
OAuth ROPC Authentication with Escape

Description

The 'OAuth Resource Owner Password Credentials' preset implements the OAuth 2.0 Resource Owner Password Credentials grant type (RFC 6749, Section 4.3):

  • Token Endpoint: Authentication requests are sent to the OAuth 2.0 authorization server's token endpoint to exchange user credentials for access tokens.
  • Client Authentication: Uses client ID and client secret to authenticate the OAuth client application with the authorization server.
  • Resource Owner Credentials: Directly uses the resource owner's (user's) username and password to obtain access tokens, bypassing the typical authorization code flow.
  • Scope Support: Optional scope parameters can be included to request specific access permissions.

Important: This grant type should only be used when there is a high degree of trust between the resource owner and the client (e.g., first-party applications), because the client handles the user's password directly and the authorization server cannot tell a legitimate client from one that has phished the credentials. RFC 6749 (Section 4.3) tells authorization servers to enable it only when other flows are not viable, and the OAuth 2.0 Security Best Current Practice (RFC 9700) states that it MUST NOT be used at all. Treat this preset as a convenience for driving a scanner with dedicated test accounts: the credentials and client secret below sit in plaintext in the configuration, so use accounts and a client registration provisioned for scanning rather than production ones.

Examples

presets:
-   type: oauth_ropc
    url: https://oauth.example.com/token
    client_id: client123
    client_secret: secretXYZ
    users:
    -   username: user1
        main_user: false
        password: pass1
    -   username: user2
        main_user: false
        password: pass2
    -   username: user3
        main_user: false
        password: pass3
        scopes:
        - create
        - delete
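The exchange the preset performs, as an added example that is not Escape's own code: the client builds the password-grant token request (RFC 6749 Section 4.3.2) with HTTP Basic client authentication (Section 2.3.1), and an in-process mock token endpoint validates it and answers per Sections 5.1 and 5.2, so the whole round trip runs offline. The client/user store, the `mock_token_endpoint` function and the `obtain_bearer_header` helper are constructed for this illustration; the identifiers (client123, secretXYZ, user1..user3, the create/delete scopes) are taken from the YAML example above. Replace `transport` with a real HTTP POST to talk to an actual authorization server.

```python
"""Resource Owner Password Credentials grant, client and server side, offline.

Added example, not Escape's code. CLIENTS/USERS/ALLOWED_SCOPES are a constructed
registration store; mock_token_endpoint stands in for the real token endpoint.
"""
import base64
import hmac
import secrets
from urllib.parse import parse_qs, quote, unquote, urlencode


def build_ropc_token_request(url, client_id, client_secret, username, password, scopes=None):
    """Return (url, headers, form_body) for a password-grant token request.

    RFC 6749 Section 2.3.1: client_id and client_secret are form-urlencoded
    *before* being joined with ':' and base64-encoded for HTTP Basic, which
    matters for secrets containing ':' or '%'. The resource owner's credentials
    travel in the POST body (Section 4.3.2), never in the URL.
    """
    user_pass = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}".encode()
    headers = {
        "Authorization": "Basic " + base64.b64encode(user_pass).decode("ascii"),
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    form = {"grant_type": "password", "username": username, "password": password}
    if scopes:
        form["scope"] = " ".join(scopes)  # scope is a space-delimited list (Section 3.3)
    return url, headers, urlencode(form)


# Constructed sample registration data for the in-process authorization server.
CLIENTS = {"client123": "secretXYZ"}
USERS = {"user1": "pass1", "user2": "pass2", "user3": "pass3"}
ALLOWED_SCOPES = {"user3": {"create", "delete"}}


def _eq(expected, given):
    """Constant-time comparison so the mock does not leak secret prefixes via timing."""
    return hmac.compare_digest(expected.encode(), given.encode())


def mock_token_endpoint(headers, body):
    """Minimal token endpoint: returns (status, json) per RFC 6749 Sections 5.1/5.2."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return 401, {"error": "invalid_client"}
    try:
        raw_id, raw_secret = base64.b64decode(auth[6:], validate=True).decode().split(":", 1)
    except (ValueError, UnicodeDecodeError):
        return 401, {"error": "invalid_client"}
    client_id, client_secret = unquote(raw_id), unquote(raw_secret)
    known_secret = CLIENTS.get(client_id)
    if known_secret is None or not _eq(known_secret, client_secret):
        return 401, {"error": "invalid_client"}

    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if form.get("grant_type") != "password":
        return 400, {"error": "unsupported_grant_type"}
    username, password = form.get("username", ""), form.get("password", "")
    known_password = USERS.get(username)
    if known_password is None or not _eq(known_password, password):
        return 400, {"error": "invalid_grant"}  # same error for unknown user and wrong password

    requested = set(form.get("scope", "").split())
    if requested - ALLOWED_SCOPES.get(username, set()):
        return 400, {"error": "invalid_scope"}

    token = {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "expires_in": 3600}
    if requested:
        token["scope"] = " ".join(sorted(requested))
    return 200, token


def obtain_bearer_header(client_id, client_secret, user, transport=mock_token_endpoint,
                         url="https://oauth.example.com/token"):
    """Run the exchange for one user entry (username/password/optional scopes) and
    return the Authorization header to attach to that user's scan requests.

    transport(headers, body) -> (status, json) is the token endpoint; the default
    is the in-process mock. A failed exchange raises with the RFC error code so a
    misconfigured preset fails loudly instead of scanning unauthenticated.
    """
    _, headers, body = build_ropc_token_request(
        url, client_id, client_secret, user["username"], user["password"], user.get("scopes")
    )
    status, resp = transport(headers, body)
    if status != 200 or "access_token" not in resp:
        raise RuntimeError(f"token request for {user['username']!r} failed: {resp.get('error')}")
    if resp.get("token_type", "").lower() != "bearer":  # token_type is case-insensitive (Section 5.1)
        raise RuntimeError(f"unexpected token_type {resp.get('token_type')!r}")
    return {"Authorization": f"Bearer {resp['access_token']}"}


if __name__ == "__main__":
    user3 = {"username": "user3", "password": "pass3", "scopes": ["create", "delete"]}
    print(obtain_bearer_header("client123", "secretXYZ", user3)["Authorization"][:20] + "...")
```

Two details in the example are common interop mistakes worth checking against a real server: the form-urlencoding of the client credentials inside the Basic header, and the case-insensitive `token_type` comparison. The mock returns `invalid_scope` when a user requests a scope they are not allowed, which is what you will see from most servers if a `scopes` list in the preset does not match the client's registration.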

Extensive Configuration

Property          Type                        Default      Description
client_id *       string                      -            The client ID used to authenticate the OAuth client at the token endpoint
client_secret *   string                      -            The client secret used to authenticate the OAuth client at the token endpoint
type *            Const[oauth_ropc]           oauth_ropc   Selects this preset
url *             string                      -            The URL of the OAuth 2.0 authorization server's token endpoint (for an OpenID Connect provider, the token_endpoint value from its discovery document)
users *           List[OAuthROPCUserPreset]   -            The users the scanner authenticates as, one OAuthROPCUserPreset entry per user (see Objects below)

* required property

Objects

OAuthROPCUserPreset

Property           Type                   Default   Description
basic              string                 null      HTTP Basic credentials to attach to the HTTP requests sent for this user.
cookies            Dict[string, string]   null      Optional cookies injected during the authentication process and in authenticated requests.
digest             string                 null      HTTP Digest credentials to attach to the HTTP requests sent for this user.
headers            Dict[string, string]   null      Optional headers injected during the authentication process and in authenticated requests.
main_user          boolean                false     When running a frontend DAST scan, the scanner crawls as this user. There must be at most one main user per scan; if none is set, a random user is selected.
password *         string                 -         The password of the user, sent as the resource owner's password in the token request.
query_parameters   Dict[string, string]   null      Optional query parameters injected during the authentication process and in authenticated requests.
scopes             List[string]           null      Scopes to request for the user, sent as a space-delimited scope parameter. If not specified, no scope parameter is sent and the authorization server applies its default (or rejects the request).
username *         string                 -         The username of the user.

* required property