Federated Identity Lab - 5huckle/OFFICIALTECHJOURNAL GitHub Wiki
Intro
In this lab we do a deep dive into how OAuth 2 actually works, and we implement some simple but effective Github tradecraft procedures to keep sensitive data out of our source code repository.
Overview of Steps for the Lab
- Create an OAuth “test” app on Github
- Configure a Flask webapp on xubuntu-wan that uses the Github OAuth “Test” app
- Monitor the OAuth process using Firefox Developer mode
- Create an OAuth “prod” app on Github
- Clone and update the Flask app to an AWS EC2 instance - and configure to use the OAuth “Prod” app
- Tech Journal and Reflection
Step One: Create OAuth Test App in Github
- Settings > Developer Settings > New OAuth App. Doing this will generate the following information:
  - A client ID (this is public)
  - A client secret (guard this like a private key)
- You will need to specify some things for your application:
  - Github App Name: OAuth-Test-SEC-440
  - Homepage: https://127.0.0.1:5000
  - Callback: https://127.0.0.1:5000/callback
After creating the application, you will need to generate a private key. Github should link you to this immediately after creation.
Step Two: Test Environment Setup
Goal: Create a Flask web app to run under python3's “venv” module
The web app source code works, but you will need to adjust it so that sensitive data is not mixed into your source code and so that the application runs over TLS (self-signed is just fine). See the demo for specific guidance.
On xubuntu-wan we install some python packages:
```bash
apt install python3-pip build-essential libffi-dev python3-dev python3-setuptools libssl-dev
apt install python3.10-venv
pip3 install virtualenvwrapper
```
Next, we need to create the directory structure that will allow our app to run.
Steps:
Creating the Flask App
```bash
mkdir OAuthLab
cd OAuthLab
sudo nano creds.json
```
Enter the following text into the file:
```json
{
"client_id":"potato",
"client_secret":"carrot",
"authorization_base_url":"https://github.com/login/oauth/authorize",
"token_url":"https://github.com/login/oauth/access_token"
}
```
Replace 'potato' and 'carrot' with the client ID and client secret from your Github app.
Next, create another file named webapp.py:
```bash
sudo nano webapp.py
```
Then, browse to this website and copy the code you see into webapp.py
You will need to edit the code to work in your favor. You want it to:
- Import json and have it read from creds.json:
```python
import json

# Load the OAuth client credentials from creds.json, which stays out of git
with open("creds.json", "r") as fileObject:
    creds = json.load(fileObject)
```
- Change the variables to use the values from creds.json:
```python
client_id = creds['client_id']
client_secret = creds['client_secret']
```
- Change the last block to use SSL instead of HTTP:
```python
if __name__ == "__main__":
    # Only needed while the callback is plain HTTP; once the app runs over
    # the adhoc TLS context below this line can be removed so oauthlib
    # enforces https again
    os.environ['OAUTHLIB_INSECURE_TRANSPORT'] = "1"
    app.secret_key = os.urandom(24)
    # app.run(debug=True)
    app.run(ssl_context="adhoc")
```
Next, we create the virtual environment:
```bash
python3 -m venv venv
source venv/bin/activate
```
Install wheel using pip:
- `pip3 install wheel`
Install the other requirements:
- `pip3 install Flask`
- `pip3 install pyOpenSSL`
- `pip3 install requests_oauthlib`
Now we run the app:
- `python3 webapp.py`
Output should look like this:
Now we connect to the app
Open Firefox and, before you do anything else, right-click and choose Inspect Element. Go to the Network tab, open its settings and tick 'Persist Logs'.
Now browse to https://127.0.0.1:5000 and watch as Github authorizes your application.
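Added example, not the lab's webapp.py or the code from the referenced website: the three legs of the flow you are watching in the Network tab, written with the standard library only so it runs offline. The third leg, the POST to token_url that carries the client secret, goes from Flask straight to Github and never passes through the browser, so only the GET redirects appear in Firefox. Assumptions: the creds.json keys above, the callback URL https://127.0.0.1:5000/callback, and an injectable `post` function so the exchange can be exercised without network access.

```python
import json
import secrets
import urllib.parse
import urllib.request

def load_creds(path="creds.json"):
    # creds.json is git-ignored, so client_secret never lands in the repo
    with open(path, "r") as f:
        return json.load(f)

def build_authorize_url(creds, redirect_uri, scope="user:email"):
    # Leg 1: the browser GET to GitHub. `state` is a per-login CSRF token;
    # keep it in the user's session and compare it again on the callback.
    state = secrets.token_urlsafe(16)
    query = urllib.parse.urlencode({
        "client_id": creds["client_id"],
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    })
    return creds["authorization_base_url"] + "?" + query, state

def parse_callback(callback_url, expected_state):
    # Leg 2: GitHub redirects the browser to /callback?code=...&state=...
    qs = urllib.parse.parse_qs(urllib.parse.urlparse(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or stale login")
    return qs["code"][0]

def _http_post(url, data, headers):
    req = urllib.request.Request(url, data=data, headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.read()

def exchange_code(creds, code, redirect_uri, post=_http_post):
    # Leg 3: server-to-server POST to token_url. This is the only place the
    # client secret is used, and the browser never sees this request.
    body = urllib.parse.urlencode({
        "client_id": creds["client_id"],
        "client_secret": creds["client_secret"],
        "code": code,
        "redirect_uri": redirect_uri,
    }).encode()
    raw = post(creds["token_url"], body, {"Accept": "application/json"})
    token = json.loads(raw)
    if "access_token" not in token:
        raise RuntimeError("token exchange failed: %s" % token.get("error"))
    return token["access_token"]
```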
Troubleshooting
I was having an issue where I could not apt-get or apt install anything on xubuntu-wan, despite having full internet connectivity.
The issue ended up being my default gateway. It was set to my Vyos VRRP address instead of the class gateway. Adjusting the default gateway from .110 to .2 fixed the issue.
Deliverables
- I could not find any 'POST' logs despite many attempts. If I do find it, I will update this.
- While I do have successful GET packets, I only have 4 packets that lead to two locations, so I assume that this is not the intended information I am supposed to be retrieving.
- Application uploaded to github check