauth_clients c  left join   oauth_sessions s on s.client_id = c.id  left join   oauth_access_tokens on a.session_id = s.id        c.id = 'asfasasf'              , c.secret =  'asfasfasfasf'  order    s.id desc  limit       1;

... above pretty checks if there access token , expire time relating client id/secret. i'd pretty generate new 1 if 1 didn't exist or if expired. couple lines down, curl on side endpoint after given access_token on side without them worrying doing it.

i've tested , works, kind of dodgy/bad do?

tldr;

  1. 3rd party client - goes /api/endpoint client id/secret
  2. my server side (checks access token in db relating client id/secret)
  3. generates if not exists or expired use ...
  4. 3rd party client endpoint api continues use db selected access token
  5. works

is bad flow?

all did take out step convenience.

a lot of people use oauth2 library or else wrote , of course wouldn't work because don't have standard oauth2 system anymore.

you've reused 1 token else uses client app , not convinced that's thing. tokens expiring security issues, if steals token, can invalidate , stop access or expires , that's it. of course don't have issue you're not passing tokens through.

this means you're breaking other oauth2 flows, many systems have refresh token, that's gone well. guess simplifies client's life quite bit can't have oauth2 system anymore, because well, don't.

the clients ones need deal tokens , it's job decide how store them , when things expire. wouldn't need worry it, since store client tokens on side.

one other thing consider shifted security concerns side. responsible clients security. if gets access database can impersonate clients forever more without or client knowing it. point of view having tokens in database bad idea , security flaw when client has no control on it.


Comments

Post a Comment

Popular posts from this blog

mysql - Dreamhost PyCharm Django Python 3 Launching a Site -

-
i'm new python/django , created simple django website using pycharm. site works fine running on computer, i'm lost when comes taking site onto host (dreamhost). i'm able upload files correct directories fine, , believe made correct changes database on mysql. i'm not sure go there though. right now, page shows files rather site. direction appreciated. much! you should not run django application using python manage.py runserver on production. how run application on django depends on server (apache, nginx) want use for apache - https://docs.djangoproject.com/en/1.10/howto/deployment/wsgi/modwsgi/ for nginx - https://www.digitalocean.com/community/tutorials/how-to-serve-django-applications-with-uwsgi-and-nginx-on-ubuntu-14-04 the mysql database should, of course, exist , have correct credentials. or, if choose use sqlite, file should accessible, readable , writable www-user (may different depending on linux distributive)
Read more

java - Sending SMS with SMSLib and Web Services -

-
i have made rest web service send smss using hsdpa usb modem. using smslib in java send smss. every time web service invoked, create gateway start service, send message, stop service , remove gateway. takes 20 seconds each message. found starting service takes lot of time. part of code use send smss service.getinstance().addgateway(gateway); service.getinstance().startservice(); outboundmessage msg = new outboundmessage(phonenumber, message); if (service.getinstance().sendmessage(msg)) { result = "message sent successfully!!"; } else { result = "could not send message."; } service.getinstance().stopservice(); service.getinstance().removegateway(gateway);//remove gateway is there way can start service once if not started , use send message when ever web service invoked? why dont group messages , send in 1 go? service.getinstance().sendmessages(messa...
Read more

java - How to resolve The method toString() in the type Object is not applicable for the arguments (InputStream) -

-
i'm trying read json file local machine. @path("/") public class jsonparsing { file f = new file("file.json"); if (f.exists()){ inputstream = new fileinputstream("file.json"); string jsontxt = ioutils.tostring(is); system.out.println(jsontxt); jsonobject json = new jsonobject(jsontxt); string = json.getstring("1000"); system.out.println(a); } } but i'm getting error in tostring() method. possible read .txt file containing json object local machine? if possible, how done? firstly: whenever ask question- add imports well. secondly: yes possible read .txt file containing json object. steps: 1. add maven dependency in pom.xml - <dependency> <groupid>com.googlecode.json-simple</groupid> <artifactid>json-simple</artifactid> <version>1.1.1</version> </dependency> or add jar of dependency. 2.import...
Read more