authentication – Does django-oauth-toolkit handle PKCE with OAuth2?

I am trying to implement OAuth2 in my Django app. I tried to use django-oauth-toolkit. I think their documentation is outdated, and I could not find any mention of PKCE.

Also, I could not find any example or blog post on the internet. If my understanding is correct, I have to generate code_verifier and code_challenger first. Then I have to append those to the request as parameters. Then django-oauth-toolkit will do the rest. Am I right?

Is there even a django+oauth2+pkce setup that has been successfully integrated?
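As an added example (not code from django-oauth-toolkit or from the question), the two PKCE values the question refers to, the parameters the client attaches to the authorization request, and the check the authorization server performs when the code is redeemed, following RFC 7636; the test vector is the one from RFC 7636 Appendix B.

```python
import base64
import hashlib
import secrets


def generate_code_verifier(length: int = 64) -> str:
    """Client side: a high-entropy code_verifier of 43..128 unreserved characters (RFC 7636 §4.1)."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier must be between 43 and 128 characters")
    # token_urlsafe() only emits A-Z a-z 0-9 '-' '_', all of which are allowed in a verifier
    return secrets.token_urlsafe(96)[:length]


def code_challenge_s256(verifier: str) -> str:
    """Client side: code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) without '=' padding (§4.2)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def authorize_params(client_id: str, redirect_uri: str, verifier: str) -> dict:
    """Client side: the query parameters carried on the /authorize request (§4.3).
    The verifier itself is kept by the client and never sent here."""
    return {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }


def server_verify(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    """Server side: the check the token endpoint performs when the client redeems the
    authorization code and presents code_verifier (§4.6). The challenge and method were
    stored alongside the code when it was issued."""
    if stored_method == "S256":
        expected = code_challenge_s256(presented_verifier)
    elif stored_method == "plain":
        expected = presented_verifier
    else:
        return False
    # constant-time comparison so the check does not leak how many characters matched
    return secrets.compare_digest(expected, stored_challenge)
```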

rest – Should I return user data in an authentication endpoint using JWT?

Yes/No.

Endpoints are functions. From this perspective it doesn’t matter what they do, as long as the client is aware that this is what will happen and is happy to deal with the output/outcomes.

So if you write the only client and you have a sequence of six operations that are called in a row, it might make sense to collapse them down into a single call that does it all.

But if you don’t write the only client, then there is a good chance that such complex endpoints will make life harder for them. It would be like trying to get a paper and having to verify that you have medical insurance. It’s better to have smaller, concise operations to allow these other clients to pick and choose how and when.

A middle ground is to offer a small variety of common chains by opt in.

  • /auth -> just the JWT token
  • /auth?include=user -> JWT token + user details please

As for REST, then yes, it matters a lot.

The two graces of REST are that the server doesn’t have to keep connection state, and that intermediaries can cache the result to distribute to their audience to reduce overall load on the server.

JWT tokens don’t fit in this model. You don’t want them cached, you don’t want them shared.

Other data though might be perfectly fine to cache. Perhaps not confidential user data, but if those details were public user information it would be fine.

Mixing the two types eliminates one of the benefits from a REST system. Not the end of the world, but if you are trying to get the scalability it is an anti-pattern.

How to configure Azure SAML authentication for Rapid7 InsightVM / nexpose

I’m trying to use Azure AD SAML for authenticating to Rapid7 InsightVM (Nexpose).

I have the Enterprise Application registered in AAD, with the EntityID provided from the InsightVM configuration. The Azure configuration has been set to sign SAML responses and queries.

On InsightVM, I have SAML Auth enabled, and have pasted in the metadata downloaded from Azure. I have created a new user with the username and email address corresponding to my Azure principal, and set the SAML auth method for it. I then restarted the InsightVM console.

My problems are –

  • First, there seems to be no ‘SAML Login’ button on the InsightVM login page.
  • Secondly, when I try to test the login using the Azure SAML, I get the message “The SAML credentials are invalid. Please contact your System Administrator.”

The log files (set to DEBUG level) only show “(Thread: http-nio-443-exec-1=/saml/SSO) Validation of protocol message signature succeeded, message type: {urn:oasis:names:tc:SAML:2.0:protocol}Response” in nsc.log. Nothing in auth.log.

It is unclear why the login is being rejected.

Prior to creating the user in the database, auth.log would show this (email address changed for privacy):

2020-11-09T00:13:15 (WARN) (Thread: http-nio-443-exec-7=/data/user/login) (User ID: me@company.com) Unable to determine login module for user, defaulting to XML.
2020-11-09T00:13:15 (INFO) (Thread: http-nio-443-exec-7=/data/user/login) (Principal: me@company.com) (Cause: Credentials are not valid.) Authentication attempt failed.

Once the user with SAML auth and the correct user ID was added, this stopped appearing, but the login was still rejected with the same error message.

Has anyone managed to make this work? What might I be doing wrong here?

authentication – Can’t connect to postgresql database with SSL using GSSAPI

With postgresql 12.4, I’ve got this in pg_hba.conf:

hostssl all all 192.168.0.0 255.255.0.0 gss map=myrealm

but whenever I try to connect with:

psql 'postgresql://hostname/database?sslmode=require'

I get

2020-11-26 16:03:37.934 GMT (9585) FATAL:  no pg_hba.conf entry for host "192.168.215.220", user "username", database "database", SSL off

If I replace hostssl with host I can connect (with GSSAPI).

How do I get psql to connect with SSL? I have ssl = on in my postgresql.conf and I have valid server.crt and server.key in the PGDATA directory.

Thanks

authentication – Received Google 2FA Code via SMS from two unknown phone numbers

I recently encountered a strange incident regarding the 2FA of my Google Account.

The user Dunois has described a very similar occurrence in this post: Functional Google 2FA code (via SMS) received from a random (but in use) mobile phone number

My experience is a bit different, so I made a new post instead of replying to his original post.

The other day, I set up 2FA for the Google Workspace account that I use at work. I (foolishly) chose the SMS option and entered my phone number. The code that I received didn’t come from the usual phone number simply marked as “Google”, but from what appeared to be a regular phone number from the UK (+447907180…, apparently an O2 number). Also, it didn’t come with the usual message (“G-###### is your…”); it simply had six digits in it, with no further message.

I didn’t use the code, because it just freaked me out a bit. Instead, I requested another code, this time receiving a message from the usual “Google” number. I didn’t switch websites; I literally clicked the same button twice, receiving messages from two different numbers. I can also rule out falling for a spoofed website, since I navigated to my account settings from my Gmail, which I have saved as a bookmark in my browser.

Unfortunately, I deleted the message before I made a screenshot.

The next day, I tried to reproduce the same thing with my private Google account, which already had prompts activated as a 2FA option. When I switched it to SMS, the same thing happened again; this time I took a screenshot: https://i.stack.imgur.com/kEHRM.png

This time the code came from a German number (I live in Germany), but it had the same format as the last one. Again, though, I didn’t enter the code.
On both accounts I haven’t been able to receive another message from the two numbers since. Every time I request a new code, it comes from the old “Google” number. Friends that tried it for themselves were getting the regular messages as well.

My Google account shows no suspicious activity; I am not missing any data, nor have I been locked out of either of my accounts.

By now, I have called both numbers: the German one seems to be active, but goes straight to voicemail. The British one is apparently unknown to my provider, T-Mobile.

So my question is: do I have to worry about my account? And if not, what is going on here then? If it is a scam of some sort, where’s the scam? Could this be some strange glitch on Google’s side? Has Google just used some third-party 2FA service provider to send me the message? And if so, why would they settle for a company that makes its messages look like strange phishing attempts?

authorization – Is oauth client credentials flow safer than basic authentication with username and password?

Assuming that both travel over the latest version of TLS, why should I use client credentials?

The obvious answer is:

  1. The access token will expire at some point
  2. The client id and secret will travel only once over the wire
  3. We can also use a refresh token, further strengthening the security

I argue that we could also make the username/password travel only once and share a session token that will also expire quite easily.

So in this scenario, is the refresh token the only reason to use it?

SharePoint Online Active Authentication with Two Factor Authentication

Is there a way to make the implementation suggested by Vitaly Lyamin work with Two-Factor Authentication?

https://docs.microsoft.com/it-it/archive/blogs/sharepointdevelopersupport/sharepoint-online-active-authentication

I have a working implementation of the SharePoint Online Active Authentication suggested by Vitaly Lyamin. The customer activated Two-Factor Authentication on the whole domain and it stopped working. Is there a way to obtain the SPOIDCRL cookie in this context?

authentication – How to authenticate for Project Online using Java with password credentials?


authentication – Does this official “Enforce MFA” AWS policy make any sense?

At https://aws.amazon.com/premiumsupport/knowledge-center/mfa-iam-user-aws-cli/ AWS officially recommends having this policy:

{
    "Sid": "BlockMostAccessUnlessSignedInWithMFA",
    "Effect": "Deny",
    "NotAction": [
        "iam:CreateVirtualMFADevice",
        "iam:DeleteVirtualMFADevice",
        "iam:ListVirtualMFADevices",
        "iam:EnableMFADevice",
        "iam:ResyncMFADevice",
        "iam:ListAccountAliases",
        "iam:ListUsers",
        "iam:ListSSHPublicKeys",
        "iam:ListAccessKeys",
        "iam:ListServiceSpecificCredentials",
        "iam:ListMFADevices",
        "iam:GetAccountSummary",
        "sts:GetSessionToken"
    ],
    "Resource": "*",
    "Condition": {
        "Bool": {
            "aws:MultiFactorAuthPresent": "false"
        }
    }
}

which presumably is supposed to enforce an MFA requirement for the account.

But to me, having "iam:DeleteVirtualMFADevice" in there makes it not very useful.

2FA to me is a second measure to protect the authentication flow: you must not only know a password, but also have a 2FA device.

Now with this policy, it allows removing a virtual MFA device as long as you have a valid access token.

And "iam:DeleteVirtualMFADevice" cannot be removed from there: if one removes it, then the AWS console MFA setup page is broken (it says the MFA already exists, even if it wasn’t set up yet).

Am I missing something, or is it security theatre happening here?
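As an added example (not from AWS or the question), a small evaluator for just this one statement, transcribed into a Python literal, that shows which actions it denies with and without MFA; it implements the NotAction wildcard matching and the Bool condition as IAM evaluates them, including the general IAM rule that a plain Bool condition does not match when its key is absent from the request context (the "IfExists" operators exist for that case).

```python
import fnmatch

# The statement quoted in the question, as a Python literal.
MFA_STATEMENT = {
    "Sid": "BlockMostAccessUnlessSignedInWithMFA",
    "Effect": "Deny",
    "NotAction": [
        "iam:CreateVirtualMFADevice", "iam:DeleteVirtualMFADevice",
        "iam:ListVirtualMFADevices", "iam:EnableMFADevice", "iam:ResyncMFADevice",
        "iam:ListAccountAliases", "iam:ListUsers", "iam:ListSSHPublicKeys",
        "iam:ListAccessKeys", "iam:ListServiceSpecificCredentials",
        "iam:ListMFADevices", "iam:GetAccountSummary", "sts:GetSessionToken",
    ],
    "Resource": "*",
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}},
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(stmt, action):
    """Action/NotAction matching; IAM action patterns use '*' wildcards."""
    if "Action" in stmt:
        return any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"]))
    # NotAction: the statement covers every action except the ones listed
    return not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["NotAction"]))


def _bool_condition_matches(stmt, context):
    """Bool operator: each key must be present in the request context and equal the
    wanted value; a key that is missing from the context never matches."""
    for key, want in stmt.get("Condition", {}).get("Bool", {}).items():
        if key not in context or context[key] != want:
            return False
    return True


def is_denied(action, mfa_present, stmt=MFA_STATEMENT):
    """mfa_present: True/False when the request context carries
    aws:MultiFactorAuthPresent, None when the key is absent from the context."""
    context = {}
    if mfa_present is not None:
        context["aws:MultiFactorAuthPresent"] = "true" if mfa_present else "false"
    return (stmt["Effect"] == "Deny"
            and _action_matches(stmt, action)
            and _bool_condition_matches(stmt, context))
```

Run against the statement, it confirms the question's point: without MFA, `iam:DeleteVirtualMFADevice` is not denied while an unrelated action such as `s3:ListAllMyBuckets` is.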

security – Does disabling the prompt to enable two-factor authentication on an iOS device disable future prompts from appearing?

I was recently working with an iPhone user who noticed that since updating to iOS 14, they were being prompted to set up two-factor authentication on their Apple ID. They temporarily dismissed the prompt by navigating to Settings, tapping the “Two-Factor Authentication” option and selecting “Not Now” – but out of interest, will this prompt re-appear – or does choosing this option disable all future prompts from appearing on that device (or Apple ID)?