Thursday, July 12, 2018

Testing OAuth2 (Refresh Tokens) Locally

Recently, I have been trying to develop a tool that involves the use of OAuth2 and here I try to explain the steps I have taken to make it work locally on my laptop. I am particularly interested in obtaining refresh tokens so I would follow the path related to it..

I employ Authlib for the OAuth2 server and follow its documentation to build the client. The OAuth2 server documentation is here and the client documentation is here1. Since we are interested in getting refresh tokens, we need to follow the Authorization_Code flow of OAuth2 (see here). Now, we get into the details. First of all, since we want to test the OAuth2 server locally and Authlib requires HTTPS connection to Token server2, we need to make sure that the client (make it browser, Python code or curl) to the Token server has the relevant certificates and trusts in place for the local machine. I will first create a self-signed certificate for my machine (localhost) and add it to relevant certificate store. I am testing everything in Python so I will go through that path for the store as the requests module of Python uses its own certificates instead of the operating system level certificates. So if you have the certificates already installed to the operating system for the localhost (127.0.0.1) that may not work. I followed this quick list of openssl commands to generate CSR (Certificate Signing Request) and a signed X509 certificate with my own key, as follows:

- Create a Certificate request:
openssl req -out CSR.csr -key ~/.ssh/id_rsa -new

- Create a certificate with the given key and CSR:
openssl x509 -signkey ~/.ssh/id_rsa -in CSR.csr -req -days 365 -out mycert.crt

Then adding the generated certificate to certifi's (Python module) certificate store as given here. Note that the code in this link adds the certificate without the comments (it literally opens the certificate store file of Python/certifi and adds it) but no worries it works..

Once the certificate issue is sorted, we can now focus on the OAuth2 server setup, client registration and test the OAuth2 access and refresh tokens. The setup is straightforward:
- Just grab the example OAuth2 server code from here
- Even though it has been recently added to the repo, make sure the app.py file contains the flag for refresh token (i.e. 'OAUTH2_REFRESH_TOKEN_GENERATOR': True).

Note here that we are running the https (and thus certificate issues above), we do not care about the variable for disabling https.

Client registration
The client registration follows the steps the example OAuth2 server code example above. Here a couple of important things are :
- Make sure to add "authorization_code" (Authorization code flow) to allowed grant types
- Make sure to add "code" to allowed response types.


Obtaining Refresh Tokens
As mentioned authlib requires the Authorization code flow of Oauth2 in order issue refresh tokens. Just a quick note here on refresh tokens: Refresh tokens are usually long-lived and are used to obtain short-lived access tokens. Some OAuth2 implementations/proposals issue refresh tokens every time an access token is issued. Some others issue only when requested and some others do not support at all. Now coming back to Authorization code flow where an OAuth2 client first requests an authorization code and then uses it to obtain an access and refresh token.  Here is a piece of code taken from authlib's client example page :

client_id = '...'
client_secret = '...'
scope = '...'
session = OAuth2Session(client_id, client_secret, scope=scope)
authorize_url = 'https://127.0.0.1:5000/oauth/authorize'
uri, state = session.authorization_url(authorize_url)

Since we are just testing locally we, the user who would normally be forwarded directed to the link in the "uri" variable, need to open the link and give consent for the the resource referred by the scope. Then the OAuth2 server forwards us to the link that has been given during the client registration with an authorization code and a state parameters. Apparently, authlib can extract the code value from a given url so just do the following as given in the above link

session = OAuth2Session(client_id, client_secret, scope=scope)
urlset = 'https://127.0.0.1:5000/?code=..&state=....'
access_token_url = 'https://127.0.0.1:5000/oauth/token'
token = session.fetch_access_token(access_token_url,authorization_response=urlset)

That's it!!


Ps:
1: Authlib supports also OAuth1, so be careful not to follow the wrong documentation.
2: The documentation suggests that setting an environment variable should allow it to work without HTTPS but I couldn't make it work, let me know if you do :)

Tuesday, March 6, 2018

On the particularities of brain - body connection

I have been reading a lot about the brain and its workings recently.  It fascinates me how this organ that is 1/50 [1] of our body consumes 25% of our energy and has a neural network with connections more than the number of stars in the galaxy.

What is more interesting for me these days are the behavioural associations between brain or more specifically memory, and the body. Kahneman [2] discusses multiple experiments about this where he shows that the certain memory connections in our brains can be enforced by certain physical activity and the vice versa. For instance thinking about old age (i.e. related concepts) makes us walk slow and doing a physical activity associated with old age makes us recognize words related to old age better.

Then if you look at this TED talk [3] from neuroscientist Wendy Suzuki, this is shown clearly. In fact she switches her research area to connection between physical activity (exercise) and our mental well-being (in all senses). She basically shows that with a personalized physical training we can improve our brain's functionality and prevent the development of brain related diseases in the long-term...

So, what are you waiting for, go and do some physical exercise :))

Stay tuned...  

Refs:
[1] https://en.wikipedia.org/wiki/Brain-to-body_mass_ratio
[2] Thinking, Fast and Slow,  By Daniel Kahneman, 2011
[3] https://www.ted.com/talks/wendy_suzuki_the_brain_changing_benefits_of_exercise#t-734351

Saturday, October 14, 2017

Asymmetric (Encryption vs Signing), Digital Signatures and so on...

There is a duality between the use of PKI when performing asymmetric encryption and signing. As very nicely summarized here, encryption (enables one way private communication in case there is only one pair in place) uses the public key to encrypt and private key (there is only one holder) to decrypt, and signing uses the private key to encrypt and public key to decrypt. The former provides more of confidentiality while the latter provides authenticity (origin confirmation), integrity (no modification introduced) and non-repudiation (prevent denial cases : only receiver can open with sender's public key and only from the sender must come because of her private key.

This tutorial is a good one for XML signatures and this tutorial is good to JSON Web signature...
There is also this tutorial on the use of keytool (from Java runtime) to manage keys, certificates, keystores etc...

Stay tuned...

Monday, October 2, 2017

Content Negotiation in Spring Web Applications

Here are some links about the issues related to the use of RequestMapping (PostMapping, GetMapping etc) : Stack Exchange Link

The main issue is when a client (e.g. through Apache HTTP client) sends requests to a servlet with the relevant parameters (here be careful where parameter is posted: in the header or the body, see here and here) the servlet will receive/process the parameters according to a pre-agreement...

Spring framework provides useful functionality and annotations (e.g. PostMapping) to automate/shorten all content negotiation related stuff. See here.

Tuesday, August 15, 2017

Spring MVC Apps with Eclipse and Maven

If you are not a long time developer of Java servlet applications with Spring tools, it is exhausting to go around and spot what is necessary for developing a dynamic Web application with Eclipse by using Spring MVC. Of course if your application development goes hand to hand with maven development/configuration, it will be great.
Here is a great starter for this (note : based on crunchify tutorial):
- You first create a dynamic Web project in Eclipse (see here
- Then you convert the project to Maven project from (right click) Configure/Convert to Maven Project
- Create a Spring configuration file (usually yourproject-servlet.xml). Here you can also use annotation driven view resolving rather than a URL-based. To do that just add "" to your *-servlet.xml file...
- Generate a deployment a descriptor (web.xml) and configure this file. As it is with other servlets this file provides the mapping (among other info) between URLs and servlets. Spring maps the URLs to DispatcherServlet. If you are using Eclipse and started your project as a dynamic Web project, sometimes this file is not generated. But fear not! You can generate a stub file by right clicking your project and choosing Java EE Tools --> Generate Deployment Descriptor Stub ...
- Define your Spring controllers.

- Compiling through Maven : Run as / Maven Build
- Running through Eclipse (make sure you installed Tomcat as a server in Eclipse): Run as / Run on Server.

Good luck.

Ps: This here is also a pretty good reference. 


Monday, July 24, 2017

Bitmasking

This is a good post about bitmasking (efficient way of representing subsets of a set) :
https://www.quora.com/What-is-bitmasking-What-kind-of-problems-can-be-solved-using-it

Tuesday, December 10, 2013

Hashing Strings with md5 from Linux console

Sometimes, I needed to generate md5 hash of a given string from Linux console. Here is how this can done: echo -n "your text" | md5sum

Stay tuned...