OAuth2 – Sending a hash of your client_secret when using the client credentials grant instead of the secret

I’m working on an API that I’d like to be accessible internally by other servers as well as devices that I consider both as confidential private clients. Devices are considered private clients because the client_secret is stored in an encrypted area that prevents from unauthorised readout and modification (even though nothing is never bullet proof)

For auth, I’d like to use OAuth2 with the client_credentials grant that seems to be a very good fit for these use cases. However I’m wondering how flexible is the standard regarding sharing the client_secret.

Basically the RFC doesn’t say much about sending your client id / client secret, it just offers an example here: https://tools.ietf.org/html/rfc6749#section-4.4.2 which is very simple by using the following header Authorization Basic: base64(client_id:client_secret)

In my opinion, it could be slightly more secure by computing a hash:

  1. the client requests a random to the server by sending their client_id
  2. the server replies with a random code (valid for like 10 mins, just like an authorization code)
  3. the client computes a hash = sha256(client_id, client_secret, code) and asks for a token
  4. the server computes the same hash, compares the client hash with the computed hash and sends an access token if they match

It would add an extra layer of security in case https is somehow broken or if anyone is able to read the header somehow.

However it doesn’t seem very OAuth2 compliant and I don’t really like re-inventing a standard. Another option would be to create my own extention grant, I’m just wondering if it’s really worth it, like no one seems to have done this.

Also, if I want to share my API with a 3rd party app, not sure it’s a good thing to force them into using something non really standard.

Add metabox plugin data but as custom fields or php code instead

i am using a theme that has custom post type and this custom post type has two ‘boxes’ or fields or whatever they are named i will include the meta codde below now the problem is i am using a plugin to add the posts but the plugin can only add via regular custom fields with value , and i can get the value but i don’t know how to format them in such a way the metabox adds them to the database the is is how they show in the database enter image description here

here is the full code for each one of them this one is for ab_embedgroup

a:2:{i:0;a:3:{s:11:"ab_hostname";s:2:"sd";s:8:"ab_embed";s:203:"<iframe width="1263" height="480" src="https://www.youtube.com/embed/5Gsdtetr1zo" frameborder="0" allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>";s:6:"_state";s:8:"expanded";}i:1;a:3:{s:11:"ab_hostname";s:7:"fsdqfsd";s:8:"ab_embed";s:203:"<iframe width="1263" height="480" src="https://www.youtube.com/embed/5Gsdtetr1zo" frameborder="0" allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>";s:6:"_state";s:8:"expanded";}} 

and this one is for ab_downloadgroup which keep in mind i added nothing there meaning this is the default value

a:1:{i:0;a:1:{s:6:"_state";s:8:"expanded";}} 

now here is the meta file which is code for metabox settings and format

$  meta_boxes[] = array(         'id'         => 'episode',         'title'      => __( 'Episode' ),         'post_types' => array( 'watch' ),         'context'    => 'normal',         'autosave'   => true,         'fields'     => array(             array(                 'name'  => __( 'Episode' ),                 'id'    => "{$  prefix}eps",                 'type'  => 'text',             ),             array(                 'name'  => __( 'Episode Title' ),                 'id'    => "{$  prefix}epstitle",                 'type'  => 'text',             ),             array(                 'name' => __('Status', 'meta-box'),                 'id' => "{$  prefix}lang",                 'type' => 'radio',                 'options' => array(                     'RAW' => __('RAW', 'meta-box'),                     'Sub' => __('Sub', 'meta-box'),                 ),                 'multiple' => false,                 'std' => 'Sub'             ),             array(                 'name' => __('Series', 'meta-box'),                 'id' => "{$  prefix}series",                 'type' => 'post',                 'post_type' => 'series',                 'field_type' => 'select_advanced',                 'query_args' => array(                     'post_status' => 'publish',                     'posts_per_page' => -1,                     'orderby' => 'title',                     'order' => 'ASC'                 )             ),         ),     );     $  meta_boxes[] = array(         'title'  => 'Embed Video',         'pages' => array( 'post','watch' ),         'tabs'      => array(             'input-version' => array(                 'label' => 'Input Version',                 'icon'  => 'dashicons-admin-customizer',             ),             'sc-version'  => array(                 'label' => 'Shortcode Version',                 'icon'  => 'dashicons-editor-code',             ),         ),         'tab_style' => 'default',         'fields' => array(             array(                 'id'     => 'ab_embedgroup',                 'type'   => 'group',                 'clone'  => true,                 'sort_clone'  => true,                 'save_state' => true,                 'desc' => '<b style="color:red;">You can insert embed code or shortcode</b>',                 'tab'  => 'input-version',                 'fields' => array(                     array(                         'name'  => 'Host Name',                         'id'    => 'ab_hostname',                         'type'  => 'text',                     ),                     array(                         'name'   => 'Embed',                         'id'     => 'ab_embed',                         'type'   => 'textarea',                         'sanitize_callback' => 'none',                     ),                 ), //episode             ), //input-version             array(                 'name'  => __( 'Shortcode Video', 'meta-box' ),                 'id'    => "{$  prefix}embed",                 'type'  => 'textarea',                 'clone' => 'true',                 'sort_clone'  => true,                 'sanitize_callback' => 'none',                 'tab' => 'sc-version',             ),         ),     );     $  meta_boxes[] = array(         'title'  => 'Download',         'pages' => array( 'post','watch' ),         'tabs'      => array(             'input-version' => array(                 'label' => 'Input Version',                 'icon'  => 'dashicons-admin-customizer',             ),             'sc-version'  => array(                 'label' => 'Shortcode Version',                 'icon'  => 'dashicons-editor-code',             ),         ),         'tab_style' => 'default',         'fields' => array(             array(                 'id'     => 'ab_downloadgroup',                 'type'   => 'group',                 'clone'  => true,                 'sort_clone'  => true,                 'tab'  => 'input-version',                 'save_state' => true,                 'fields' => array(                     array(                         'name'  => 'Host Name',                         'id'    => 'ab_hostname',                         'type'  => 'text',                         'columns' => '3',                     ),                     array(                         'name'   => 'Language',                         'id'     => 'ab_language',                         'type'   => 'text',                         'columns' => '3',                     ),                     array(                         'name'   => 'Quality',                         'id'     => 'ab_quality',                         'type'   => 'text',                         'columns' => '3',                     ),                     array(                         'name'   => 'Link',                         'id'     => 'ab_linkurl',                         'type'   => 'text',                         'columns' => '3',                         'sanitize_callback' => 'none',                     ),                 ),             ), //input-version             array(                 'name'  => __( 'Shortcode Download', 'meta-box' ),                 'id'    => "{$  prefix}url",                 'type'  => 'textarea',                 'desc'  => 'Example: [dl n="FileHosting" u="http://domain.xxx" s="English" q="HD"]',                 'clone' => 'true',                 'sanitize_callback' => 'none',                 'tab' => 'sc-version',             ),         ),     ); 

here is how they show on the dashboard this the first box enter image description here

here is the second box enter image description here

and thank you in advace 🙂

Why hash on server instead of client? [duplicate]

Please hear me out. I used to scoff at people who asked this question because client-side hashing is “so obviously wrong.” I have read similar questions on this site but haven’t found a satisfactory answer.

Why hash on the server instead of the client?

If the goal is to prevent someone with access to the password database from logging in, then server-side hashing is an absolute must (otherwise someone could just send to the server whatever they stole from the passwords database).

However, my understanding is that the purpose of hashing is to help people who share the same password across many sites. When a password is properly hashed & salted, an attacker cannot as easily brute force the plaintext password then try it on a bunch of other websites.

If mitigating password-reuse attacks is the goal, apart from clients having less hashing power, hashing & salting [0] on the client side makes sense because it means that even a fully compromised server would never see a client’s plaintext password.

What am I missing?

[0] salting is important so that a compromised server cannot re-use hashes to log into other services hashing passwords on the client

What are the repercussions of being able to finish a short rest in only 10 minutes instead of taking 1 hour?

Currently we are playing a horror adventure in D&D 5e. Due to circumstances (beings locked in a haunted house, rooms changing just when we close the doors, etc.), a 1-hour rest is hardly possible.

Our DM ruled that short rests can be as short as 10 minutes. The obvious result is that we can take it. What are other changes that we, both players and DM, should be aware of?

If it matters, party consists of Lore Bard, Vengeance Paladin, Chaos Sorcerer and Divination Wizard, all level 3.

Can I pretend to be casting from a spell scroll, but instead cast normally, or vice versa?

I’m wondering if, while I’m casting normally I can pretend to be casting from the scroll I’m ‘reading’ in front of my eyes. Or if I can do the opposite, read a scroll while pretending to perform a spell using falsified verbal, somatic, and material components. I have devised this as a shenanigan for fooling a mage with counterspell. Which is the main strategy my character would rely on for dealing with pesky mages.

Note that 5e doesn’t specify what it means to read. So I’m using the lexical definition that google gives for what it means to read:

“[To] look at and comprehend the meaning of written or printed matter by mentally interpreting the characters or symbols of which it is composed.

This would free up the verbal component needed to cast spells. I’m fine if an answer refutes this last point as I understand 5e doesn’t define the requirements for reading a scroll.

[ Politics ] Open Question : Why was storm played by a biracial woman instead of a black woman?

In the comics storm is an african black woman surely halle berry doesn’t fit that description storm was married to black panther in the comics they had a child with electricity powers my point is why did they get halle berry who is biracial and not a black woman like what storm is supposed to be.

The accounting Method analysis for table expansion by tripleling instead of doubling an array

If we double the array every time we get the amortized cost of 3n or 3$ if you prefer.

I was wondering what would it be if we tripled the array size instead of doubling it.

The rational between the 3$ cost for every insertion is as follow:

  • 1 dollar for the insertion of an element.
  • 1 dollar is saved for when it will have to move itself to the new array with double the size
  • 1 dollar paying for another element then itself when transfer will be required.

I can’t seem to find the cost for an array that triple each time.

Why not sandbox websites instead of using Same-Origin-Policy?

Why do Browsers implement a Same-Origin-Policy (SOP) to prevent open websites in the browser from executing scripts that may access / modify data of other open websites in the used browser?

Another more ‘usual’ approach would be to simply sandbox each open website, i.e. every website ‘thinks’ to be the only website on the browser. This approach is in my opinion more familiar to prevent an attack of e.g. evil.com accessing data from bank.com.

Is there any advantage in using SOP with respect to sandboxing?