OAuth Client Authentication with Escape¶

Description¶

The 'OAuth Client Credentials' preset is tailored for authentication using the OAuth 2.0 client credentials grant, ideal for service accounts:

OAuth Token Endpoint: Directs authentication requests to the token endpoint of an OpenID Connect server.
Service Account Credentials: Utilizes client IDs and secrets to authenticate, representing service accounts rather than individual end-users.
Token Generation: Designed to obtain access tokens for service accounts without the need for a user's password.

This preset is particularly effective for scenarios where applications or services themselves need to authenticate, independent of a user's direct involvement.

Examples¶

presets:
-   type: oauth_client_credentials
    url: https://oauth.example.com/token
    users:
    -   username: serviceAccount1
        allow_failure: false
        basic_style: false
        client_id: serviceClientID1
        client_secret: serviceSecret1
        main_user: false
    -   username: serviceAccount2
        allow_failure: false
        audience: https://api.my-cloud.com/user+https://some-tenant.my-cloud.com/
        basic_style: false
        client_id: serviceClientID2
        client_secret: serviceSecret2
        main_user: false
        scopes:
        - create
        - delete

Extensive Configuration¶

Property	Type	Default	Description
`type` *	`Const[oauth_client_credentials]`	`oauth_client_credentials`
`url` *	`string`		The URL of the token endpoint of the OpenIDConnect server
`users` *	`List[`OAuthClientCredentialsUserPreset`]`		A list of users to create

Objects¶

OAuthClientCredentialsUserPreset¶

Property	Type	Default	Description
`allow_failure`	`boolean`	`false`	If false, authentication failure for this user will fail the scan. Ignored for the main user: failures for main user are always fatal.
`audience`	`string`	`null`	The audience to request for the user. If not specified, no audience will be requested.
`basic`	`string`	`null`	The basic to attach Reach the Login Page and attack to the HTTP requests sent for this user.
`basic_style`	`boolean`	`false`	Whether to use the basic style of authentication where client_id and client_secret are encoded in the Authorization header.
`client_id` *	`string`		The client ID to use for the OAuth requests
`client_secret` *	`string`		The client secret to use for the OAuth requests
`cookies`	`Dict[string, string]`	`null`	Optional cookies injected during the authentication process and in authenticated requests.
`digest`	`string`	`null`	The digest to attach Reach the Login Page and attack to the HTTP requests sent for this user.
`headers`	`Dict[string, string]`	`null`	Optional headers injected during the authentication process and in authenticated requests.
`main_user`	`boolean`	`false`	When running a WebApp Testing scan, this indicates that the scanner must use this user when crawling. There must be only one main user per scan. If none is provided, a random user will be selected.
`query_parameters`	`Dict[string, string]`	`null`	Optional query parameters injected during the authentication process and in authenticated requests.
`role`	`string`	`null`	The role of the user (e.g., admin, user).
`scopes`	`List[string]`	`null`	A list of scopes to request for the user. If not specified, no scope will be requested.
`username` *	`string`		The arbitrary username given to the user.