Federated Identity Lab - Zacham17/my-tech-journal GitHub Wiki

This lab explores how OAuth works. This lab focuses on implementation of OAuth Applications through GitHub to be used locally on a system, as well as on an AWS EC2 Instance.

OAuth Test App

The following steps will outline how to create an OAuth App in GitHub and access it through a web application locally on the xubuntu-WAN virtual machine.

Creating an OAuth "Test" App in GitHub

An OAuth app can be created in Github in Settings -> Developer Settings.

  • I created a new OAuth App with the settings shown in the screenshot below (screenshot not reproduced here).

Test Environment Setup

The xubuntu-WAN system will be used to test the "test" OAuth Application. A Flask web application will be used. The following steps outline the process of setting up the environment:

  1. Run the following commands to install necessary packages:
  • apt update
  • apt install python3-pip build-essential libffi-dev python3-dev python3-setuptools libssl-dev
  • apt install python3.10-venv
  2. Run the following command to install the Python package virtualenv:
  • pip3 install virtualenvwrapper
  3. Customize the Flask app by following these steps:
  • Create a file called creds.json with the following content, putting the client ID and client secret in the appropriate variables:
{
    "client_id":"CLIENT_ID_GOES_HERE",
    "client_secret":"CLIENT_SECRET_GOES_HERE",
    "authorization_base_url":"https://github.com/login/oauth/authorize",
    "token_url":"https://github.com/login/oauth/access_token"
}

  4. Create a file called webapp.py in the same directory as the JSON file, and add the code that can be found here

Running the Web Application

  1. Create and use a virtual environment using the following commands:
  • python3 -m venv venv
  • source venv/bin/activate
  2. Install requirements using the following commands:
  • pip3 install Flask
  • pip3 install pyOpenSSL
  • pip3 install requests_oauthlib
  3. Run the web application using python3 webapp.py

  4. Using a web browser, navigating to "https://127.0.0.1:5000" will redirect to GitHub, prompt for a login, and then display the JSON content of the user's GitHub profile.

Examining Network Traffic:

During the redirection from the browsed URL to GitHub, the requests can be observed by opening the browser's developer tools on the page and looking at the Network tab. There are various GET and POST requests that include information such as usernames and passwords in plaintext.
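The exchange the two sections above describe (browser redirected to GitHub, login, a code handed back to the callback, the code exchanged for a token, the profile JSON displayed) as an added example that is not the lab's webapp.py and uses neither Flask nor requests_oauthlib: a small stand-in for GitHub's authorize, token and /user endpoints replaces the network, so the flow runs offline and each step can be inspected the way the Network tab would show it. It makes visible which parameters the browser carries in each redirect (client_id, redirect_uri, scope and state on the way out, code and state on the way back), that the client_secret only ever travels in the server-side POST to the token URL, and it enforces the two checks that protect the callback: the state value must match the one this session started with, and a code is single-use. The redirect URI and callback path, the read:user scope and the profile values are assumptions made for the example.

```python
"""Offline walk-through of the GitHub OAuth authorization-code flow from this lab.
Added example (not the lab's webapp.py). Redirect URI, scope and profile values are assumed."""
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed stand-in for creds.json, same keys as the lab's file.
CREDS = json.loads("""{
    "client_id": "CLIENT_ID_GOES_HERE",
    "client_secret": "CLIENT_SECRET_GOES_HERE",
    "authorization_base_url": "https://github.com/login/oauth/authorize",
    "token_url": "https://github.com/login/oauth/access_token"
}""")
REDIRECT_URI = "https://127.0.0.1:5000/callback"  # assumed callback URL of the Flask app


def query_params(url):
    """Single-valued query parameters of a URL: exactly what the Network tab shows for a redirect."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class FakeGitHub:
    """Stand-in authorization server: single-use codes, secret-checked token exchange."""

    def __init__(self, client_id, client_secret):
        self.client_id, self.client_secret = client_id, client_secret
        self._codes = {}      # code -> redirect_uri it was issued for
        self._tokens = set()

    def authorize(self, url):
        """Simulate the user logging in and approving the app: return the redirect
        the browser receives, carrying a fresh one-time code and the state unchanged."""
        q = query_params(url)
        if q.get("client_id") != self.client_id:
            raise ValueError("unknown client_id")
        code = secrets.token_urlsafe(16)
        self._codes[code] = q["redirect_uri"]
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})

    def token(self, form):
        """Token endpoint (server-to-server POST): the only place client_secret travels.
        The code is consumed on use, so a replayed callback gets an error."""
        if (form.get("client_id") != self.client_id
                or form.get("client_secret") != self.client_secret
                or self._codes.pop(form.get("code"), None) != form.get("redirect_uri")):
            return {"error": "bad_verification_code"}
        token = "gho_" + secrets.token_hex(8)
        self._tokens.add(token)
        return {"access_token": token, "token_type": "bearer"}

    def user(self, authorization):
        """GET /user: the profile JSON the lab displays, if the bearer token is valid."""
        prefix = "Bearer "
        token = authorization[len(prefix):] if authorization.startswith(prefix) else ""
        if token in self._tokens:
            return {"login": "octocat-example", "id": 1}   # constructed profile
        return {"message": "Bad credentials"}


class OAuthClient:
    """The relying-party side of the lab's Flask app, without Flask."""

    def __init__(self, creds, redirect_uri):
        self.creds, self.redirect_uri = creds, redirect_uri
        self.session = {}  # stands in for the Flask session cookie

    def authorization_url(self):
        """Step 1: the URL the browser is redirected to. No client_secret is in it."""
        state = secrets.token_urlsafe(16)          # per-login CSRF token
        self.session["oauth_state"] = state
        return self.creds["authorization_base_url"] + "?" + urlencode({
            "client_id": self.creds["client_id"],
            "redirect_uri": self.redirect_uri,
            "scope": "read:user",                  # assumed scope
            "state": state,
        })

    def handle_callback(self, callback_url, server):
        """Step 2: verify state against this session, then exchange the code for a token."""
        q = query_params(callback_url)
        expected = self.session.pop("oauth_state", None)
        if expected is None or not secrets.compare_digest(q.get("state", ""), expected):
            raise ValueError("state mismatch: callback was not started by this session")
        return server.token({
            "client_id": self.creds["client_id"],
            "client_secret": self.creds["client_secret"],
            "code": q.get("code", ""),
            "redirect_uri": self.redirect_uri,
        })


def run_flow(server, client):
    """Drive the whole exchange and return the profile JSON the lab's page shows."""
    callback = server.authorize(client.authorization_url())
    token = client.handle_callback(callback, server)
    return server.user("Bearer " + token["access_token"])


if __name__ == "__main__":
    gh = FakeGitHub(CREDS["client_id"], CREDS["client_secret"])
    print(json.dumps(run_flow(gh, OAuthClient(CREDS, REDIRECT_URI)), indent=2))
```

Running the file prints the constructed profile JSON. In the real app the session dict is the Flask session, the FakeGitHub calls are the HTTPS requests that requests_oauthlib makes, and the state comparison is what keeps an attacker from completing a login in someone else's browser session by handing them a crafted callback URL.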

OAuth Prod App

The following steps will outline how to create an OAuth App in GitHub and access it through a web application that is hosted on an AWS EC2 Ubuntu Instance. A lot of the steps are very similar to the Test App.

Creating an Amazon Instance

In AWS, I created an EC2 Ubuntu instance. I also added it to a security group that allows connections to port 5000, which is the port used by the OAuth web app. This Amazon instance will be used to host the web app that connects to the OAuth app.

Creating an OAuth "Prod" App in GitHub

An OAuth app can be created in Github in Settings -> Developer Settings.

  • I created a new OAuth App with the settings shown in the screenshot below (screenshot not reproduced here).

Environment Setup

The AWS instance will be used to test the "prod" OAuth Application. A Flask web application will be used. The following steps outline the process of setting up the environment. The steps should be completed on the AWS instance:

  1. Run the following commands to install necessary packages:
  • apt update
  • apt install python3-pip build-essential libffi-dev python3-dev python3-setuptools libssl-dev
  • apt install python3.10-venv
  2. Run the following command to install the Python package virtualenv:
  • pip3 install virtualenvwrapper
  3. Customize the Flask app by following these steps:
  • Create a file called creds.json with the following content, putting the client ID and client secret in the appropriate variables:
{
    "client_id":"CLIENT_ID_GOES_HERE",
    "client_secret":"CLIENT_SECRET_GOES_HERE",
    "authorization_base_url":"https://github.com/login/oauth/authorize",
    "token_url":"https://github.com/login/oauth/access_token"
}

  4. Create a file called webapp.py in the same directory as the JSON file, and add the code that can be found here
  • For this file, change the final line from app.run(ssl_context="adhoc") to app.run(host="0.0.0.0", port=5000, ssl_context="adhoc"). Binding to 0.0.0.0 makes the web application listen on all IP addresses of the hosting system (the port is passed as an integer, as Flask expects).

Running the Web Application

  1. Create and use a virtual environment using the following commands:
  • python3 -m venv venv
  • source venv/bin/activate
  2. Install requirements using the following commands:
  • pip3 install Flask
  • pip3 install pyOpenSSL
  • pip3 install requests_oauthlib
  3. Run the web application using python3 webapp.py

  4. Using a web browser on a different system, such as ubuntu-lan or ubuntu-wan, navigating to "https://AWS_INSTANCE_PUBLIC_DNS:5000" (filling in the AWS public DNS name accordingly) will redirect to GitHub, prompt for a login, and then display the JSON content of the user's GitHub profile.

Reflection

In this lab I learned about OAuth web applications and how they can be used. This lab used a GitHub OAuth app and a Flask web app to demonstrate how OAuth can be used to authorize systems for designated access to applications. I also learned about some of the insecurities of using this method, such as the fact that cleartext passwords are transferred over the network and can be easily captured.