Configure OpenID Connect (OAuth)

If you need to grant NeuraLegion access to authenticated resources that support OpenID Connect (OIDC), configure an authentication object of the OpenID Connect type.

Note

Currently, the Client Credentials and Resource Owner Password grant types of OIDC are supported. The Resource Owner Password grant sends the user's password to the token endpoint and is discouraged by the OAuth 2.0 Security Best Current Practice; prefer the Client Credentials grant where the target supports it, and use a dedicated test account otherwise.

Prerequisites

  • You are an active user in the NeuraLegion App.
  • Your application and authenticated resources are accessible to the NeuraLegion engine, either directly from the Internet or via a Repeater.

Step-by-Step Guide

  1. Go to the NeuraLegion App.
  2. In the left pane, select Authentications.
  3. On the My Authentications page, click + Create Authentication.
  4. In the CREATE & TEST AUTHENTICATION dialog box, complete the fields of the following configuration sections.

Authentication Details

In this block, specify the details of the authentication object you want to create.

  • Authentication name: Enter the authentication object name.
  • Description (Optional): Enter the authentication object description. For example, you can specify the application type or other information that helps you distinguish the created object.
  • Authentication type: From the Authentication type drop-down list, select OpenID Connect (OAuth).

Authentication Setup

In this section, set up a valid authentication request to be sent to the token endpoint of your OpenID Provider. For that, complete the Authentication Setup fields.

  • Discovery document URL: Provide the discovery document URL (https://your_host/.well-known/openid-configuration) to populate the endpoint URLs automatically, or leave this field empty to enter the endpoint URLs manually.
  • Grant type: From the drop-down list, select the grant type you need:
    • Client Credentials Grant
    • Resource Owner Password Grant
    If you select the Resource Owner Password Grant, the Username and Password fields are added to the setup flow.
  • Token Endpoint: Enter the URL of the token endpoint, from which an access and/or ID token is obtained by presenting the authorization grant (or a refresh token). It is populated automatically when a discovery document URL is provided.
  • Client ID: Enter your application client ID, the unique client identifier preregistered with the OpenID Provider.
  • Client Secret: Enter your application client secret, used to authenticate to the Token Endpoint.
  • Username (Resource Owner Password Grant only): Enter the resource owner username.
  • Password (Resource Owner Password Grant only): Enter the resource owner password.
  • Scope (Optional): Enter a space-separated list of scopes.
  • Audience (Optional): Enter the intended recipient of the token.
  • Embed in: Select where to embed the token in the request.
    • If the Default option is selected, the token is embedded according to the OIDC specification, for example in the Authorization header with the Bearer prefix.
    • If you select the Body option, specify the token encoder, content type, exact location in the body, and the token template string.
    • If you select the Header option, specify the token encoder, name of the target header, and the token template string.
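As an added example, not NeuraLegion's own code, the following Python shows what the Authentication Setup fields amount to on the wire: the token endpoint is read from a discovery document, the token request is built for either supported grant type, and the returned access token is embedded the way the Embed in options describe. The discovery document, the idp.example.test host, the {{token}} placeholder and the base64 encoder option are constructed assumptions; the product's own template and encoder syntax may differ.

```python
import base64
import json
import urllib.parse

# Constructed discovery document, shaped like a real
# https://<host>/.well-known/openid-configuration response; idp.example.test is hypothetical.
DISCOVERY_DOC = json.dumps({
    "issuer": "https://idp.example.test",
    "token_endpoint": "https://idp.example.test/oauth2/token",
    "grant_types_supported": ["client_credentials", "password"],
})


def token_endpoint_from_discovery(doc_text):
    """Read token_endpoint from a discovery document. Refuse plain-http endpoints:
    the client secret (and, for the password grant, a user password) travel in this request."""
    url = json.loads(doc_text)["token_endpoint"]
    if urllib.parse.urlsplit(url).scheme != "https":
        raise ValueError("token endpoint must use https: " + url)
    return url


def build_token_request(grant_type, client_id, client_secret, *, username=None,
                        password=None, scope=None, audience=None):
    """Return (headers, form-encoded body) for the token endpoint request.

    grant_type is "client_credentials" or "password" (Resource Owner Password).
    The client secret is sent as HTTP Basic credentials (RFC 6749 section 2.3.1,
    which form-encodes id and secret before base64), not as body parameters."""
    if grant_type == "client_credentials":
        form = {"grant_type": "client_credentials"}
    elif grant_type == "password":
        if not username or not password:
            raise ValueError("Resource Owner Password grant needs username and password")
        form = {"grant_type": "password", "username": username, "password": password}
    else:
        raise ValueError("unsupported grant type: " + grant_type)
    if scope:
        form["scope"] = scope          # space-separated list, passed through as-is
    if audience:
        form["audience"] = audience    # not in RFC 6749, but accepted by many providers
    creds = (urllib.parse.quote(client_id, safe="") + ":"
             + urllib.parse.quote(client_secret, safe=""))
    headers = {
        "Authorization": "Basic " + base64.b64encode(creds.encode()).decode(),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return headers, urllib.parse.urlencode(form)


def parse_token_response(body_text):
    """Extract access_token from a token endpoint reply; fail on error or non-Bearer tokens."""
    doc = json.loads(body_text)
    if "error" in doc:
        raise ValueError("token endpoint error: " + str(doc["error"]))
    if str(doc.get("token_type", "")).lower() != "bearer":
        raise ValueError("unexpected token_type: " + str(doc.get("token_type")))
    return doc["access_token"]


def embed_token(token, request, mode="default", *, header_name=None,
                template="{{token}}", body_path=None, encoder=None):
    """Return a copy of request ({"headers": {...}, "body": {...}}) with the token embedded.

    mode="default": Authorization: Bearer <token> (RFC 6750 bearer token usage).
    mode="header":  header_name is set to the template with {{token}} substituted.
    mode="body":    the JSON field at body_path (list of keys) is set the same way.
    The {{token}} placeholder and the base64 encoder are assumptions standing in
    for the product's template-string and encoder settings."""
    out = {"headers": dict(request.get("headers", {})),
           "body": json.loads(json.dumps(request.get("body", {})))}  # deep copy
    if mode == "default":
        out["headers"]["Authorization"] = "Bearer " + token
        return out
    if encoder == "base64":
        token = base64.b64encode(token.encode()).decode()
    elif encoder not in (None, "none"):
        raise ValueError("unknown encoder: " + str(encoder))
    value = template.replace("{{token}}", token)
    if mode == "header":
        out["headers"][header_name] = value
    elif mode == "body":
        node = out["body"]
        for key in body_path[:-1]:
            node = node.setdefault(key, {})
        node[body_path[-1]] = value
    else:
        raise ValueError("unknown embed mode: " + mode)
    return out
```

Two details are worth carrying into any client you write yourself: the client secret goes in the Basic Authorization header rather than the form body, and a token endpoint reachable only over plain HTTP is refused, since that request carries the secret and, for the password grant, the user's password.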

Valid Authentication Response

In this section, select the options used during application scanning to determine that the authenticated resource has been reached. The options describe how the application responds when the full authentication flow has passed successfully.

  • Detect using response status: Enter the HTTP response status code that indicates authentication success.
  • Detect using header pattern: Enter the header name and the regex pattern for its value that indicate authentication success.
  • Detect using body pattern: Enter the body pattern that indicates authentication success.

Choose patterns that cannot also match an unauthenticated or error response; the same three options are used in the Authentication Triggers section to detect failure, and the two rule sets must not overlap.

Authentication Triggers

In this section, select the options used during application scanning to determine that the authentication flow is no longer valid and the authenticated resources cannot be reached. The options describe how the application responds when the authentication flow fails, for example after a session or access token expires.

  • Detect using response status: Enter the HTTP response status code that indicates authentication failure.
  • Detect using header pattern: Enter the header name and the regex pattern for its value that indicate authentication failure.
  • Detect using body pattern: Enter the body pattern that indicates authentication failure.
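The two rule sets above (Valid Authentication Response and Authentication Triggers) are applied to every response during a scan. The following added example, not code from the original page, classifies responses with the three detection options, flags a configuration in which both rule sets match the same response, and drives a constructed target whose tokens expire after a few requests so that a trigger causes re-authentication. The rules, the constructed responses and the expiring target are assumptions made for the example.

```python
import re

# Detection rules mirroring the three "Detect using ..." options. A rule set
# matches when every rule that is set (not None) matches the response.
# The header and body patterns below are constructed for the example.
VALID_RESPONSE = {
    "status": 200,
    "header": ("Content-Type", r"^application/json"),
    "body": r'"role":\s*"user"',
}
TRIGGERS = {
    "status": 401,
    "header": ("WWW-Authenticate", r"invalid_token|expired"),
    "body": None,
}


def rules_match(rules, response):
    """response is (status, headers, body); header names compare case-insensitively."""
    status, headers, body = response
    if rules.get("status") is not None and status != rules["status"]:
        return False
    if rules.get("header") is not None:
        name, pattern = rules["header"]
        value = next((v for k, v in headers.items() if k.lower() == name.lower()), None)
        if value is None or re.search(pattern, value) is None:
            return False
    if rules.get("body") is not None and re.search(rules["body"], body) is None:
        return False
    return True


def classify(response, valid_rules=VALID_RESPONSE, trigger_rules=TRIGGERS):
    """Return "authenticated", "reauthenticate", "conflicting" or "unknown".
    "conflicting" means both rule sets matched the same response: the
    configuration is ambiguous and the two rule sets must be made disjoint."""
    valid = rules_match(valid_rules, response)
    trigger = rules_match(trigger_rules, response)
    if valid and trigger:
        return "conflicting"
    if trigger:
        return "reauthenticate"
    if valid:
        return "authenticated"
    return "unknown"


def make_expiring_target(ttl_requests):
    """Constructed protected resource: each issued token is honoured for
    ttl_requests calls and then rejected with 401, like a short-lived access token."""
    state = {"token": None, "uses": 0, "issued": 0}

    def authenticate():
        state["issued"] += 1
        state["token"] = "tok%d" % state["issued"]
        state["uses"] = 0
        return state["token"]

    def request(token):
        if token != state["token"] or state["uses"] >= ttl_requests:
            return (401, {"WWW-Authenticate": 'Bearer error="invalid_token", error_description="expired"'}, "")
        state["uses"] += 1
        return (200, {"Content-Type": "application/json; charset=utf-8"}, '{"id": 7, "role": "user"}')

    return authenticate, request


def scan(paths, authenticate, request, max_reauth=3):
    """Drive requests the way a scanner does: on a trigger, re-run the
    authentication flow and retry once; give up after max_reauth re-authentications.
    Returns (authenticated_responses, reauthentications)."""
    token = authenticate()
    ok = reauth = 0
    for _ in paths:
        verdict = classify(request(token))
        if verdict == "reauthenticate":
            reauth += 1
            if reauth > max_reauth:
                raise RuntimeError("re-authenticated too often; check triggers and credentials")
            token = authenticate()
            verdict = classify(request(token))
        if verdict == "authenticated":
            ok += 1
    return ok, reauth
```

A trigger that never fires leaves the rest of the scan running unauthenticated and silently reporting nothing, while a trigger that fires on every response makes the scanner re-authenticate until it gives up; the "conflicting" verdict and the re-authentication cap make both misconfigurations visible instead of silent.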

Valid Session Tester

The preliminary test helps you verify that the authentication object has been configured correctly.

  • Protocol: From the drop-down list, select the HTTPS or WebSockets protocol to be used for authentication.
  • Method: Select the HTTP method of the active tester endpoint (authenticated resource).
  • Validation URL: Enter the URL of the authenticated (protected) resource used to test whether the authentication scenario is configured correctly. The validation URL must be different from the authentication URL: a successful token request by itself proves nothing about access to the protected resource.
  • Header name: Select an additional header to be appended to the request sent to the tester endpoint.
  • Header value: Enter the template of the expected value (interpolation string) created using the String Interpolation Syntax.
  • Body: Enter the HTTP request body to be appended to the request sent to the tester endpoint, for example: {"user": "foo", "pass": "bar"}. You can interpolate the body using the String Interpolation Syntax.
  • Maximum number of redirects to follow: Enter the maximum number of redirections that Nexploit should follow during the authentication process.
    Pro Tip: Select the Change redirected method to GET checkbox for 302 redirects when the server expects the redirected request to always be a GET rather than the original method that triggered the redirect.
  • Repeater: If you use a local Repeater to reach the scan target, select it from the drop-down list to connect it to the scan.
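An added example, not the product's own code, of the redirect options above: a validation request is sent to a constructed in-memory target and redirects are followed up to the configured maximum, switching a 302 to GET only when the corresponding option is set, preserving the method and body on 307, and refusing to carry the authenticated request to another host. The routes and paths are hypothetical.

```python
import urllib.parse

REDIRECT_STATUSES = (301, 302, 303, 307, 308)

# Constructed in-memory target: (method, path) -> (status, headers, body).
# All paths are hypothetical.
ROUTES = {
    ("POST", "/api/me"): (302, {"Location": "/api/v2/me"}, ""),
    ("GET", "/api/v2/me"): (200, {"Content-Type": "application/json"}, '{"id": 7}'),
    ("POST", "/api/v2/me"): (405, {"Allow": "GET"}, ""),
    ("POST", "/upload"): (307, {"Location": "/upload2"}, ""),
    ("POST", "/upload2"): (201, {}, "stored"),
    ("GET", "/loop"): (302, {"Location": "/loop"}, ""),
    ("GET", "/away"): (302, {"Location": "https://other.example.test/"}, ""),
}


def fake_send(method, path, body):
    """Stand-in for the HTTP client; returns the canned response for a route."""
    return ROUTES.get((method, path), (404, {}, "not found"))


def send_with_redirects(send, method, path, body, *, max_redirects,
                        change_redirected_method_to_get):
    """Send a request and follow up to max_redirects hops.

    302: keep the method unless change_redirected_method_to_get is set (then GET, no body).
    303: always GET without a body.  301/307/308: keep the method and body.
    An absolute Location pointing at another host is refused, so the
    authenticated request (and its token) never leaves the target.
    Returns (final_response, hops), hops being the (method, path) pairs sent."""
    hops = []
    for _ in range(max_redirects + 1):
        hops.append((method, path))
        status, headers, resp_body = send(method, path, body)
        if status not in REDIRECT_STATUSES:
            return (status, headers, resp_body), hops
        location = headers.get("Location")
        if not location:
            raise ValueError("%d response without a Location header" % status)
        if urllib.parse.urlsplit(location).netloc:
            raise ValueError("refusing to follow cross-origin redirect with credentials: " + location)
        if status == 303 or (status == 302 and change_redirected_method_to_get):
            method, body = "GET", ""
        path = urllib.parse.urljoin(path, location)
    raise RuntimeError("more than %d redirects; possible redirect loop" % max_redirects)
```

The POST-to-/api/me route shows why the checkbox exists: without it the tester re-sends the POST to the redirect target and receives a 405, which a status-based Valid Authentication Response rule would report as a failed test even though the credentials were fine.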

Once you have completed the Valid Session Tester fields, click Test Authentication.

  • A valid authentication object returns three success messages, shown in the corresponding Test Results sections:
    • Test Authentication Triggers
    • Authentication call
    • Access Protected Resource
    In this case, you can save the configured object and add it to your scans.
  • If the test results include a failure message, go back to the object configuration and verify its correctness. Use the test request/response data to locate the specific failure and fix it.
