How to send authentication token via SMS for a REST API

I want to call my REST API with encrypted SMS(with some intermediate server and a shared key by client and server which is transmitted via SSL), I have problem with sending requests that need authentication, When user have internet connection, JWT tokens are sent and everything is good, But if I want to call the same method with SMS, Sending JWT token makes my request very long which is not acceptable for me.

I was wondering instead of JWT tokens, I store information inside token into a table named token and only send encrypted id of that table to mobile client and since the id is much smaller than token, It satisfies my requirement.

I was wondering what is drawback of this approach? I mean instead of sending a signed token, I send an encrypted id to client. All the information about token(userId, timeStamp, clientIP, user mobile number …) are stored in a table named Tokens which has foreign key to signed in user.

Replay attacks, Stolen token I guess are handled by client IP or mobile number, What else do you think?

Another point I want to add is that my server is only used by a web client and a mobile app and nothing more !

Sharepoint Online Rest API – VBA – 401 unauthorized – SPOIDCRL token

I’m trying to use the rest api to get info about a doc library but keep getting 401 unauthorized – the code below worked for a bit for me but not other users now it doesn’t work for me either…

I modified this answer to generate an SPOIDCRL token of the form “SPOIDCRL=[big long string]”

Now I’m querying the sharepoint doc library and passing the SPOIDCRL in the header:

Function GetSPList(Optional boolGetAuthCookie As Boolean = True) As String 'Dim xmlHttp As MSXML2.XMLHTTP60 'Set xmlHttp = New MSXML2.XMLHTTP60 Dim xmlHttp As WinHttp.WinHttpRequest Set xmlHttp = New WinHttp.WinHttpRequest ''Dim xmlHttp As MSXML2.ServerXMLHTTP60 ''Set xmlHttp = New MSXML2.ServerXMLHTTP60 

I’ve tried all three of the above for the query, same result

Dim strListsAPI As String  strListsAPI = "_api/web/lists('" & [{guid of doc library}] & "')/" Dim strURL As String, strHeader As String, strBody As String Dim strDummy As String, strToken As String  If boolGetAuthCookie Then    strToken = testAuth ' this is the function adapted from the linked answer End If 'Debug.Print strToken strURL = [https://domain/site/] & strListsAPI & "Items" '& "?$  select=FieldValuesAsText"  strURL = strURL + "?$  select=FileLeafRef,Modified"    strURL = strURL & "&$  filter=FileLeafRef eq '[Filename].xlam'" '& randomURLAppend  Debug.Print strURL 

If i copy the url created above and paste into a browser I get a result returned in the browser that I expect. (“randomURLAppend” was a thing that I tried where I added a random parameter to the end of the url in case it was something to do with the caching of the results – it didn’t work)

With xmlHttp .Open "GET", strURL, False      .setRequestHeader "Content-Type", "text/xml; charset=utf-8"      .setRequestHeader "Cache-Control", "no-cache"       .setRequestHeader "Authorization", "Bearer " & strToken      .setRequestHeader "X-FORMS_BASED_AUTH_ACCEPTED", "f"     .setRequestHeader "accept", "application/xml" '    Debug.Print .readyState      .send ("") GetSPList = .responseText     Debug.Print "###############", strDummy, .Status, .StatusText .abort 

End With Set xmlHttp = Nothing End Function

I think that it might be something to do with the authentication cookie (SPOIDCRL) not being recognised or maybe expiring, however this is my first proper attempt at doing HTTP requests (I’m not a professional, I’m just trying to solve a problem at work…)

I’ve double and triple checked the permission on the library and I have full read/write access.

Can anyone help… please?

Configure Burp to pass dynamic authentication token from the past response to the next request in intruder

I would like to reuse an authentication token (which is dynamic) between a response and a request in Burp Suite intruder.

By dynamic I mean that the token is invalidated after being sent to the server and that we get a new token in the response.

Here is what is happening: uml-ish_schematic Please note that in the request the token is in the body and that in the response it’s a custom header (Token: x)

LinkedIn API Get Access Token Failed

We are trying to implement the LinkedIn API authentication module based on: https://docs.microsoft.com/en-us/linkedin/shared/authentication/authorization-code-flow?context=linkedin/context.

We have the redirect url for the application setup as our company’s main page (https://www.{site}.com) and we are able to get the auth code from the redirect URL. However, it gives us 401 error below when exchange for access token:

b'{"error":"invalid_request","error_description":"Unable to retrieve  access token: authorization code not found"}'  

The weird thing is, it works and we are able to get exchange the code for access token if we switch the redirect url to a different site like https://www.example.com in the API Console. Below is the Py3 code we use:

from requests_oauthlib import OAuth2Session from requests_oauthlib.compliance_fixes import linkedin_compliance_fix  # Credentials and redirect uri you get from registering a new application client_id = 'client_id' client_secret = 'client_secret' redirect_url = 'redirect_url'   # OAuth endpoints given in the LinkedIn API documentation (check for updates) authorization_base_url = 'https://www.linkedin.com/oauth/v2/authorization' token_url = 'https://www.linkedin.com/oauth/v2/accessToken'  # Authorized Redirect URL (from LinkedIn config) o2_session = OAuth2Session(client_id=client_id, redirect_uri=redirect_url, scope=['rw_ads', 'r_ads_reporting']) linkedin = linkedin_compliance_fix(o2_session)  # Redirect user to LinkedIn for authorization authorization_url, state = linkedin.authorization_url(authorization_base_url)  print('Please go here and authorize,', authorization_url)  # Get the authorization verifier code from the callback url redirect_response = input('Paste the full redirect URL here:') linkedin.fetch_token(token_url, include_client_id=client_id, client_secret=client_secret, authorization_response=redirect_response) token = linkedin.access_token 

Can anyone think of any reason could cause this weird different behaviors for different redirect URLs.

Why do we need token authentication?

If I’m creating an authorization service for my application, why can’t I just hash the password and save the the username and hashed password in my User table? Why should I use a token authentication service like JWT? I don’t think I’m right but I feel like I’m missing something here.

Armazenamentos de access token (token JWT)

Estou enfrentando a necessidade de armazenar o access token de um usuário que efetuou login através de um método com OAuth2, esse token JWT será utilizado para minha aplicação de frontend, escrita em React, efetuar chamadas para uma API “em nome do usuário”.

Contudo, esse dado que ao meu ver é sensível como deve ser armazenado no cliente?

Sei de algumas opções como localStorage ou cookies, mas gostaria de entender quais são os prós e contras de qualquer solução para o armazenamento desse tipo de dado.

Aquire access token via HTTP request

I’m writing a Java app that aquires a token via the provided MS utility lib called adal4j.

It provides finished methods, I just need to provide the username, password, authority and my clientid. The code looks like this and works perfectly:

public AuthenticationResult getAccessTokenFromUserCredentials() throws Exception {         AuthenticationContext context;         AuthenticationResult result;         ExecutorService service = null;         try {             service = Executors.newFixedThreadPool(1);             context = new AuthenticationContext(this.authority, false, service);             Future<AuthenticationResult> future = context.acquireToken(                     "https://mysite.sharepoint.com", this.clientId, this.userName, password,                     null);             result = future.get();         } finally {             service.shutdown();         }          if (result == null) {             throw new ServiceUnavailableException(                     "authentication result was null");         }         return result;     } 

As I said, this works perfectly, but due to some proxy issues cannot be used where I need to use it.

My question is, can I get the accessToken via a simple HTTP request somehow? Like:

HttpURLConnection conn = (HttpURLConnection) url.openConnection(); conn.setRequestMethod("GET"); conn.setRequestProperty("username", username); conn.setRequestProperty("password", password); 

Any tips for getting an access token from Java with a simple HTTP request would be greatly appreciated, thanks!

Unexpected token error thrown by JSON parse

Need some help in figuring out this JSON error.

This is just a sample code provided in Mastercard payment gateway documentation. I am trying to test it with test data provided by the merchant. I ran the code through a validator and it doesn’t return any errors.

Here is the code I’m trying to execute.

<!DOCTYPE html> <html>     <head>         <script src="https://test-gateway.mastercard.com/checkout/version/52/checkout.js"                 data-error="errorCallback"                 data-cancel="cancelCallback">         </script>          <script type="text/javascript">             function errorCallback(error) {                   console.log(JSON.stringify(error));             }             function cancelCallback() {                   console.log('Payment cancelled');             }              Checkout.configure({                 "merchant" : "TEST",                 "order" : {                     "amount" : 1000,                     "currency" : "USD",                     "description" : "Ordered goods" ,                     "id" : 123                  },                 "interaction" : {                     "operation" : "AUTHORIZE",                      "merchant" : {                         "name" : "ABC Hotel" ,                         "address" : {                             "line1" : "some road" ,                             "line2" : "some city"                                   }                         }                 }             });          </script>     </head>     <body>         ...         <input type="button" value="Pay with Lightbox" onclick="Checkout.showLightbox();" />         <input type="button" value="Pay with Payment Page" onclick="Checkout.showPaymentPage();" />         ...     </body> </html>

enter image description here

not able to configure a provider with token in angular without defining the string

I am trying to create a provider in the module as shown below but getting an error saying that MY_TOKEN is not defined. Is it necessary to put quotes around this literal as I think that following code snippet is legal. Does it have it have to be an import or a string constant if I have to use it. Will it not automatically treat MY_TOKEN as a string literal?

 providers: [{provide : MY_TOKEN, useValue:'dfd'},