Bonnes Pratiques Web & Cloud
58.8K views | +4 today
Follow
Bonnes Pratiques Web & Cloud
Internet
Administration cloud et développement web
Curated by Mickael Ruau
Your new post is loading...
Your new post is loading...

Popular Tags

Current selected tag: 'oAuth'. Clear
oAuth 12
authentication 2
JAMstack 2
securite 2
GMail 1
Google 1
Google Apps Scripts 1
nodeJs 1
PHP 1
React (framework javascript & DOM virtuel) 1
test 1
Vue.js 1
Scooped by Mickael Ruau
Scoop.it!

Building a Photo Uploader: A Practical Introduction to the JAMSTACK with Vue.js

From dev.to - December 28, 2021 1:53 AM

In this tutorial, you will learn how to build JAMSTACK apps with a feature to upload images. You will use Cloudinary to power the upload functionality and Auth0 for authentication. This can come in handy when building photo albums, e-commerce applications, and business websites.

For a brief introduction to Vue.js, you can check out this article, Getting Started with Vue JS: The Progressive JavaScript Framework.

Prerequisites

  1. A machine with Node.js and npm) installed.

  2. Basic familiarity with JavaScript, and ES6 and Vue.js).

  3. A text editor. E.g. Sublime Text, Visual Studio Code, Atom, etc.

  4. A Cloudinary account. You can sign up for a Cloudinary account for free.

  5. An Auth0 account. You may create a free Auth0 account here.

more...
No comment yet.
Sign up to comment
Scooped by Mickael Ruau
Scoop.it!

OAuth2 –

OAuth2 – | Bonnes Pratiques Web & Cloud | Scoop.it
From collonvillethomas.wordpress.com - September 1, 2021 11:30 AM
Aujourd'hui on change un peu de domaine pour s’intéresser à la sécurisation d'API avec OAuth2 [oauth2]. OAuth2 est un protocole d’autorisation issu de OAuth [3] implémentant la RFC 6749 [2] et permettant, via une délégation de la gestion des autorisations, la sécurisation de la consommation d'API entre application. Pour comprendre OAuth2 il faut avant tout…
more...
No comment yet.
Sign up to comment
Scooped by Mickael Ruau
Scoop.it!

2 failles de sécurité (en cours) avec fuite de données chez pôle emploi

2 failles de sécurité (en cours) avec fuite de données chez pôle emploi | Bonnes Pratiques Web & Cloud | Scoop.it
From www.mathieupassenaud.fr - September 16, 2019 8:11 AM

Le protocole d'authentification "implicit flow" déconseillé par l'Internet Engineering Task Force (IETF) expose les utilisateurs à un vol de leurs données personnelles et éventuellement de leur session sur le site de pôle emploi. Voir le point 5. L'utilisation du implicit flow

L'utilisation du dit protocole a eu un effet de bord assez gênant. Dans le cadre de la transmission de données normalement anonymisées à des fins statistiques, les données personnelles des candidats (Nom, Prénom, Adresse email, identifiant) sont transmises à des sociétés tierces privées sans aucun chiffrage ni filtre quelqu'il soit, sur des serveurs de la société Amazon.

Mickael Ruau's insight:

 

L'implicit flow est définit dans la RFC :
https://tools.ietf.org/html/rfc6749#section-4.2

Le principe réside dans la transmission des données d'authentification (appelés "tokens") directement dans l'adresse (URL) et non dans des headers HTTP ou dans le corps d'une requête.

Il s'avère que cette méthode expose les données d'authentification :
https://medium.com/oauth-2/why-you-should-stop-using-the-oauth-implicit-grant-2436ced1c926

Dans les "best current practice", il est spécifié :
https://tools.ietf.org/html/draft-ietf-oauth-security-topics-13
"The implicit grant (response type "token") and other response types causing the authorization server to issue access tokens in the authorization response are vulnerable to access token leakage and access token replay … In order to avoid these issues, Clients SHOULD NOT use the implicit grant and any other response type causing the authorization server to issue an access token in the authorization response."

En lieu et place d'implicit flow, il faut utiliser authorization_code flow.

more...
No comment yet.
Sign up to comment
Scooped by Mickael Ruau
Scoop.it!

googlesamples/apps-script-oauth2

googlesamples/apps-script-oauth2 | Bonnes Pratiques Web & Cloud | Scoop.it
From github.com - February 22, 2017 4:27 AM

OAuth2 for Apps Script is a library for Google Apps Script that provides the ability to create and authorize OAuth2 tokens as well as refresh them when they expire. This library uses Apps Script's new StateTokenBuilder and /usercallbackendpoint to handle the redirects.

 

 

Mickael Ruau's insight:

This library is already published as an Apps Script, making it easy to include in your project. To add it to your script, do the following in the Apps Script code editor:

  1. Click on the menu item "Resources > Libraries..."
  2. In the "Find a Library" text box, enter the script ID 1B7FSrk5Zi6L1rSxxTDgDEUsPzlukDsi4KGuTMorsTQHhGBzBkMun4iDFand click the "Select" button.
  3. Choose a version in the dropdown box (usually best to pick the latest version).
  4. Click the "Save" button.

Alternatively, you can copy and paste the files in the /dist directory directly into your script project.

more...
No comment yet.
Sign up to comment
Scooped by Mickael Ruau
Scoop.it!

PHP Authorization with JWT (JSON Web Tokens)

PHP Authorization with JWT (JSON Web Tokens) | Bonnes Pratiques Web & Cloud | Scoop.it
From www.sitepoint.com - October 20, 2015 5:01 AM
Miguel Ibarra explains what JWTs are and how they can be used instead of sessions to authenticate your users via API calls
more...
No comment yet.
Sign up to comment
Scooped by Mickael Ruau
Scoop.it!

Démonstration d'une attaque par login social - Korben

Démonstration d'une attaque par login social - Korben | Bonnes Pratiques Web & Cloud | Scoop.it
From korben.info - December 9, 2014 7:21 AM
Voici une petite attaque qui utilise les protocoles d'authentification de Google / Facebook / Twitter / Linkedin et j'en passe. En effet, quand vous souhaitez vous inscrire sur un site web, vous pouvez soit vous créer un compte de zéro, soit vous identifier avec votre login Facebook ou Twitter ou j'en passe.

Seulement, voilà, avec certains sites mal conçus, un hacker peut tout simplement accéder à votre compte sans avoir besoin de grandes compétences techniques. Voici ce qu'ont découvert les chercheurs de l'équipe d'IBM X-Force.
Mickael Ruau's insight:

D'un côté, il y a vous... Vous avez, par exemple, un compte sur Slashdot (comme dans la démo ci-dessous) ou un autre site et vous êtes bien inscrit avec votre email toto@gmail.com. De l'autre côté, il y a l'affreux script kiddy qui se rend sur Linkedin, site sur lequel vous n'êtes pas inscrit. Il se crée alors un compte avec VOTRE adresse email (toto@gmail.com). Linkedin vous envoie un email de confirmation, mais même si l'email n'est pas vérifié, le hacker est bien authentifié sous Linkedin.

L'attaquant peut alors se rendre sur Slashdot, et demander à se logger avec le compte Linkedin qu'il a créé avec votre email. Et paf, il accède à votre compte sans avoir besoin de quoi que ce soit.

more...
No comment yet.
Sign up to comment
Scooped by Mickael Ruau
Scoop.it!

Build a full-stack Jamstack Application

From dev.to - December 27, 2021 1:51 AM
Tech Stack

Jamstack is unique because it allows you to integrate several technologies to create a full-stack application. You will use the following technologies to create this scrapbook:

Next.js is a React framework that extends the amazing powers of React for creating multiple page apps easily. Without using any backend frameworks like Express, you may use Next.js and its serverless functions to develop your app's frontend and backend.
Chakra-UI provides a plethora of stylish and accessible react components for styling your web application.
You'll be using Airtable as a database solution for this application. Airtable is a spreadsheet/database hybrid with a fantastic API for integrating it into your application.
Cloudinary is a cloud media management platform where you'll upload photos of your scrapbook.
Auth0 enables you to integrate a user authentication system into your app. It uses OAuth 2.0 and provides a secure OAuth layer for your app.

Auth0 and Cloudinary both offer free plans. You can create an account and use it for free to develop this application.
Mickael Ruau's insight:

Table of Contents

  • Getting Started
  • Connecting Airtable to your app
  • Integrate Airtable with Next.js Serverless functions
  • Uploading files to Cloudinary
  • Create React Context for Posts
  • Setup Authentication with Auth0
  • Next Steps
more...
No comment yet.
Sign up to comment
Scooped by Mickael Ruau
Scoop.it!

OAuth like a boss en Javascript

OAuth like a boss en Javascript | Bonnes Pratiques Web & Cloud | Scoop.it
From www.lafermeduweb.net - November 10, 2020 3:48 AM
Once And For All
more...
No comment yet.
Sign up to comment
Scooped by Mickael Ruau
Scoop.it!

A complete guide to Oauth2 protocol

A complete guide to Oauth2 protocol | Bonnes Pratiques Web & Cloud | Scoop.it
From milapneupane.com.np - September 4, 2019 3:19 AM
Oauth2 protocol was designed as an industry pattern to solve the delegation problem. Oauth2 protocol provides a secure resource delegation between services
more...
No comment yet.
Sign up to comment
Scooped by Mickael Ruau
Scoop.it!

Google OAuth 2.0 Playground

Google OAuth 2.0 Playground | Bonnes Pratiques Web & Cloud | Scoop.it
From bshaffer.github.io - May 19, 2016 8:38 AM

Test your server with Google OAuth 2.0 Playground

Once you’ve set up your server on the wild internet, you’ll want to check that it works with an independent client. One way to do this is using the Google OAuth 2.0 Playground.

Mickael Ruau's insight:

Assuming that you’ve set up an authorize controller, you can test it out as follows:

  1. Navigate to the Playground using the above link.

  2. Click the settings button in the top-right corner.

  3. Select “Server-side” for “OAuth flow”, and “Custom” for “OAuth endpoints”.

  4. In the Authorization endpoint, enter the URL of your Authorize Controller (such as https://domain.com/authorize.php).

  5. In the Token endpoint, enter the URL of your Token Controller (such as https://domain.com/token.php).

  6. Select “Authorization header w/ Bearer prefix” for the Access token location.

  7. Enter the client ID and secret (testclient and testpass if using the previous documentation example).

  8. Enter “basic” in the text box on the left and click “Authorize APIs”. You should be taken to your website where you can authorize the request, after which you should be returned to the Playground.

  9. Click “Exchange authorization code for tokens” to receive a token (you’ll need to do this within 30 seconds).

  10. The response on the right should show the access token. Enter the URL of your resource page (such as https://domain.com/resource.php).

  11. Add any optional parameters you want, and click “Send the request”. If you’ve used the same code as previously you should see the same response:

Json
{"success":true,"message":"You accessed my APIs!"}
more...
No comment yet.
Sign up to comment
Scooped by Mickael Ruau
Scoop.it!

Removing the Pain of User Authorization with Sentinel

Removing the Pain of User Authorization with Sentinel | Bonnes Pratiques Web & Cloud | Scoop.it
From www.sitepoint.com - October 17, 2015 4:59 AM
Sentinel - a package to make implementing roles and authorization via ACL much easier than it used to be. Learn from Younes in this in-depth tutorial!
more...
No comment yet.
Sign up to comment
Scooped by Mickael Ruau
Scoop.it!

Initiating the Google+ Sign-In flow with JavaScript

From developers.google.com - November 26, 2014 9:12 AM
Initiating the Google+ Sign-In flow with JavaScript
Step 1: Create a client ID and client secret
Step 2: Include the Google+ script on your page
Step 3: Choose your OAuth scopes
Step 4: Initiate the sign-in flow with JavaScript
Step 5: Handle the sign in
more...
No comment yet.
Sign up to comment
About Follow us Resources Terms Mobile Features
Facebook
X
LinkedIn