log analysis – What is SAFE-MDx Authorization Client, and what does it do?

I found client.log in my EFI system partition, and this is what it contains:


SAFE-MDx Authorization Client
Copyright (C) 2009-2020 Dell Inc., All Rights Reserved.
SafeAuthClient.exe version: 2.3.7
-CSL Library version: 1.020
-COSPA Runtime Library version: 2.4

Fetch local data
    Socket Buffer Size: 32768 bytes
    Local Data Length : 2944 bytes
..............................................................Success

Connect to server...
    Server Name/IP: 192.168.0.202
..............................................................Success

Apply for Authorization
..............................................................Success

Send data glob
..............................................................Success

Receive Authorization
..............................................................Success

Save the Authorization
..............................................................Success

x:\tools\safeauthclient.exe SUCCESS

I tried searching for the executable name and the self-reported program name, but even with “verbatim” searches, there don’t seem to be any relevant results. The timestamp on the file points to a pre-delivery date on this machine as far as I can tell.

azureadapps – Authorization gets failed when making yammer API calls using AAD tokens generated with grant_type=”client_credentials”

I am getting 401 unauthorized issue when trying to make yammer API calls mentioned here. I have created an app from app registrations on Azure portal and provided below permissions
And I have used post method to generate token using below parameters:

Access Token URL: https://login.microsoftonline.com/organizations/oauth2/v2.0/token

Client ID: {App client ID}

Secret: {App client secret}

Scope: https://api.yammer.com/.default

GrantType : client_credentials

Using the above POST request I am able to generate a token, but with this token I am not able to authorize Yammer API calls.

But I am able to authorize yammer API calls and able to get response back successfully when I have generated bearer token with
grant_type=’authorization_code’,

scope=’https://api.yammer.com/user_impersonation’,

redirect_uri=’http://localhost’,

Auth endpoint=’https://login.microsoftonline.com/{tenant ID}/oauth2/v2.0/authorize’,

Client ID: {App client ID},

Secret: {App client secret}
But GrantType: authorization_code always prompts us for user credentials. So, to avoid this, I have used 'client_credentials', but it fails at authorization.

Could anyone help me with how to authorize Yammer API calls using AAD tokens with GrantType: client_credentials, or any other way to make Yammer API calls successfully without prompting for user credentials?

url rewriting – IIS Rewrite shows me Authorization 401 Error

I separate my IIS server into different nodes and my current node doesn’t have an authorization system.
I changed links to another server in the front pages, but browsers started to make warnings about CORS requests. It's cool, sure.
So, I changed the front pages to my server and I made a rewrite on my server for browser requests to my server, but actually, requests go to a different server.

        <rule name="ReverseProxyInboundRule1" stopProcessing="true">
            <match url="myserverauthlinks/(.*)" />
            <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
            <action type="Rewrite" url="https://differentserverauth/{R:1}" logRewrittenUrl="true" />
        </rule>

First of all, I got 503 errors, but I added an SSL certificate to my node system, and I got the next error – 401. When I go to https://differentserverauth – authorization works fine. But on my node, it shows me a login popup again and again with a 401 error.
Each system has the following settings:

   <system.web>
        <compilation debug="true" />
        <authorization>
            <allow users="?" />
        </authorization>
    </system.web>

Could you please give any advice on where should I look? Thanks anyway.

authorization – Is a consent screen in an OAuth 2.0 implementation optional

I’ve read through RFC 6749: https://datatracker.ietf.org/doc/html/rfc6749

The only mention of consent is in this bit:

The authorization server MUST implement CSRF protection for its
authorization endpoint and ensure that a malicious client cannot
obtain authorization without the awareness and explicit consent of
the resource owner.

The above does not (to me anyway) translate to: “Hey show a consent screen with requested scopes before responding with an authorisation”.

I’ve seen so many OAuth 2.0 implementations however where a consent screen is shown.

Question 1: As per the title really – is it actually needed?

Question 2: Is there an RFC that specifies what such a consent screen (if you are to implement one) should look like, including any required messaging and response if the user declines?

authorization – How to mitigate risk of spoofing / Impersonating in OAuth Device flow ( device code flow ) in Azure AD?

I have developed a C# application and hosted it as a Windows service on a machine at http://localhost:5000. This application is registered in Azure Active Directory.

Application is using the below details in-app configuration

"ClientId": "242429ea-xxxx-4ddb-xxxx-xxxxxxxxxxxxx",
"Tenant": "67ss7s7s7s-4e27-beee-yyyyyyyyyyyy",
"Scope": "api://12121212-5600-xxxx-1111-123456789/IoTGateway",

The application receives a token from AAD, which will be used by the user for authenticating (OAuth device flow in Azure AD, sometimes called device code flow).

Question

Currently, all the employees of the company are registered in AD, and frustrated employees who copy the application configuration values can get access by SPOOFING the application. This is a risk. How to mitigate this?

Note: Attacker can shut down this application and run his own spoofed application at the same port 5000.


Is it possible to create a security group and add only users who are supposed to have access to this application?

Example

AD All Users
    User 1
    User 2
    User 3
AD Sec Group 1
    User 1
    User 2

So user 3, even after having the secret, shall have his request rejected by AAD. Is it possible?
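An added example in JavaScript (the editor's, not code from either the Yammer post earlier on this page or the device-code post above): it decodes the payload of an Azure AD access token, classifies it as delegated (a `scp` claim, which is what the authorization_code and device code flows issue) or app-only (a `roles` claim and no `scp`, which is what client_credentials issues), and then applies the kind of audience, expiry and group allow-list check that the IoTGateway API described above could enforce on every incoming token. The tokens, IDs and group object IDs are constructed for the example with a dummy signature; the `groups` claim assumes the optional groups claim is enabled on the app registration; and signature validation against the tenant's signing keys is left out here and must run before any of these checks in production.

```javascript
// Added example (editor's, not from either post): inspect Azure AD access
// token claims. Sample tokens are CONSTRUCTED with a dummy signature; in
// production, verify the signature against the tenant's keys first.
"use strict";

function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, "base64").toString("utf8");
}

function base64UrlEncode(s) {
  return Buffer.from(s, "utf8").toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Decode header and payload of a compact JWS WITHOUT checking the signature.
function decodeJwt(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  return {
    header: JSON.parse(base64UrlDecode(parts[0])),
    payload: JSON.parse(base64UrlDecode(parts[1])),
  };
}

// Azure AD v2.0 access tokens: delegated tokens (authorization_code, device
// code) carry `scp`; app-only tokens (client_credentials) carry `roles` and
// no `scp`. This is the first thing to look at when an API answers 401.
function tokenKind(payload) {
  if (typeof payload.scp === "string") return "delegated";
  if (Array.isArray(payload.roles) || payload.idtyp === "app") return "app-only";
  return "unknown";
}

// Resource-side policy: right audience, not expired, and the caller belongs
// to one of the allowed security groups (optional `groups` claim, object IDs).
function isAllowed(payload, expectedAud, allowedGroups, nowSeconds) {
  if (payload.aud !== expectedAud) return false;
  if (typeof payload.exp !== "number" || payload.exp <= nowSeconds) return false;
  const groups = Array.isArray(payload.groups) ? payload.groups : [];
  return groups.some((g) => allowedGroups.includes(g));
}

// ---- constructed sample data (dummy "sig" signature, made-up IDs) ----
function makeToken(payload) {
  const header = { typ: "JWT", alg: "RS256", kid: "constructed" };
  return `${base64UrlEncode(JSON.stringify(header))}.${base64UrlEncode(JSON.stringify(payload))}.sig`;
}

const NOW = 1700000000;
const API_AUD = "api://12121212-5600-0000-1111-123456789";      // hypothetical IoTGateway app ID URI
const ALLOWED_GROUPS = ["11111111-aaaa-4bbb-8ccc-000000000001"]; // "AD Sec Group 1", made up

const APP_ONLY_TOKEN = makeToken({
  aud: "https://api.yammer.com", exp: NOW + 3600,
  roles: ["access_as_app"], idtyp: "app",
});
const USER1_TOKEN = makeToken({
  aud: API_AUD, exp: NOW + 3600, scp: "IoTGateway",
  preferred_username: "user1@example.com", groups: ALLOWED_GROUPS,
});
const USER3_TOKEN = makeToken({
  aud: API_AUD, exp: NOW + 3600, scp: "IoTGateway",
  preferred_username: "user3@example.com", groups: ["22222222-bbbb-4ccc-8ddd-000000000002"],
});

// Classify a token and decide whether the IoTGateway API should accept it.
function checkToken(token) {
  const { payload } = decodeJwt(token);
  return { kind: tokenKind(payload), allowed: isAllowed(payload, API_AUD, ALLOWED_GROUPS, NOW) };
}

console.log("app-only:", checkToken(APP_ONLY_TOKEN)); // kind "app-only", allowed false
console.log("user1:", checkToken(USER1_TOKEN));       // kind "delegated", allowed true
console.log("user3:", checkToken(USER3_TOKEN));       // kind "delegated", allowed false
```

The group check runs on the resource side, so copying the client configuration does not help user 3: the spoofed client can still obtain a token for that user, but the token's `groups` claim is set by AAD, not by the client, and the API rejects it.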

magento2 – Partially void PayPal authorization

Customer orders items A, B and C (authorization payment with PayPal). Partial capture has been completed on items A and B. Can the remaining authorization for item C be voided, or will this void the entire transaction?

Only way I can see around it is to capture payment for item C and then create a credit memo for this item.

Should biometric authentication grant authorization to the previously logged in user in an Android app?

I want my users to be able to use biometrics for easier access, but I’m not sure if it’s a standard practice (having in mind the security of it). I’m thinking of a situation where user A logged in on user’s B device and later user B would use biometrics on xir own device to gain access to user A’s, previously logged in, account.

I have no idea if it’s common practice to ignore that situation or not.

javascript – Function to build authorization header for an OAuth1 request

I have a function that builds the Authorization header for an OAuth1 request. It works as expected but I think it can be heavily improved, although not sure what would be the best approach to tidy this up.

I want to clean the oAuthV1Request function as it feels very messy and using a lot of duplicate code:

import qs from "querystring";
import authorization from "./authorization/authorization";
import { percentEncode } from "./authorization/helpers";
import { AuthorizationOptions } from "./types";

function buildBody(
  bodyParams: Record<string, string | number | boolean>
): string {
  return qs.stringify(bodyParams, "&", "=", {
    encodeURIComponent: percentEncode,
  });
}

export default function oAuthV1Request(options: AuthorizationOptions): {
  method: "GET" | "PUT" | "POST" | "DELETE";
  baseURL: string;
  params: Record<string, string>;
  data: string;
  headers: {
    Authorization: string;
    "Content-Type": "application/x-www-form-urlencoded";
    "Content-Length": number;
  };
};
export default function oAuthV1Request(
  options: Omit<AuthorizationOptions, "data">
): {
  method: "GET" | "PUT" | "POST" | "DELETE";
  baseURL: string;
  params: Record<string, string>;
  headers: {
    Authorization: string;
  };
};
export default function oAuthV1Request(
  options: Omit<AuthorizationOptions, "params">
): {
  method: "GET" | "PUT" | "POST" | "DELETE";
  baseURL: string;
  data: string;
  headers: {
    Authorization: string;
    "Content-Type": "application/x-www-form-urlencoded";
    "Content-Length": number;
  };
};
export default function oAuthV1Request(
  options: Omit<AuthorizationOptions, "params" | "data">
): {
  method: "GET" | "PUT" | "POST" | "DELETE";
  baseURL: string;
  headers: {
    Authorization: string;
  };
};
export default function oAuthV1Request(options: AuthorizationOptions):
  | {
      method: "GET" | "PUT" | "POST" | "DELETE";
      baseURL: string;
      params: Record<string, string>;
      headers: {
        Authorization: string;
      };
    }
  | {
      method: "GET" | "PUT" | "POST" | "DELETE";
      baseURL: string;
      data: string;
      headers: {
        Authorization: string;
        "Content-Type": "application/x-www-form-urlencoded";
        "Content-Length": number;
      };
    }
  | {
      method: "GET" | "PUT" | "POST" | "DELETE";
      baseURL: string;
      headers: {
        Authorization: string;
      };
    }
  | {
      method: "GET" | "PUT" | "POST" | "DELETE";
      baseURL: string;
      params: Record<string, string>;
      data: string;
      headers: {
        Authorization: string;
        "Content-Type": "application/x-www-form-urlencoded";
        "Content-Length": number;
      };
    } {
  if (options.params && options.data) {
    const data = buildBody(options.data || {});
    return {
      baseURL: options.baseURL,
      method: options.method,
      params: options.params,
      data,
      headers: {
        "Content-Type": "application/x-www-form-urlencoded",
        "Content-Length": Buffer.byteLength(data),
        Authorization: authorization(options),
      },
    };
  }

  if (options.data) {
    const data = buildBody(options.data || {});
    return {
      baseURL: options.baseURL,
      method: options.method,
      data,
      headers: {
        "Content-Type": "application/x-www-form-urlencoded",
        "Content-Length": Buffer.byteLength(data),
        Authorization: authorization(options),
      },
    };
  }

  if (options.params) {
    return {
      baseURL: options.baseURL,
      method: options.method,
      params: options.params,
      headers: {
        Authorization: authorization(options),
      },
    };
  }

  return {
    baseURL: options.baseURL,
    method: options.method,
    headers: {
      Authorization: authorization(options),
    },
  };
}

Also, any feedback in general regarding any kind of improvement or code smell would be great.

Repo with all the code in case more context is useful.

What is causing error “403 FORBIDDEN (Access not allowed even with authorization)” for new domain on Domino server?

With Domino 9 server, a new Virtual Hostname doc has been added to the Domino Directory for domain xxxxx.app. It is configured with default values, and there are several other web sites hosted on the server with the same configuration. SSL is running on one of the domains, but all the rest are HTTP.

However, the site is not accessible via the browser giving the error message:

403 FORBIDDEN (Access not allowed even with authorization)

The only difference between this site and the others is that it has an .app high level domain name, and it was added to the Directory after the SSL key had been installed for a different domain name.

What may be causing forbidden access even with authorization?