How secure is OAuth when it is used in WCF?

  • Question

  • When we are not using any certificate, then tell me how secure OAuth is when it is used in WCF against a man-in-the-middle attack?

    I do not know how OAuth works, but I just assumed that in OAuth the WCF client first sends credentials to the WCF service, and the WCF service sends those credentials to Google or Yahoo etc. Those sites validate the credentials and send a token to the WCF service, the WCF service passes that token on to the WCF client, and the WCF client sends that token with all subsequent calls to the service.

    If my assumption is not correct then please correct me with a story of how OAuth works.

    If my assumption is correct then a middle man can steal that token and send a request to the service with that token to claim he is a valid user. So tell me how we can secure a WCF token-based system so that if a middle man steals the token he/she will not be able to use it.

    Thanks

    Friday, December 23, 2016 7:42 PM

All replies

  • Hi Mou_inn,

    How do you use OAuth in WCF? In OAuth, the client would not send credentials to Google. Credentials are not sent from the client to an Authorization Server like Google. For the complete protocol flow, I suggest you refer to the link below.

    # OAuth 2.0 Bearer Token Usage

    https://tools.ietf.org/html/rfc6750#section-2

    For access token protection, it depends on which authorization flow you use. To protect the access token, you could use the authorization code flow, which will need TLS.

    You could refer to the link below for more information.

    # Would this work to protect a cookie with an OAuth token?

    http://security.stackexchange.com/questions/102797/would-this-work-to-protect-a-cookie-with-an-oauth-token

    For the OAuth 2.0 Authorization Framework, I suggest you refer to the link below.

    # The OAuth 2.0 Authorization Framework

    https://tools.ietf.org/html/rfc6749

    Best Regards,

    Edward

    MSDN Community Support
    Monday, December 26, 2016 6:22 AM
  • Nowadays many web sites provide OAuth support. Say a web site like book.com (an imaginary web site) lets its customers log in to that web site through a Facebook or Google account. So when a user goes to that web site and tries to log in with his Facebook login, the user is redirected to the Facebook site, where the user provides his credentials and clicks the OK button, and then an OAuth token is returned to the book.com site.

    1) So in WCF, how does OAuth work?

    2) When a user invokes a WCF service, will the service return a URL where the client has to provide credentials to get a token?

    3) Please tell me briefly the story of how a client provides his FB credentials to claim he is a valid user to a WCF service?

    4) You said: "For Access token protection, it depends on which authorization flow you used. To protect Access token, you could use authorization code flow which will need TLS."

    TLS means HTTPS and a certificate. So are you trying to say that a certificate will be required to protect the access token?

    Please guide me.

    Monday, December 26, 2016 8:25 PM
  • Hi Mou_inn,

    OAuth is not really designed for WCF services. OAuth is for end users, who can accept or refuse the auth process. WCF is designed for machine-to-machine conversations. WCF services have their own security implementation: message security and transport security.

    Best Regards,

    Edward


    MSDN Community Support
    Tuesday, December 27, 2016 6:41 AM