Zally should report at least a warning if HTTP scheme is used in combination with OAuth2.0
OAuth2.0 enforces HTTPS as protocol, but Zally does not report at least a warning if the spec has both http and https defined as schemes in combination with oauth2 as security definition.
Issue Analytics
- Created 6 years ago
- Reactions: 1
- Comments: 8 (7 by maintainers)
Top GitHub Comments
Do you see benefits in reviewing this type of internal APIs? They are mostly defined a priori by the consuming side anyway and/or follow industry standards. (Spring Actuator Metrics, Prometheus, etc.)
If you submit OAuth Bearer tokens the endpoint MUST be HTTPS. HTTP would allow the tokens to be sniffed.
Monitoring endpoints which are only accessed by the ZMON appliance inside the same AWS (and therefore maybe exposed via HTTP (which is only valid if they require no OAuth token IMHO)) should not be part of the public API anyway (again IMHO).
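The rule requested in the issue and restated in the first comment (a bearer-token endpoint must not be reachable over plain HTTP) is small enough to show as a stand-alone lint check. The following is an added example, not Zally's own code (Zally's rules are written in Kotlin): it walks a parsed OpenAPI document held as a Python dict, finds every place the spec permits `http` (global `schemes` and per-operation `schemes` in Swagger 2.0, `servers[].url` in OpenAPI 3.x), and emits a warning for each one whenever any `oauth2` security scheme is defined. The sample specs, hostnames and scheme names are constructed for the example.

```python
"""Lint check: warn when an OpenAPI spec allows plain HTTP while defining OAuth 2.0.

Added example, not Zally code. Specs are passed as already-parsed dicts, so no
YAML/JSON loader is needed; the samples below are constructed for illustration.
"""
from urllib.parse import urlsplit


def _pointer_escape(segment: str) -> str:
    """Escape one JSON Pointer segment (RFC 6901): '~' -> '~0', '/' -> '~1'."""
    return segment.replace("~", "~0").replace("/", "~1")


def _oauth2_scheme_names(spec: dict) -> set:
    """Names of all security schemes of type oauth2, for either spec version."""
    definitions = spec.get("securityDefinitions") or spec.get("components", {}).get("securitySchemes", {})
    return {name for name, d in definitions.items() if isinstance(d, dict) and d.get("type") == "oauth2"}


def _http_locations(spec: dict):
    """Yield a JSON Pointer for every place the spec permits plain http."""
    # Swagger/OpenAPI 2.0: global 'schemes' list
    for i, scheme in enumerate(spec.get("schemes", [])):
        if str(scheme).lower() == "http":
            yield f"/schemes/{i}"
    # Swagger/OpenAPI 2.0: per-operation 'schemes' overrides
    for path, item in spec.get("paths", {}).items():
        if not isinstance(item, dict):
            continue
        for method, operation in item.items():
            if not isinstance(operation, dict):
                continue
            for i, scheme in enumerate(operation.get("schemes", [])):
                if str(scheme).lower() == "http":
                    yield f"/paths/{_pointer_escape(path)}/{method}/schemes/{i}"
    # OpenAPI 3.x: server URLs (relative URLs have no scheme and are not flagged)
    for i, server in enumerate(spec.get("servers", [])):
        url = server.get("url", "") if isinstance(server, dict) else ""
        if urlsplit(url).scheme.lower() == "http":
            yield f"/servers/{i}/url"


def check_oauth2_over_http(spec: dict) -> list:
    """Return one warning string per http location; empty list means clean.

    Specs without any oauth2 scheme are out of scope for this rule and return [].
    """
    oauth2 = _oauth2_scheme_names(spec)
    if not oauth2:
        return []
    names = ", ".join(sorted(oauth2))
    return [
        f"{pointer}: plain http allowed while OAuth 2.0 scheme(s) {names} are defined; "
        "bearer tokens must only be sent over https"
        for pointer in _http_locations(spec)
    ]


# Constructed sample specs (hostnames and scheme names are made up for the example).
SWAGGER2_BAD = {
    "swagger": "2.0",
    "schemes": ["http", "https"],
    "securityDefinitions": {
        "oauth2": {"type": "oauth2", "flow": "accessCode",
                   "authorizationUrl": "https://auth.example.test/authorize",
                   "tokenUrl": "https://auth.example.test/token"}
    },
    "paths": {"/pets": {"get": {"security": [{"oauth2": ["pets.read"]}]}}},
}
SWAGGER2_OP_OVERRIDE = {
    "swagger": "2.0",
    "schemes": ["https"],
    "securityDefinitions": {"oauth2": {"type": "oauth2", "flow": "implicit",
                                       "authorizationUrl": "https://auth.example.test/authorize"}},
    # The operation-level override re-enables http even though the global list is https-only.
    "paths": {"/health": {"get": {"schemes": ["http"]}}},
}
OPENAPI3_BAD = {
    "openapi": "3.0.3",
    "servers": [{"url": "http://api.example.test"}, {"url": "https://api.example.test"}],
    "components": {"securitySchemes": {"corpOAuth": {"type": "oauth2", "flows": {}}}},
}
SWAGGER2_OK = {"swagger": "2.0", "schemes": ["https"],
               "securityDefinitions": {"oauth2": {"type": "oauth2", "flow": "implicit",
                                                  "authorizationUrl": "https://auth.example.test/authorize"}}}
NO_OAUTH2 = {"swagger": "2.0", "schemes": ["http"], "securityDefinitions": {"basic": {"type": "basic"}}}


if __name__ == "__main__":
    for label, spec in [("swagger2_bad", SWAGGER2_BAD), ("swagger2_op_override", SWAGGER2_OP_OVERRIDE),
                        ("openapi3_bad", OPENAPI3_BAD), ("swagger2_ok", SWAGGER2_OK), ("no_oauth2", NO_OAUTH2)]:
        for warning in check_oauth2_over_http(spec) or ["clean"]:
            print(f"{label}: {warning}")
```

The check is deliberately limited to the combination the issue describes: a spec with only `basic` auth and `http` is left alone (other rules cover that), and a relative OpenAPI 3 server URL such as `/api` carries no scheme and is not flagged. Per-operation `schemes` overrides are included because an https-only global list can be silently undone at a single path.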