Contains the materials used for the blog post about OAuth2 and OpenID Connect.
This script was created to automate as many tests as possible. They are defined in this file.
Mind map overview mode:
💬 The mind map image is generated using this script and is automatically updated on each push to the main branch.
The lab is based on Keycloak in its Docker flavor, listening on the default port 8080.
The base flow init URL is:
http://localhost:8080/auth/realms/demo/protocol/openid-connect/auth?client_id=demo&redirect_uri=http://localhost:9500/App.html&state=114d367d-b319-44d0-a8cc-9a08c4a0bffd&response_mode=fragment&response_type=code&scope=openid profile api internal-api&nonce=78a3069c-74e8-4f5b-856a-9d890caabc06&prompt=consent
- The admin console is here, with credentials admin/admin.
- The realm is named demo.
- An OAuth/OIDC client named demo is present.
- A sample web client is provided via the App.html file (this client is defined in the lab configuration).
The lab configuration export is stored in the file Realm-Export.json, so you can import it via the Import feature. Use this screen to create a realm.
This video shows the steps to set up the Keycloak lab described below.
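The base flow init URL above carries a state and a nonce, and the sample web client receives the authorization code back in the URL fragment (response_mode=fragment). The following Python script is an added example, not part of this repository's own test script: it rebuilds that URL with fresh per-request state and nonce values, checks a callback against the expected state before accepting the code, and checks the nonce claim of an ID token against the one that was sent. The endpoint, client_id, redirect_uri and scopes are the lab values from the page; the callback fragments and the ID token used in the test are constructed.

```python
import base64
import hmac
import json
import secrets
import urllib.parse

# Lab values taken from the base flow init URL on this page.
AUTHORIZE_ENDPOINT = "http://localhost:8080/auth/realms/demo/protocol/openid-connect/auth"
CLIENT_ID = "demo"
REDIRECT_URI = "http://localhost:9500/App.html"
SCOPES = "openid profile api internal-api"


def build_auth_request():
    """Return (url, state, nonce) for one authorization request.

    state binds the callback to this browser session (CSRF / login-CSRF
    protection); nonce binds the ID token to this request (replay protection).
    Both must be unpredictable and generated fresh for every request.
    """
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": state,
        "response_mode": "fragment",
        "response_type": "code",
        "scope": SCOPES,
        "nonce": nonce,
        "prompt": "consent",
    }
    return AUTHORIZE_ENDPOINT + "?" + urllib.parse.urlencode(params), state, nonce


def _same_redirect_target(url):
    """True if scheme, host:port and path match the registered redirect_uri."""
    got = urllib.parse.urlsplit(url)
    want = urllib.parse.urlsplit(REDIRECT_URI)
    return (got.scheme, got.netloc, got.path) == (want.scheme, want.netloc, want.path)


def parse_callback(callback_url, expected_state):
    """Validate the redirect back to App.html and extract the authorization code.

    Returns (code, None) on success or (None, reason) when the callback must be
    discarded. The state is compared in constant time; a mismatch means the
    callback does not belong to the session that started the flow.
    """
    if not _same_redirect_target(callback_url):
        return None, "callback arrived at an unexpected redirect_uri"
    fragment = urllib.parse.urlsplit(callback_url).fragment
    params = urllib.parse.parse_qs(fragment)
    if "error" in params:
        return None, "authorization server returned error: " + params["error"][0]
    state = params.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        return None, "state mismatch: discard this callback"
    codes = params.get("code", [])
    if len(codes) != 1:
        return None, "expected exactly one authorization code in the fragment"
    return codes[0], None


def id_token_nonce_matches(id_token, expected_nonce):
    """Compare the nonce claim of an ID token with the nonce sent in the request.

    This helper only inspects claims; it deliberately does not verify the
    signature. Verify the signature against the realm's JWKS first, then call
    this to reject a token that was minted for a different request.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        return False
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except (ValueError, UnicodeDecodeError):
        return False
    nonce = str(claims.get("nonce", ""))
    return hmac.compare_digest(nonce.encode(), expected_nonce.encode())


if __name__ == "__main__":
    url, state, nonce = build_auth_request()
    print("open this URL in the browser:", url)
    # Constructed callback, as the lab's App.html would receive it after login.
    callback = REDIRECT_URI + "#state=" + state + "&session_state=s1&code=constructed-code"
    print(parse_callback(callback, state))
    print(parse_callback(REDIRECT_URI + "#state=other&code=constructed-code", state))
```

The script prints the URL to open and the outcome of a matching and a mismatching callback. In the lab, the same checks belong in the client that receives the fragment: accepting a code from a callback whose state does not match the session, or an ID token whose nonce does not match the request, is what the state and nonce parameters exist to prevent.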
- Open a shell and run the following set of commands to start a web server:

    $ python --version
    Python 3.7.5
    $ cd [REPO_CLONE_FOLDER]
    $ python -m http.server 9500
    Serving HTTP on 0.0.0.0 port 9500 (http://0.0.0.0:9500/) ...

- Open a shell and run the following set of commands to start a fresh Keycloak instance:

    $ docker --version
    Docker version 20.10.7, build f0df350
    $ docker run -p 8080:8080 -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin quay.io/keycloak/keycloak:14.0.0
    ...
    [org.jboss.as] (Controller Boot Thread) WFLYSRV0051: Admin console listening on http://127.0.0.1:9990

- Click here and import the full lab demo configuration to set up the Keycloak instance.
- Create a user via this menu: just fill in the Username field and click the Save button.
- Set the user's password via the Credentials tab (disable the Temporary flag).
- Open this URL in a browser to access the demo Web Client.
- The lab is ready to be used 😎
- https://courses.pragmaticwebsecurity.com/courses/introduction-to-oauth-2-0-and-openid-connect
- https://courses.pragmaticwebsecurity.com/bundles/mastering-oauth-oidc
- https://infosecwriteups.com/oauth-2-0-hacking-simplified-part-2-vulnerabilities-and-mitigation-d01dd6d5fa2c
- https://maxfieldchen.com/posts/2020-05-17-penetration-testers-guide-oauth-2.html
- https://portswigger.net/research/hidden-oauth-attack-vectors
- https://portswigger.net/web-security/oauth
- https://connect2id.com/learn