OAuth Client Authentication with Escape

Description

The 'OAuth Client Credentials' preset is tailored for authentication using the OAuth 2.0 client credentials grant, ideal for service accounts:

  • OAuth Token Endpoint: Directs authentication requests to the token endpoint of an OpenID Connect server.
  • Service Account Credentials: Utilizes client IDs and secrets to authenticate, representing service accounts rather than individual end-users.
  • Token Generation: Designed to obtain access tokens for service accounts without the need for a user's password.

This preset is particularly effective for scenarios where applications or services themselves need to authenticate, independent of a user's direct involvement.

Examples

presets:
-   type: oauth_client_credentials
    url: https://oauth.example.com/token
    users:
    -   username: serviceAccount1
        client_id: serviceClientID1
        client_secret: serviceSecret1
        main_user: false
    -   username: serviceAccount2
        audience: https://api.my-cloud.com/user+https://some-tenant.my-cloud.com/
        client_id: serviceClientID2
        client_secret: serviceSecret2
        main_user: false
        scopes:
        - create
        - delete
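To make concrete what the preset above turns into on the wire, here is an added example (not Escape's own code) that takes a user entry shaped like `serviceAccount2` and builds the client credentials token request defined in RFC 6749 section 4.4, then parses the token endpoint's reply and derives the bearer header that would be attached to scan traffic. It sends nothing over the network; the token endpoint URL, client ID, secret and the sample responses are constructed values copied from or modelled on the example, and the choice to send the client credentials as an HTTP Basic header rather than in the form body is an assumption, since the page does not state which client authentication method the preset uses.

```python
"""Client credentials grant helper built from an Escape-style preset user.

Added example; not Escape's own implementation. No network calls are made.
"""
import base64
import json
from urllib.parse import urlencode

# Constructed sample mirroring the second user of the preset example.
TOKEN_URL = "https://oauth.example.com/token"
PRESET_USER = {
    "username": "serviceAccount2",
    "audience": "https://api.my-cloud.com/user+https://some-tenant.my-cloud.com/",
    "client_id": "serviceClientID2",
    "client_secret": "serviceSecret2",
    "scopes": ["create", "delete"],
}

# Constructed token endpoint replies (success and an RFC 6749 error body).
SAMPLE_OK = '{"access_token":"constructed-token","token_type":"Bearer","expires_in":3600}'
SAMPLE_ERR = '{"error":"invalid_client"}'


def build_token_request(user, token_url):
    """Return (url, headers, form_body) for the client_credentials grant.

    Assumption: client_id/client_secret go in an HTTP Basic Authorization
    header (RFC 6749 section 2.3.1). Scopes are space-joined into a single
    'scope' parameter; 'audience' is only sent when the preset sets it.
    """
    creds = f"{user['client_id']}:{user['client_secret']}".encode()
    headers = {
        "Authorization": "Basic " + base64.b64encode(creds).decode(),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    params = {"grant_type": "client_credentials"}
    if user.get("scopes"):
        params["scope"] = " ".join(user["scopes"])
    if user.get("audience"):
        params["audience"] = user["audience"]
    # urlencode percent-encodes the '+' inside the audience so it survives
    # form decoding; a literal '+' would otherwise be read back as a space.
    return token_url, headers, urlencode(params)


def parse_token_response(status, raw_body):
    """Validate the token endpoint reply and return the usable token fields.

    Non-200 replies carry an 'error' code (invalid_client, invalid_scope, ...)
    and are surfaced as PermissionError so a caller never proceeds without a
    real token. A 200 reply must carry a bearer access_token.
    """
    if status != 200:
        try:
            err = json.loads(raw_body).get("error", "unknown_error")
        except ValueError:
            err = "non-json error body"
        raise PermissionError(f"token endpoint returned {status}: {err}")
    data = json.loads(raw_body)
    token = data.get("access_token")
    if not token or str(data.get("token_type", "")).lower() != "bearer":
        raise ValueError("response does not contain a bearer access_token")
    return {"access_token": token, "expires_in": int(data.get("expires_in", 0))}


def bearer_header(token_info):
    """Header the scanner would attach to authenticated requests."""
    return {"Authorization": "Bearer " + token_info["access_token"]}


if __name__ == "__main__":
    url, hdrs, body = build_token_request(PRESET_USER, TOKEN_URL)
    print("POST", url)
    print(hdrs)
    print(body)
    print(bearer_header(parse_token_response(200, SAMPLE_OK)))
```

Running the file prints the exact form body a token endpoint would receive for `serviceAccount2`; when adapting it, keep the secret in the header or body but never in the URL, since query strings end up in proxy and server logs.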

Extensive Configuration

| Property | Type | Default | Description |
|---|---|---|---|
| type * | Const[oauth_client_credentials] | oauth_client_credentials | |
| url * | string | | The URL of the token endpoint of the OpenID Connect server |
| users * | List[OAuthClientCredentialsUserPreset] | | A list of users to create |

Properties marked with * are required.

Objects

OAuthClientCredentialsUserPreset

| Property | Type | Default | Description |
|---|---|---|---|
| audience | string | null | The audience to request for the user. If not specified, no audience will be requested. |
| basic | string | null | The HTTP Basic authentication value to attach to the HTTP requests sent for this user. |
| client_id * | string | | The client ID to use for the OAuth requests |
| client_secret * | string | | The client secret to use for the OAuth requests |
| cookies | Dict[string, string] | null | Optional cookies injected during the authentication process and in authenticated requests. |
| digest | string | null | The HTTP Digest authentication value to attach to the HTTP requests sent for this user. |
| headers | Dict[string, string] | null | Optional headers injected during the authentication process and in authenticated requests. |
| main_user | boolean | false | When running a frontend DAST scan, this indicates that the scanner must use this user when crawling. There must be only one main user per scan. If none is provided, a random user will be selected. |
| query_parameters | Dict[string, string] | null | Optional query parameters injected during the authentication process and in authenticated requests. |
| scopes | List[string] | null | A list of scopes to request for the user. If not specified, no scope will be requested. |
| username * | string | | The arbitrary username given to the user. |

Properties marked with * are required.