3rd Party OAuth

Overview

Most modern applications are leveraging OAuth SaaS products to manage login credentials and security. Depending on the OAuth grant type your application uses, your setup will look different.

Important: Some grant types cannot be automated and are not suitable for CI/CD. These grant types often require human intervention during the flow. Examples of this is when a user is asked to open an app/click a button to verify it is them as they are logging in. These flows are often referred to as “Authorization Code” and “Device Authorization” flows/grants. To run HawkScan with one of these grant types, you must manually get a JWT Token from the service and inject it at run time. View Inject Token for instructions.

The best grant types to automate with scripting are “Client Credential” and “Resource Owner” flows.

Don’t see your 3rd Party Service?

If you are using a 3rd party service we have not listed here, we recommend starting with Injecting a Token from the service for quick setup, then explore creating your own script as needed.

Auth0

Auth0 is a flexible, drop-in solution to add authentication and authorization services to your applications. They provide 4 OAuth grant types. How you set up Authenticated Scanning for HawkScan will depend on which grant type you use.

Client Credential Flow

Used for machine-to-machine communication. This is the best grant type for automation.

Your stackhawk.yml will look like this:

stackhawk.yml

app:
  applicationId: xxXXXXXX-xXXX-xxXX-XXxX-xXXxxXXXXxXX
  env: Test 
  host: ${APP_HOST:http://localhost:3000}
  autoPolicy: true
  autoInputVectors: true
  authentication:
    loggedInIndicator: "HTTP/[0-9]+.[0-9]+\\s+([2-3][0-9][0-9])"
    loggedOutIndicator: "HTTP/[0-9]+.[0-9]+\\s+(4[0-9][0-9])"
    # authn
    oauth:
      parameters:
        tokenEndpoint: https://${YOUR_DOMAIN}/oauth/token
        grantType: client_credentials
        additionalBodyParams:
          audience: ${YOUR_API_IDENTIFIER}
      credentials:
        clientId: ${YOUR_CLIENT_ID} #application credentials
        clientSecret: ${YOUR_CLIENT_SECRET} #application credentials
    # authz
    tokenExtraction:
      type: TOKEN_PATH
      value: access_token
    tokenAuthorization:
      type: HEADER
      value: Authorization
      tokenType: Bearer
    testPath:
      path: /api/private
      success: '.*200.*'
Resource Owner Password Flow

Highly-trusted applications can use the Resource Owner Password Flow, which requests user provided credentials and typically use an interactive form.

Your stackhawk.yml will look like this:

stackhawk.yml

app:
  applicationId: xxXXXXXX-xXXX-xxXX-XXxX-xXXxxXXXXxXX
  env: Test 
  host: ${APP_HOST:http://localhost:3000}
  autoPolicy: true
  autoInputVectors: true
  authentication:
    loggedInIndicator: "HTTP/[0-9]+.[0-9]+\\s+([2-3][0-9][0-9])"
    loggedOutIndicator: "HTTP/[0-9]+.[0-9]+\\s+(4[0-9][0-9])"
    # authn
    oauth:
      parameters:
        tokenEndpoint: https://${YOUR_DOMAIN}/oauth/token
        grantType: password
        additionalBodyParams:
          audience: ${YOUR_API_IDENTIFIER}
      credentials:
        clientId: ${YOUR_CLIENT_ID} #application credentials
        clientSecret: ${YOUR_CLIENT_SECRET} #application credentials
        username: ${USERNAME} #user credentials
        password: ${PASSWORD} #user credentials
    # authz
    tokenExtraction:
      type: TOKEN_PATH
      value: access_token
    tokenAuthorization:
      type: HEADER
      value: Authorization
      tokenType: Bearer
    testPath:
      path: /api/private
      success: '.*200.*'
Authorization Code Flow

This grant type requires users to confirm login credentials by manually clicking a button or giving a code sent to them.

This is not suitable for CI/CD. Running HawkScan locally and Injecting a Token from Auth0 at run time is your best option.

Implicit Flow with Form Post

The Implicit flow was a simplified OAuth flow previously recommended for native apps and JavaScript apps where the access token was returned immediately without an extra authorization code exchange step.

For Auth0 the user authenticates using one of the configured login options and may see a consent page listing the permissions Auth0 will give to the app

If a user is given an additional consent page, this is not suitable for CI/CD. Running HawkScan locally and Injecting a Token from Auth0 at run time is your best option.

Okta

Okta is a leading identity service provider with access management for a variety of use cases. When using Okta as an authentication service, your application would be leveraging one of their 7 grant types.

Client Credential Flow

Used for machine-to-machine communication. This is the best grant type for automation. We have example scripts on how to pull in credentials available for this flow.

Okta Client Credential Script

If you use a script, your stackhawk.yml will look like this:

stackhawk.yml

app:
  applicationId: xxXXXXXX-xXXX-xxXX-XXxX-xXXxxXXXXxXX
  env: Development
  host: ${APP_HOST:http://localhost:9000}
  openApiConf:
    path: "/openapi.json"
  autoPolicy: true
  autoInputVectors: true
  authentication:
    loggedInIndicator: "HTTP.*2[0-9][0-9]\\s*O[kK](\\s*)|HTTP.*3[0-9][0-9].*"
    loggedOutIndicator: "HTTP.*4[0-9][0-9](\\s*)Unauthorized.*" 
    oauth:
      parameters:
        tokenEndpoint: ${baseUrl}/v1/token
        grantType: client_credentials
        scope: ${SCOPE} 
      credentials:
        clientId: ${YOUR_CLIENT_ID} #application credentials
        clientSecret: ${YOUR_CLIENT_SECRET} #application credentials
    # authz
    tokenExtraction:
      type: TOKEN_PATH
      value: access_token
    tokenAuthorization:
      type: HEADER
      value: Authorization
      tokenType: Bearer
    testPath:
      path: /private
      success: '.*200.*'
  replacer:
    rules:
      - matchString: "User-Agent"
        replacement: "StackHawk"
        replaceOnly: false
Resource Owner Password Flow

Highly-trusted applications can use the Resource Owner Password Flow, which requests user provided credentials and typically use an interactive form. We have example scripts on how to pull in credentials available for this flow.

Okta Resource Owner Password Flow Script

If you use a script, your stackhawk.yml will look like this:

stackhawk.yml

app:
  applicationId: xxXXXXXX-xXXX-xxXX-XXxX-xXXxxXXXXxXX
  env: Development
  host: ${APP_HOST:http://localhost:9000}
  openApiConf:
    path: "/openapi.json"
  autoPolicy: true
  autoInputVectors: true
  authentication:
    loggedInIndicator: "HTTP.*2[0-9][0-9]\\s*O[kK](\\s*)|HTTP.*3[0-9][0-9].*"
    loggedOutIndicator: "HTTP.*4[0-9][0-9](\\s*)Unauthorized.*" 
    oauth:
      parameters:
        tokenEndpoint: ${baseUrl}/v1/token
        grantType: password
        scope: ${SCOPE} 
      credentials:
        clientId: ${YOUR_CLIENT_ID} #application credentials
        clientSecret: ${YOUR_CLIENT_SECRET} #application credentials
        username: ${USERNAME} #user credentials
        password: ${PASSWORD} #user credentials
    # authz
    tokenExtraction:
      type: TOKEN_PATH
      value: access_token
    tokenAuthorization:
      type: HEADER
      value: Authorization
      tokenType: Bearer
    testPath:
      path: /private
      success: '.*200.*'
  replacer:
    rules:
      - matchString: "User-Agent"
        replacement: "StackHawk"
        replaceOnly: false
Authorization Code and Authorization Code with PKCE

These grant types require users to confirm login credentials by manually clicking a button or entering a code sent to them.

This is not suitable for CI/CD. Running HawkScan locally and Injecting a Token from Okta at run time is your best option.

Implicit Flow with Form Post

The Implicit flow was a simplified OAuth flow previously recommended for native apps and JavaScript apps where the access token was returned immediately without an extra authorization code exchange step.

For Okta the user authenticates using one of the configured login options and may see a consent page listing the permissions Okta will give to the app

If a user is given an additional consent page, this is not suitable for CI/CD. Running HawkScan locally and Injecting a Token from Okta at run time is your best option.

Interaction Code Flow

The Interaction Code grant type is an OAuth 2.0 and OpenID Connect (OIDC) standard extension that is available in the Identity Engine to manage user interactions. The Interaction Code grant is typically used by native, SPA, and web client apps that want to interact directly with the user

This is not suitable for CI/CD. Running HawkScan locally and Injecting a Token from Okta at run time is your best option.

SAML 2.0 Assertion Flow

The SAML 2.0 Assertion flow is intended for a client app that wants to use an existing trust relationship without a direct user approval step at the authorization server. It enables a client application to obtain an authorization from a valid, signed SAML assertion from the SAML Identity Provider.

This is not suitable for CI/CD. Running HawkScan locally and Injecting a Token from Okta at run time is your best option.

KeyCloak

KeyCloak is a free and open source solution for identity and access management. It is based on standard protocols and provides support for OpenID Connect, OAuth 2.0, and SAML.

Client Credential Flow

Used for machine-to-machine communication. This is the best grant type for automation.

Your stackhawk.yml will look like this:

stackhawk.yml

app:
  applicationId: xxXXXXXX-xXXX-xxXX-XXxX-xXXxxXXXXxXX
  env: Development
  host: ${APP_HOST:http://localhost:9000}
  openApiConf:
    path: "/openapi.json"
  autoPolicy: true
  autoInputVectors: true
  authentication:
    loggedInIndicator: "HTTP.*2[0-9][0-9]\\s*O[kK](\\s*)|HTTP.*3[0-9][0-9].*"
    loggedOutIndicator: "HTTP.*4[0-9][0-9](\\s*)Unauthorized.*"
    # authn
    oauth:
      parameters:
        tokenEndpoint: http://${YOUR_DOMAIN}/auth/realms/${REALM_NAME}/protocol/openid-connect/token
        grantType: client_credentials
      credentials:
        clientId: ${YOUR_CLIENT_ID} #application credentials
        clientSecret: ${YOUR_CLIENT_SECRET} #application credentials
    # authz
    tokenExtraction:
      type: TOKEN_PATH
      value: access_token
    tokenAuthorization:
      type: HEADER
      value: Authorization
      tokenType: Bearer
    testPath:
      path: /private
      success: '.*200.*'
Resource Owner Password Flow

Highly-trusted applications can use the Resource Owner Password Flow, which requests user provided credentials and typically uses an interactive form.

Your stackhawk.yml will look like this:

stackhawk.yml

app:
  applicationId: xxXXXXXX-xXXX-xxXX-XXxX-xXXxxXXXXxXX
  env: Development
  host: ${APP_HOST:http://localhost:9000}
  openApiConf:
    path: "/openapi.json"
  autoPolicy: true
  autoInputVectors: true
  authentication:
    loggedInIndicator: "HTTP.*2[0-9][0-9]\\s*O[kK](\\s*)|HTTP.*3[0-9][0-9].*"
    loggedOutIndicator: "HTTP.*4[0-9][0-9](\\s*)Unauthorized.*"
    # authn
    oauth:
      name: keycloak-client-credentials.js
      parameters:
        tokenEndpoint: http://${YOUR_DOMAIN}/auth/realms/${REALM_NAME}/protocol/openid-connect/token
        grantType: client_credentials
      credentials:
        clientId: ${YOUR_CLIENT_ID} #application credentials
        clientSecret: ${YOUR_CLIENT_SECRET} #application credentials
        username: ${USERNAME} #user credentials
        password: ${PASSWORD} #user credentials
    # authz
    tokenExtraction:
      type: TOKEN_PATH
      value: access_token
    tokenAuthorization:
      type: HEADER
      value: Authorization
      tokenType: Bearer
    testPath:
      path: /private
      success: '.*200.*'
Authorization Code Flow

By default, Keycloak’s Javascript adapter uses Authorization Code Flow. With this flow the Keycloak server returns an authorization code, not an authentication token, to the application. The JavaScript adapter exchanges the code for an access token and a refresh token after the browser is redirected back to the application.

This is not suitable for CI/CD. Running HawkScan locally and Injecting a Token from Keycloak at run time is your best option.

Implicit Flow and Device Authorization Grant

Keycloak also supports the Implicit flow where an access token is sent immediately after successful authentication with Keycloak. A Hybrid flow takes aspects of the default Authorization Code flow combining it with the Implicit flow.

These are not suitable for CI/CD. Running HawkScan locally and Injecting a Token from Keycloak at run time is your best option.

Firebase

Firebase Authentication provides backend services, easy-to-use SDKs, and ready-made UI libraries to authenticate users to your app. It supports authentication using passwords, phone numbers, popular federated identity providers like Google, Facebook and Twitter, and more.

Firebase Authentication integrates tightly with other Firebase services, and it leverages industry standards like OAuth 2.0 and OpenID Connect, so it can be easily integrated with your custom backend.

Email And Password Based Authentication

Authenticate users with their email addresses and passwords. The Firebase Authentication SDK provides methods to create and manage users that use their email addresses and passwords to sign in. Firebase Authentication also handles sending password reset emails.

Token to Cookie Based Session Script

If you use a script, your stackhawk.yml will look like this:

stackhawk.yml

app:
  applicationId: xxXXXXXX-xXXX-xxXX-XXxX-xXXxxXXXXxXX
  env: Development
  host: ${APP_HOST:http://localhost:9000}
  openApiConf:
    path: "/openapi.json"
  autoPolicy: true
  autoInputVectors: true
  authentication:
    loggedInIndicator: "HTTP.*2[0-9][0-9]\\s*O[kK](\\s*)|HTTP.*3[0-9][0-9].*"
    loggedOutIndicator: "HTTP.*4[0-9][0-9](\\s*)Unauthorized.*"
    # authn
    script:
      name: firebase-signInWithPassword-auth.js
      parameters:
        tokenEndpoint: https://identitytoolkit.googleapis.com/v1/accounts:signInWithPassword?
      credentials:
        password: ${FIREBASE_USER_PASSWORD}
        additionalCreds:
          email: ${FIREBASE_USER_EMAIL}
          key: ${YOUR_FIREBASE_API_KEY}
    # authZ
    sessionScript:
      name: firebase-id-token-session.kts
    testPath:
      path: /private
      success: '.*200.*'
hawkAddOn:
    - name: firebase-id-token-session.kts
      language: KOTLIN
      type: authentication
      type: session
      path: scripts
  replacer:
    rules:
      - matchString: "User-Agent"
        replacement: "StackHawk"
        replaceOnly: false
Federated Identity Provider Integration

Authenticate users by integrating with federated identity providers. The Firebase Authentication SDK provides methods that allow users to sign in with their Google, Facebook, Twitter, and GitHub accounts.

This is not suitable for CI/CD. Running HawkScan locally and Injecting a Token from Firebase at run time is your best option.

Phone Number Authentication

Authenticate users by sending SMS messages to their phones.

These are not suitable for CI/CD. Running HawkScan locally and Injecting a Token from Firebase at run time is your best option.

Custom Auth System Integration

Connect your app’s existing sign-in system to the Firebase Authentication SDK and gain access to Firebase Realtime Database and other Firebase services.

These are not suitable for CI/CD. Running HawkScan locally and Injecting a Token from Firebase at run time is your best option.

Anonymous Authentication

Use features that require authentication without requiring users to sign in first by creating temporary anonymous accounts. If the user later chooses to sign up, you can upgrade the anonymous account to a regular account, so the user can continue where they left off.

These are not suitable for CI/CD. Running HawkScan locally and Injecting a Token from Firebase at run time is your best option.