#oauth

Remember that? Remember how nice that was?

You just typed/pasted the URL, typed/piped any other content, and then it just prompted you to type your password. Done. That's it.

Now you need to log in with a browser, find some obscure settings page with API keys and generate a key. Paternalism demands that since some people insecurely store their password for automatic reuse, no one can ever API with a password.

Fine-grained permissions for the key? Hope you got it right the first time. You don't mind having a blocking decision point sprung on you, do ya? Of course not, you're a champ. Here's some docs to comb through.

That is, if the service actually offers API keys. If it requires OAuth, then haha, did you really think you can just make a key and use it? you fool, you unwashed barbarian simpleton.

No, first you'll need to file this form to register an App, and that will give you two keys, okay, and then you're going to take those keys, and - no, stop, stop trying to use the keys, imbecile - now you're going to write a tiny little program, nothing much, just spin up a web server and open a browser and make several API calls to handle the OAuth flow.

Okay, got all that? Excellent, now just run that program with the two keys you have, switch back to the browser, approve the authorization, and now you have two more keys, ain't that just great? You can tell it's more secure because the number of keys and manual steps is bigger.

A large-scale phishing-as-a-service operation abuses Microsoft’s device code flow to trick users into authorising attacker-controlled sessions that hand over full mailbox access without stealing passwords. The campaign leverages Kali365 infrastructure to capture OAuth tokens, persist inside accounts, and manipulate inbox rules to hide security alerts.

Source: Arctic Wolf

Ce matin vendredi 19 juillet 2024 les entreprises, compagnies aériennes, banques et des médias sont hors fonctions suite à une mise à jour de CrowdStrike, un antivirus utilisé par Microsoft est à l'origine de la panne.

En 2023

Login with GitHub OAuth API using PHP

GitHub provides a web-based hosting service for version control. It plays an important role in software and web development. Presently GitHub has over 28 million users from around the world. If you want to allow users to log in with their social account, GitHub can be the best option beside the other social networks. GitHub OAuth Loginis a quick and powerful way to integrate user login system in…

https://github.com/CAAPIM/Microgateway/tree/master/get-started/get-further/demo-with-live-api-creator#architecture

As an API owner:

Pass a JWT to the backend Microgateway and microservices with the OAuth information:

to avoid authorization token leak to backend services

to provide a context of client requests

As a microservice developer,

Researchers found that Microsoft’s Copilot Studio can be turned into a weapon for OAuth phishing, letting attackers steal login tokens through fake “Login” buttons hosted on Microsoft’s own domain.

Source: Datadog Security Labs

In August 2025, a major cyberattack targeted Salesloft Drift, a conversational marketing and sales engagement platform integrated with Salesforce and numerous other enterprise systems. Attackers exploited compromised OAuth tokens to gain unauthorised access to hundreds of customer instances, exfiltrating sensitive data such as AWS access keys, passwords, Snowflake tokens, and CRM records. Over 700 organisations were potentially affected, including Cloudflare, Google Workspace, PagerDuty, Palo Alto Networks, Proofpoint, SpyCloud, Tanium, and Zscaler. This incident underscores the risks posed by supply-chain attacks in highly integrated SaaS environments.