From emails I receive it seems like there is a bit of confusion about what the terms 2-legged OAuth and 3-legged OAuth mean. I hope I can clear up this confusion with this article (and don’t contribute more to the confusion…).
In short, they describe two different usage scenarios of OAuth, involving two and three parties respectively.
3-legged OAuth describes the scenario for which OAuth was originally developed: a resource owner wants to give a client access to a server without sharing his credentials (i.e. username/password). A typical example is a user (resource owner) who wants to give a third-party application (client) access to his Twitter account (server).
On a conceptual level it works in the following way:
1. Client has signed up to the server and got his client credentials (also known as “consumer key and secret”) ahead of time
2. User wants to give the client access to his protected resources on the server
3. Client retrieves the temporary credentials (also known as “request token”) from the server
4. Client redirects the resource owner to the server
5. Resource owner grants the client access to his protected resources on the server
6. Server redirects the user back to the client
7. Client uses the temporary credentials to retrieve the token credentials (also known as “access token”) from the server
8. Client uses the token credentials to access the protected resources on the server
2-legged OAuth, on the other hand, describes a typical client-server scenario, without any user involvement. An example of such a scenario could be a local Twitter client application accessing your Twitter account.
On a conceptual level 2-legged OAuth simply consists of the first and last steps of 3-legged OAuth:
1. Client has signed up to the server and got his client credentials (also known as “consumer key and secret”)
2. Client uses his client credentials (and empty token credentials) to access the protected resources on the server
Above I used Twitter as an example, though strictly speaking, they don’t use 2-legged OAuth, but a variant of it. They not only provide the client credentials but also the token credentials (see also Using one access token with OAuth).
As you have seen, 2-legged OAuth is nothing new; it is simply using OAuth in a different scenario than it was designed for. And hence you can use (almost?) all existing OAuth libraries for 2-legged OAuth, too.
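The difference between the two scenarios shows up directly in how an OAuth 1.0 request is signed. The following is an added example, not code from the original article: it computes the HMAC-SHA1 signature for the same request once with token credentials (3-legged) and once with empty token credentials (2-legged). The URL, keys, nonce and timestamp are the published sample values from the appendix of the OAuth Core 1.0 specification; the function names are illustrative.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

def enc(value):
    # OAuth 1.0 percent-encoding: only unreserved characters stay literal
    return quote(str(value), safe="-._~")

def base_string(method, url, params):
    # Sort the encoded parameters, join them, then encode the joined string again
    pairs = sorted((enc(k), enc(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), enc(url), enc(normalized)])

def sign(method, url, params, client_secret, token_secret=""):
    # The key is always "<client secret>&<token secret>"; with empty token
    # credentials the part after "&" is simply empty.
    key = f"{enc(client_secret)}&{enc(token_secret)}"
    mac = hmac.new(key.encode(), base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

URL = "http://photos.example.net/photos"
CLIENT_KEY, CLIENT_SECRET = "dpf43f3p2l4k3l03", "kd94hf93k423kf44"
TOKEN, TOKEN_SECRET = "nnch734d00sl2jdk", "pfkkdhi9sl3r4s00"

def request_params(token=None):
    params = {"file": "vacation.jpg", "size": "original",
              "oauth_consumer_key": CLIENT_KEY,
              "oauth_nonce": "kllo9940pd9333jh",
              "oauth_signature_method": "HMAC-SHA1",
              "oauth_timestamp": "1191242096",
              "oauth_version": "1.0"}
    if token is not None:  # 3-legged: the request names the token credentials
        params["oauth_token"] = token
    return params

def three_legged_signature():
    return sign("GET", URL, request_params(TOKEN), CLIENT_SECRET, TOKEN_SECRET)

def two_legged_signature():
    # 2-legged: no oauth_token parameter and an empty token secret
    return sign("GET", URL, request_params(), CLIENT_SECRET)
```

In the 2-legged case the client secret is the only secret protecting the request, so it has to be stored and rotated like any other long-lived service credential.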
Google OpenID Authentication In Your ASP.NET With DotNetOpenAuth

To secure websites, we usually create a user database and develop a login page to authenticate the user. If you have several websites, creating a separate user login for each site is time-consuming and unfriendly to your users, because they have to log in to each site separately. OpenID was developed to solve such authentication hassles. It is an open standard that enables developers to authenticate their users in a decentralized manner. For end users, OpenID allows them to consolidate their digital identities. Major web services that support OpenID are Google, Yahoo and Facebook. If you use OpenID with your website, you allow users to log in to your site using their Google, Yahoo or Facebook accounts. The authentication is hosted by the OpenID provider, so there is no need to maintain the user details on your side except the Identifier returned by the provider.

In this article, I will show you ASP.NET sample code I made that uses OpenID authentication to verify a Google Account. To accomplish the authentication, I used the C# library called DotNetOpenAuth. Here is the step-by-step procedure to implement it in your ASP.NET application.
1. Download the DotNetOpenAuth libraries. Choose the most appropriate version for your development platform.
2. Extract the downloaded compressed file to your hard drive.
3. In your project, add a reference to “DotNetOpenAuth.dll”.
4. In your login page’s HTML code, paste the following.
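<form id="form1" runat="server">
<div id="NotLoggedIn" runat="server">
Log in with <asp:Button runat="server" Text="Google" OnCommand="OpenLogin_Click" CommandArgument="https://www.google.com/accounts/o8/id" />
<asp:Label ID="lblAlertMsg" runat="server" />
</div>
</form>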
Take note of the URL: https://www.google.com/accounts/o8/id – this is the unique OpenID URL of Google Account.
5. Include the following namespaces in your “using” directives.
using DotNetOpenAuth.OpenId;
using DotNetOpenAuth.OpenId.RelyingParty;
6. In Page_Load and OpenLogin_Click, use the following code.
protected void Page_Load(object sender, EventArgs e)
{
    // GetResponse() returns the provider's answer on the return trip and null on a normal page load
    OpenIdRelyingParty rp = new OpenIdRelyingParty();
    var r = rp.GetResponse();
    if (r != null)
    {
        switch (r.Status)
        {
            case AuthenticationStatus.Authenticated:
                NotLoggedIn.Visible = false;
                // Keep only the identifier returned by the provider
                Session["GoogleIdentifier"] = r.ClaimedIdentifier.ToString();
                Response.Redirect("Main.aspx"); // redirect to main page of your website
                break;
            case AuthenticationStatus.Canceled:
                lblAlertMsg.Text = "Cancelled.";
                break;
            case AuthenticationStatus.Failed:
                lblAlertMsg.Text = "Login Failed.";
                break;
        }
    }
}

protected void OpenLogin_Click(object src, CommandEventArgs e)
{
    // The button's CommandArgument carries the provider's OpenID URL
    string discoveryUri = e.CommandArgument.ToString();
    OpenIdRelyingParty openid = new OpenIdRelyingParty();
    // Realm and return URL are this page's own URL with the query string stripped
    var b = new UriBuilder(Request.Url) { Query = "" };
    var req = openid.CreateRequest(discoveryUri, b.Uri, b.Uri);
    req.RedirectToProvider();
}
7. Run the project. It should look like the following screens.
Single Sign-On Service
I’ve been asked a few times to give sample code on SSO (single sign-on) services.
But because the code is sectioned to the services running within the IP / host, this is the example:
Within your script or software you can redirect pre-approved users to the User Web Application by signing the request with your API key. The remote authorization URL looks like this:
https://yourcompany.com/api/auth?email=user@email.com&timestamp=20110310120000&hash=a94a8fe5cc
Let’s break this URL into parts:
https://yourcompany.com/ – this is your URL
api/auth – this is the remote authorization path
?email= – the e-mail parameter specifies the pre-approved users that will be logged in
&timestamp= – the timestamp parameter is the current date and time in the following format “yyMMddhhmmss”; for example November 22nd, 2011 08:10:00pm would be “110310201000”
&hash= – the e-mail, timestamp and your API key concatenated in this order and then hashed with SHA1
Here’s sample code for ASP.NET in C#:
using System;
using System.Security.Cryptography;
using System.Text;

string apiKey = "myAPIkey-goes-here";
string email = "someuser@somedomain.com";
// HH is the 24-hour clock, matching the example above; .NET's "hh" is the 12-hour clock
string timestamp = DateTime.Now.ToString("yyMMddHHmmss");
// hash = SHA1(email + timestamp + apiKey), as lowercase hex
SHA1Managed sha1 = new SHA1Managed();
byte[] paramBytes = Encoding.UTF8.GetBytes(email + timestamp + apiKey);
byte[] hashBytes = sha1.ComputeHash(paramBytes);
string hash = BitConverter.ToString(hashBytes).Replace("-", "").ToLower();
Response.Redirect(
    string.Format("https://yourcompany.com/api/auth?email={0}&timestamp={1}&hash={2}",
        Uri.EscapeDataString(email), timestamp, hash));
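The receiving side of this scheme has to recompute the hash and decide whether the link is still acceptable. The following is an added example, not code from the original post, showing one way to verify such a URL: it checks the SHA1 hash in constant time, rejects old timestamps and accepts each signed link only once. The five-minute window, the in-memory `seen` set, the function names and the assumption that both sides share the same clock are choices made for this example.

```python
import hashlib
import hmac
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlencode, urlsplit

TS_FORMAT = "%y%m%d%H%M%S"       # the page's yyMMddhhmmss, read as a 24-hour clock
MAX_AGE = timedelta(minutes=5)   # assumed freshness window, not from the page

def page_hash(email, timestamp, api_key):
    # SHA1 over email + timestamp + API key, lowercase hex, as the page describes
    return hashlib.sha1((email + timestamp + api_key).encode("utf-8")).hexdigest()

def build_sso_url(email, timestamp, api_key):
    query = urlencode({"email": email, "timestamp": timestamp,
                       "hash": page_hash(email, timestamp, api_key)})
    return "https://yourcompany.com/api/auth?" + query

def verify_sso_url(url, api_key, now, seen):
    """Return the e-mail to log in, or raise ValueError naming the failed check."""
    params = parse_qs(urlsplit(url).query)
    try:
        (email,), (ts,), (given,) = params["email"], params["timestamp"], params["hash"]
    except (KeyError, ValueError):
        raise ValueError("missing or repeated parameter")
    expected = page_hash(email, ts, api_key)
    # Constant-time comparison, so timing does not reveal how much of the hash matched
    if not hmac.compare_digest(expected.encode(), given.lower().encode()):
        raise ValueError("bad hash")
    try:
        issued = datetime.strptime(ts, TS_FORMAT)
    except ValueError:
        raise ValueError("bad timestamp")
    if abs(now - issued) > MAX_AGE:
        raise ValueError("stale timestamp")
    if (email, ts) in seen:      # each signed link is accepted once
        raise ValueError("replayed")
    seen.add((email, ts))
    return email
```

The API key never travels in the URL, but the signed URL itself works as a login credential until the timestamp ages out, and it ends up in browser history and server logs, which is why the window is short and each (e-mail, timestamp) pair is accepted only once.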
Invisible User Account
Alright want an account that no one can see??? on windows xp **
goto start>run>type regedit
in the menu goto
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
right click and select string value
right click on the new string value and click rename
type the name of the account you want to hide (exactly the way it is spelled)
hit enter, then right click on the string value again and click value, change value to zero which hides it, 1 shows it
now exit the registry and logoff
goto welcome screen and hit ctrl+alt+del twice to bring up old logon prompt
type hidden accounts name and password
enjoy
also hide all of the hidden accounts files
**disclaimer editing the registry can cause serious system damage and failure
i am not responsible if you blow up your bios!!
Happy Hunting
Techno
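From an administrator's side, the same registry key is where to look for accounts that have been hidden from the Welcome screen. The following is an added example, not part of the original post: it parses the text output of `reg query` for the UserList key and reports every entry whose data is zero and that is not in a known baseline. The sample output, the account names and the baseline set are constructed for this example.

```python
import re

KEY_SUFFIX = r"winlogon\specialaccounts\userlist"

# Constructed sample of `reg query` output for the UserList key
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
    HelpAssistant    REG_DWORD    0x0
    svc_backup    REG_SZ    0
    alice    REG_DWORD    0x1
"""

# reg query prints each value as: name, type, data, separated by four spaces
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")

def hidden_accounts(reg_query_text, expected=frozenset()):
    """Return (account, type, data) for UserList entries set to zero,
    skipping accounts listed (lowercase) in the `expected` baseline."""
    findings, in_key = [], False
    for line in reg_query_text.splitlines():
        if line.startswith("HKEY_"):
            # Only values listed under the UserList key are of interest
            in_key = line.strip().lower().endswith(KEY_SUFFIX)
            continue
        match = VALUE_LINE.match(line)
        if not (in_key and match):
            continue
        data = match["data"].strip()
        try:
            value = int(data, 0)   # accepts "0x0" (DWORD) and "0" (string value)
        except ValueError:
            continue
        if value == 0 and match["name"].lower() not in expected:
            findings.append((match["name"], match["type"], data))
    return findings

def audit_sample():
    # Baseline of accounts the administrator already knows about (assumed here)
    return hidden_accounts(SAMPLE, expected={"helpassistant"})
```

The entry type is reported as well, because a string value created by hand as in the steps above stands out next to the DWORD values other entries use.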
User Accounts and Privileges
Okay so we all know admin is the big cheese of the computer well guess what you are
wrong SYSTEM is the most powerful and is the top of the food chain 😛
so I am going to teach you how to become SYSTEM even with a limited account!!
so open up run type
*time* refers to current time on system, you want the time to be about two minutes ahead of what it is right now so if time is 3:45 then type 3:47 😉
at *time* /interactive "cmd.exe"
hit enter run whatever
now wait until specified time and the system32 command prompt should pop up
now hit ctrl+alt+del, bring up Task Manager and end the explorer.exe process
after you have ended explorer.exe
on the open cmd prompt type explorer.exe to restart explorer
don’t worry about all your settings disappearing it is because you are on the SYSTEM account !!!! have fun
**note this only works for users with abilities to run the at command
**courtesy of demo Dave at cracked productions check em out 😉
**disclaimer if you mess your PC up doing this then you need help!! 😛