Token-based Authentication (v8.6.0 and up)

OAuth 2.0 Authentication Concept

The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.

Resource Owner Password Credentials Grant

Currently, CxSAST supports the OAuth 2.0 resource owner password credentials grant type. This grant type is intended for cases where the resource owner has a trust relationship with the client; the authorization server takes special care when enabling it and allows it only when other flows are not viable.

The above diagram illustrates the following flow steps:

  1. The resource owner provides the client with its username and password.
  2. The client requests an access token from the authorization server's token endpoint by including the credentials received from the resource owner. When making the request, the client also authenticates itself with the authorization server.
  3. The authorization server authenticates the client and validates the resource owner credentials, and if valid, issues an access token.

The client discards the credentials (username and password) once an access token has been obtained.
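The three steps above, worked through offline as an added example (this is not Checkmarx code, and the token endpoint URL, client id, client secret and scope are placeholders rather than CxSAST's documented values): the client builds the form-encoded token request, authenticates with its own client credentials, parses the authorization server's success or error response, and keeps only the bearer token and its expiry, never the resource owner's password.

```python
"""Worked example (not Checkmarx code): the OAuth 2.0 resource owner password
credentials exchange, built and validated offline against constructed responses."""
import json
import time
from urllib.parse import urlencode, parse_qs

# Assumption: placeholder endpoint; the real path is in "Using the CxSAST (REST) API".
TOKEN_URL = "https://<cx-server>/<token-endpoint>"


class TokenError(Exception):
    """Raised for any non-success token response so a failure is never used as a token."""


def build_token_request(username, password, client_id, client_secret, scope):
    """Steps 1-2: forward the resource owner's credentials to the token endpoint as an
    application/x-www-form-urlencoded POST body (RFC 6749 section 4.3.2) together with
    the client's own credentials, which is how the client authenticates itself."""
    form = {
        "grant_type": "password",
        "username": username,
        "password": password,
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return headers, urlencode(form)


def parse_token_response(status, body, now=None):
    """Step 3: validate the authorization server's answer. Returns the Authorization
    header value and an absolute expiry time; raises TokenError on any error response."""
    now = time.time() if now is None else now
    try:
        data = json.loads(body)
    except ValueError:
        raise TokenError(f"non-JSON response (HTTP {status})")
    if status != 200:
        # RFC 6749 section 5.2 error response, e.g. invalid_grant for bad credentials
        raise TokenError(data.get("error", "unknown_error"))
    token = data.get("access_token")
    if not token or str(data.get("token_type", "")).lower() != "bearer":
        raise TokenError("response is not a bearer token")
    return {"authorization": f"Bearer {token}",
            "expires_at": now + int(data.get("expires_in", 0))}


def is_expired(token_info, now=None, skew=60):
    """Treat the token as expired `skew` seconds early so a request sent just before
    expiry does not fail with 401 mid-flight."""
    now = time.time() if now is None else now
    return now + skew >= token_info["expires_at"]


def obtain_token(send, username, password, client_id, client_secret, scope):
    """Run the whole exchange. `send(url, headers, body)` is injected so this runs
    offline and must return (status, response_body). The plaintext password exists
    only inside this call and is not retained: the "client discards the credentials"
    step is simply not keeping it anywhere."""
    headers, body = build_token_request(username, password, client_id, client_secret, scope)
    status, resp = send(TOKEN_URL, headers, body)
    return parse_token_response(status, resp)


# Constructed sample responses standing in for the authorization server.
SAMPLE_OK = (200, json.dumps({
    "access_token": "eyJ.constructed.example",
    "expires_in": 86400,  # 24 hours, the default validity named in this document
    "token_type": "Bearer",
}))
SAMPLE_BAD_CREDENTIALS = (400, json.dumps({
    "error": "invalid_grant",
    "error_description": "invalid_username_or_password",
}))


def fake_server(url, headers, body):
    """Offline stand-in for the token endpoint: accepts one constructed password."""
    form = parse_qs(body)
    if form.get("grant_type") == ["password"] and form.get("password") == ["correct horse"]:
        return SAMPLE_OK
    return SAMPLE_BAD_CREDENTIALS


if __name__ == "__main__":
    info = obtain_token(fake_server, "alice", "correct horse",
                        "client-id-placeholder", "client-secret-placeholder", "scope-placeholder")
    print(info["authorization"], "expired:", is_expired(info))
```

The `send` callable is the only place that would touch the network; swapping `fake_server` for a real HTTPS POST is the whole change needed to use this against a live server. Note that the error branch maps a wrong password to `invalid_grant`, which is the RFC 6749 error code for rejected resource owner credentials, so callers can distinguish it from client misconfiguration.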

Prerequisites

  • Checkmarx CxSAST (v8.6.0 and above) installed
  • OAuth2 and SSO - If SSO is already configured on the system, the Internet Information Services (IIS) Manager may need some additional configuration:

    1. Go to Start > Search > IIS and open the Internet Information Services (IIS) Manager.
    2. From Sites > Default Web Site > CxRestAPI, select Authentication and enable Anonymous Authentication.
    3. OAuth2 validity is set to 24 hours by default. Confirm that these are the settings; if not, update them accordingly.
    4. Restart the IIS service for the changes to take effect.

  • Configuration Keys – The following default value is provided in the CxComponentConfiguration database table in order to use the CxSAST (REST) API:

IdentityAuthority – If HTTP (rather than HTTPS) is used, or the machine name is not the Checkmarx domain that clients use (for example, behind a load balancer), the IdentityAuthority value should be changed to match the scheme and host that clients actually connect to.
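A small added check for the condition just described (example code, not Checkmarx's): given the IdentityAuthority value read from CxComponentConfiguration and the base URL users and API clients really type, it reports the scheme, host or port differences that would require the key to be changed. The identity path in the sample values is a placeholder, not CxSAST's actual path.

```python
"""Added check (not Checkmarx code): does IdentityAuthority agree with the URL
clients use to reach CxSAST? Reports the mismatches the document says require a
change: HTTP vs HTTPS, and a host that is not the name clients use (e.g. a load
balancer in front of the server)."""
from urllib.parse import urlsplit

_DEFAULT_PORTS = {"http": 80, "https": 443}


def _effective_port(parts):
    """Explicit port if given, otherwise the scheme's default (None if unknown)."""
    return parts.port if parts.port is not None else _DEFAULT_PORTS.get(parts.scheme)


def authority_mismatches(identity_authority, public_base_url):
    """Return human-readable reasons why identity_authority (the value from the
    CxComponentConfiguration table) will not match public_base_url (the scheme and
    host that users and API clients connect to). An empty list means they agree."""
    auth = urlsplit(identity_authority)
    pub = urlsplit(public_base_url)
    reasons = []
    if not auth.hostname or not pub.hostname:
        return ["one of the values is not an absolute URL with a host"]
    if auth.scheme != pub.scheme:
        reasons.append(f"scheme mismatch: IdentityAuthority uses {auth.scheme}, "
                       f"clients use {pub.scheme}")
    if auth.hostname.lower() != pub.hostname.lower():
        reasons.append(f"host mismatch: IdentityAuthority names {auth.hostname}, "
                       f"clients use {pub.hostname}")
    # Only compare ports when the schemes agree; otherwise the scheme finding covers it.
    if auth.scheme == pub.scheme and _effective_port(auth) != _effective_port(pub):
        reasons.append(f"port mismatch: IdentityAuthority uses {_effective_port(auth)}, "
                       f"clients use {_effective_port(pub)}")
    return reasons


if __name__ == "__main__":
    # Constructed values: server installed as CXSERVER01, reached through a load balancer.
    for reason in authority_mismatches("http://CXSERVER01/<identity-path>",
                                       "https://cx.example.com"):
        print("IdentityAuthority needs changing:", reason)
```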

Authentication Procedure

For more information about the authentication procedure when using tokens, please refer to Using the CxSAST (REST) API (v8.6.0 and up).