Susan Harkins (332) [Avatar] Offline
#1
Please list errors found in the published version of OAuth 2 in Action here. We'll publish a comprehensive list if necessary for everyone's convenience. Thank you!

Susan Harkins
Errata Editor
Manning Publications
Alan (8) [Avatar] Offline
#2
3.2.2 on p.50
res.render('index', {access_token: body.access_token});
throws
ReferenceError: scope is not defined
Fix is to add scope: scope to the map:

res.render('index', {access_token: body.access_token, scope: scope});

Alan (8) [Avatar] Offline
#3
3.4 p. 54: Says trying the unedited ch-3-ex-2 client.js fetch of a resource before acquiring an access_token will display Figure 3.7 showing the 401 Error. In fact, it displays nothing because there's no code to implement this at client.js line 136. Add these lines to make it work:
        console.log("resource status error code " + resource.statusCode);
        res.render('error', {error: 'Unable to fetch resource. Status ' + resource.statusCode})
shetc (29) [Avatar] Offline
#4
Pg 81, Para 3 -- "...the user clicked the Approve or the."
shetc (29) [Avatar] Offline
#5
Chapter 5:
$ node authorizationServer.js
/tmp/oauth-in-action-code-master/exercises/ch-5-ex-2/authorizationServer.js:193
nosql.remove(function(found) { return (found == token); function(){}});
^
SyntaxError: Unexpected token (
at createScript (vm.js:53:10)
at Object.runInThisContext (vm.js:95:10)
at Module._compile (module.js:543:28)
at Object.Module._extensions..js (module.js:580:10)
at Module.load (module.js:488:32)
at tryModuleLoad (module.js:447:12)
at Function.Module._load (module.js:439:3)
at Module.runMain (module.js:605:10)
at run (bootstrap_node.js:423:7)
at startup (bootstrap_node.js:147:9)

node -v
v7.8.0
419523 (1) [Avatar] Offline
#6
p.67 (4.3.1): newer versions of node (I am running 7.8) require an explicit end() when sending the error response, e.g.

res.status(403).end();

instead of
res.status(403);

This applies to the three snippets (get/post/delete).
Alan (8) [Avatar] Offline
#7
Section 4.3.1 p. 66: Example code in book doesn't match delivered code. app.post returns
res.status(201) 
in the book and nothing in the sample code. app.delete returns
res.status(204).end()
in the book and
res.status(201).end()
in the code. Completed code matches the book.

As such, running protectedResource.js without any edits causes the client to fail to return a Success status for the Post a word and Delete a word actions and hangs after the first try.

So in this case the book is correct and the delivered code is wrong.
Alan (8) [Avatar] Offline
#8
Section 6.1.1 p. 96 at the bottom shows:
nosql.insert({ access_token: access_token, client_id: clientId, scope: rscope });
but clientId is undefined and throws ReferenceError: clientId is not defined. Correct code uses client.client_id:
nosql.insert({ access_token: access_token, client_id: client.client_id, scope: rscope });
Alan (8) [Avatar] Offline
#9
Section 7.3 page 126 strike text: ch-7-ex-0,

The example code is in ch-7-ex-1 which is cited in the next sentence.
Alan (8) [Avatar] Offline
#10
Section 7.3 page 126: "Finally, we need to plug the dynamic registration...."

Example of adding the ajax code at the bottom of the page sets no context as to where it goes and is also missing window.onload = function() {.
Had to do a diff to find out what was different.
diff  native-client/www/index.html completed/index.html native-client/www/index.html

to see that what's actually added just after var protectedResource... is
      window.onload = function() {

        if (!client.client_id) {
          $.ajax({
              url: authServer.registrationEndpoint,
              type: 'POST',
              data: client,
              crossDomain: true,
              dataType: 'json'
            }).done(function(data) {
              client.client_id = data.client_id;
              client.client_secret = data.client_secret;
            }).fail(function() {
              $('.oauth-protected-resource').text('Error while fetching registration endpoint');
            });
        }
      }
Alan (8) [Avatar] Offline
#11
Section 8.3, page 152 states, "At this point, every time you try to hit the endpoint with the browser using HTTP (not over TLS), you would notice an internal 307 redirect made from the browser.... Our test environment doesn't use TLS at all, so this header effectively makes our resource completely inaccessible."

The problem is that the expected failure does not appear to happen even though the hsts header is returned to the client.js and there is no 307 redirect happening.

ch-8-ex-3$ curl -v -H 'Authorization: Bearer mkds6VrEu2KFtLEM0KtUAcPmS8gSDx1m' http://localhost:9002/helloWorld?language=en
*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 9002 (#0)
> GET /helloWorld?language=en HTTP/1.1
> Host: localhost:9002
> User-Agent: curl/7.43.0
> Accept: */*
> Authorization: Bearer mkds6VrEu2KFtLEM0KtUAcPmS8gSDx1m
> 
< HTTP/1.1 200 OK
< X-Powered-By: Express
< Access-Control-Allow-Origin: *
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Strict-Transport-Security: max-age=31536000
< Content-Type: application/json; charset=utf-8
< Content-Length: 33
< ETag: W/"21-hCplPWa89VD+OLTVXZ7gO78UxSg"
< Date: Mon, 01 May 2017 17:37:13 GMT
< Connection: keep-alive
< 
{
    "greeting": "Hello World"
* Connection #0 to host localhost left intact
}ch-8-ex-3$ 
Alan (8) [Avatar] Offline
#12
Section 10.4.1 p. 178:

Boldface highlighting of only one line of the code sample when in fact the entire piece is new code to add (and therefore no context is shown).

Also, even when the PKCE changes are correctly implemented, the protectedResource.js returns a 401 error.
109178 (1) [Avatar] Offline
#13
Page 29:
“Because OAuth governs access to APIs, which in turn gates access to your important data, it’s crucial that you do use it in a safe way by avoiding antipatterns and using best practices.”

Excerpt From: Justin Richer, Antonio Sanso. “OAuth 2 in Action.” iBooks.
The word gates should be something like grants.
Justin Richer (50) [Avatar] Offline
#14
shetc wrote:Chapter 5:
$ node authorizationServer.js
/tmp/oauth-in-action-code-master/exercises/ch-5-ex-2/authorizationServer.js:193
nosql.remove(function(found) { return (found == token); function(){}});
^
SyntaxError: Unexpected token (
at createScript (vm.js:53:10)
at Object.runInThisContext (vm.js:95:10)
at Module._compile (module.js:543:28)
at Object.Module._extensions..js (module.js:580:10)
at Module.load (module.js:488:32)
at tryModuleLoad (module.js:447:12)
at Function.Module._load (module.js:439:3)
at Module.runMain (module.js:605:10)
at run (bootstrap_node.js:423:7)
at startup (bootstrap_node.js:147:9)

node -v
v7.8.0


This code is correct in the book and in the exercise. I believe you've missed a closing bracket in your implementation.
Justin Richer (50) [Avatar] Offline
#15
109178 wrote:Page 29:
“Because OAuth governs access to APIs, which in turn gates access to your important data, it’s crucial that you do use it in a safe way by avoiding antipatterns and using best practices.”

Excerpt From: Justin Richer, Antonio Sanso. “OAuth 2 in Action.” iBooks.
The word gates should be something like grants.


The word choice here is intentional and correct. We mean "gates" as in "to control as with a gate", which is what the OAuth protocol is doing.
Justin Richer (50) [Avatar] Offline
#16
Alan wrote:Section 8.3, page 152 states, "At this point, every time you try to hit the endpoint with the browser using HTTP (not over TLS), you would notice an internal 307 redirect made from the browser.... Our test environment doesn't use TLS at all, so this header effectively makes our resource completely inaccessible."

The problem is that the expected failure does not appear to happen even though the hsts header is returned to the client.js and there is no 307 redirect happening.

ch-8-ex-3$ curl -v -H 'Authorization: Bearer mkds6VrEu2KFtLEM0KtUAcPmS8gSDx1m' http://localhost:9002/helloWorld?language=en
*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 9002 (#0)
> GET /helloWorld?language=en HTTP/1.1
> Host: localhost:9002
> User-Agent: curl/7.43.0
> Accept: */*
> Authorization: Bearer mkds6VrEu2KFtLEM0KtUAcPmS8gSDx1m
> 
< HTTP/1.1 200 OK
< X-Powered-By: Express
< Access-Control-Allow-Origin: *
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Strict-Transport-Security: max-age=31536000
< Content-Type: application/json; charset=utf-8
< Content-Length: 33
< ETag: W/"21-hCplPWa89VD+OLTVXZ7gO78UxSg"
< Date: Mon, 01 May 2017 17:37:13 GMT
< Connection: keep-alive
< 
{
    "greeting": "Hello World"
* Connection #0 to host localhost left intact
}ch-8-ex-3$ 


Which browser are you testing with? It's possible that it doesn't support the HSTS header functionality or has some catch for localhost. We've seen Internet Explorer do weird things, in particular.
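To show what is going on behind the curl exchange above, here is an added example (my code, not the book's or the exercise code) of how a user agent following RFC 6797 handles Strict-Transport-Security: the header is only noted when it arrives over HTTPS, and only a noted host triggers the internal upgrade to https://, so a plain-HTTP test server can never register itself, and curl does not implement HSTS at all. Hostnames and timestamps are constructed.

```javascript
// Added example: RFC 6797 processing of Strict-Transport-Security by a user agent.
// Not code from the book; hostnames and timestamps used with it are constructed.

// Parse an STS header value into { maxAge, includeSubDomains }, or null if invalid.
function parseHsts(headerValue) {
  const directives = Object.create(null);
  for (const part of headerValue.split(';')) {
    const [rawName, rawValue] = part.split('=');
    const name = rawName.trim().toLowerCase();
    if (!name) continue;
    if (name in directives) return null;                  // duplicate directive: invalid
    directives[name] = rawValue === undefined ? true : rawValue.trim().replace(/^"|"$/g, '');
  }
  const maxAge = Number(directives['max-age']);
  if (!Number.isInteger(maxAge) || maxAge < 0) return null;   // max-age is required
  return { maxAge, includeSubDomains: 'includesubdomains' in directives };
}

// Record an HSTS host. RFC 6797 s8.1: the header is ignored unless it arrived over TLS,
// so a server listening on plain http:// (like the exercise) cannot register itself.
// knownHosts: Map of hostname -> { expires: ms since epoch, includeSubDomains }
function noteHstsHost(knownHosts, responseUrl, headers, now = Date.now()) {
  const url = new URL(responseUrl);
  if (url.protocol !== 'https:') return false;
  const value = headers['strict-transport-security'];
  const policy = value ? parseHsts(value) : null;
  if (!policy) return false;
  if (policy.maxAge === 0) { knownHosts.delete(url.hostname); return true; }  // max-age=0 clears
  knownHosts.set(url.hostname, {
    expires: now + policy.maxAge * 1000,
    includeSubDomains: policy.includeSubDomains,
  });
  return true;
}

// Would the UA rewrite this http:// request to https:// (the "internal 307")?
// Walks the host and its parent domains, honouring includeSubDomains (RFC 6797 s8.2, s8.3).
function shouldUpgrade(knownHosts, requestUrl, now = Date.now()) {
  const url = new URL(requestUrl);
  if (url.protocol !== 'http:') return false;
  const labels = url.hostname.split('.');
  for (let i = 0; i < labels.length; i++) {
    const entry = knownHosts.get(labels.slice(i).join('.'));
    if (!entry || entry.expires <= now) continue;         // unknown or expired
    if (i === 0 || entry.includeSubDomains) return true;
  }
  return false;
}
```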
Susan Harkins (332) [Avatar] Offline
#17
thomie (10) [Avatar] Offline
#18
livebook 7.4.1:

An excerpt of the request originated by your OAuth client while performing the OAuth integration might look like
https://oauthprovider.com/authorize?response_type=code&client_id=CLIENT_ID&scope=SCOPES&state=STATE&redirect_uri=https://yourouauthclient.com/


Should be:

redirect_uri=https://yourouauthclient.com/oauth/oauthprovider/callback
thomie (10) [Avatar] Offline
#19
livebook 9.2

In our code base, this is done in the next line:3
if (code.authorizationEndpointRequest.client_id == clientId) {


Should be:
In our code base, this is done in the next line:
if (code.request.client_id == clientId) {


To match Listing 9. Token endpoint (5-1).
thomie (10) [Avatar] Offline
#20
livebook 9.4

Nevertheless, the attacker hijacked the authorization code though a maliciously crafted URI.


Correction: through
thomie (10) [Avatar] Offline
#21
livebook Figure 9.4

Protected resource returns vitcim's resource to attacker's client


Correction: victim
thomie (10) [Avatar] Offline
#22
livebook 10.2

Incomplete sentence:

A token might contain sensitive information about the system and the attacker is then [in possession of] something that they couldn’t know otherwise.
thomie (10) [Avatar] Offline
#23
livebook 13.5.3

/.well-know/webfinger
should be
/.well-known/webfinger
thomie (10) [Avatar] Offline
#24
livebook 14.1.2, bullet 3

uma_-protection


should be:

uma_protection
thomie (10) [Avatar] Offline
#25
livebook 14.1.2, bullet 7

the types of APIs that UMA can be used to protect



Should probably be:
the types of APIs that UMA can be used for

or
the types of APIs that UMA can protect
thomie (10) [Avatar] Offline
#26
livebook 14.1.2

below the "DO I NEED A TOKEN TO GET A TOKEN?" text box, list numbers should continue with 11,12 etc, instead of starting over from 1.