OAuth ROPC Authentication with Escape¶

Description¶

The 'OAuth Resource Owner Password Credentials' preset implements the OAuth 2.0 Resource Owner Password Credentials grant type (RFC 6749, Section 4.3):

Token Endpoint: Authentication requests are sent to the OAuth 2.0 authorization server's token endpoint to exchange user credentials for access tokens.
Client Authentication: Uses client ID and client secret to authenticate the OAuth client application with the authorization server.
Resource Owner Credentials: Directly uses the resource owner's (user's) username and password to obtain access tokens, bypassing the typical authorization code flow.
Scope Support: Optional scope parameters can be included to request specific access permissions.

Important: This grant type should only be used when there is a high degree of trust between the resource owner and the client (e.g., first-party applications), as it involves handling user passwords directly. RFC 6749 recommends this flow only when other OAuth flows are not viable.

Examples¶

presets:
-   type: oauth_ropc
    url: https://oauth.example.com/token
    client_id: client123
    client_secret: secretXYZ
    users:
    -   username: user1
        main_user: false
        password: pass1
    -   username: user2
        main_user: false
        password: pass2
    -   username: user3
        main_user: false
        password: pass3
        scopes:
        - create
        - delete

Extensive Configuration¶

Property	Type	Default	Description
`client_id` *	`string`		The client ID to use for the OAuth requests
`client_secret` *	`string`		The client secret to use for the OAuth requests
`type` *	`Const[oauth_ropc]`	`oauth_ropc`
`url` *	`string`		The URL of the token endpoint of the OpenIDConnect server
`users` *	`List[`OAuthROPCUserPreset`]`		A list of users to create

Objects¶

OAuthROPCUserPreset¶

Property	Type	Default	Description
`basic`	`string`	`null`	The basic to attach Reach the Login Page and attack to the HTTP requests sent for this user.
`cookies`	`Dict[string, string]`	`null`	Optional cookies injected during the authentication process and in authentified requests.
`digest`	`string`	`null`	The digest to attach Reach the Login Page and attack to the HTTP requests sent for this user.
`headers`	`Dict[string, string]`	`null`	Optional headers injected during the authentication process and in authentified requests.
`main_user`	`boolean`	`false`	When running a frontend DAST scan, this indicates that the scanner must use this user when crawling. There must be only one main user per scan. If none is provided, a random user will be selected.
`password` *	`string`		The password of the user.
`query_parameters`	`Dict[string, string]`	`null`	Optional query parameters injected during the authentication process and in authentified requests.
`scopes`	`List[string]`	`null`	A list of scopes to request for the user. If not specified, no scope will be requested.
`username` *	`string`		The username of the user.