OAuth Client Authentication with Escape¶
Description¶
The 'OAuth Client Credentials' preset is tailored for authentication using the OAuth 2.0 client credentials grant, ideal for service accounts:
- OAuth Token Endpoint: Directs authentication requests to the token endpoint of an OpenID Connect server.
- Service Account Credentials: Utilizes client IDs and secrets to authenticate, representing service accounts rather than individual end-users.
- Token Generation: Designed to obtain access tokens for service accounts without the need for a user's password.
This preset is particularly effective for scenarios where applications or services themselves need to authenticate, independent of a user's direct involvement.
Examples¶
presets:
- type: oauth_client_credentials
url: https://oauth.example.com/token
users:
- username: serviceAccount1
client_id: serviceClientID1
client_secret: serviceSecret1
main_user: false
- username: serviceAccount2
audience: https://api.my-cloud.com/user+https://some-tenant.my-cloud.com/
client_id: serviceClientID2
client_secret: serviceSecret2
main_user: false
scopes:
- create
- delete
Extensive Configuration¶
| Property | Type | Default | Description |
|---|---|---|---|
type * | Const[oauth_client_credentials] | oauth_client_credentials | |
url * | string | The URL of the token endpoint of the OpenIDConnect server | |
users * | List[OAuthClientCredentialsUserPreset] | A list of users to create |
Objects¶
OAuthClientCredentialsUserPreset¶
| Property | Type | Default | Description |
|---|---|---|---|
audience | string | null | The audience to request for the user. If not specified, no audience will be requested. |
basic | string | null | The basic to attach Reach the Login Page and attack to the HTTP requests sent for this user. |
client_id * | string | The client ID to use for the OAuth requests | |
client_secret * | string | The client secret to use for the OAuth requests | |
cookies | Dict[string, string] | null | Optional cookies injected during the authentication process and in authentified requests. |
digest | string | null | The digest to attach Reach the Login Page and attack to the HTTP requests sent for this user. |
headers | Dict[string, string] | null | Optional headers injected during the authentication process and in authentified requests. |
main_user | boolean | false | When running a frontend DAST scan, this indicates that the scanner must use this user when crawling. There must be only one main user per scan. If none is provided, a random user will be selected. |
query_parameters | Dict[string, string] | null | Optional query parameters injected during the authentication process and in authentified requests. |
scopes | List[string] | null | A list of scopes to request for the user. If not specified, no scope will be requested. |
username * | string | The arbitrary username given to the user. |