oauthpasswordsauth0password-encryption

Accessing username and password through OAuth


I am trying to access the usernames and passwords of people entering my site, using the access token. However I am getting an authorization code not an access token. Is it also possible to have access to the username and password of people logged into my site that they use for other sites, so that my site can act as a plaintext password manager where they can see their passwords for all sites. But the OAuth token returns an encoded string instead of an actual username or password in plaintext, so I cannot see the passwords myself nor show them to the users. Please can I have some method to access the password without encryption?

I tried to use Auth0 as well but this did not work because of the same problem. None of the resources I tried were able to store and give plaintext passwords.


Solution

  • Passwords are (and should) one-way-encrypted, so even if someone successfully accesses their stored values, they will still be useless.

    In the following thought process RP will be raw password, that is, some text that the user enters when logging in in order to authenticate and EP will be the encrypted password, that is, the result of encrypting the password.

    It's important to be aware of this congruency:

    encryption(RP) === EP

    So, when a password is being stored, encryption(RP) is being called and the resulting EP is being stored into the place where it is to be located, usually into a database.

    When a user is logging in, he types in RP and the backend will call encryption(RP) and compare with the EP of the user to be authenticated. If encryption(RP) does not match the stored EP, then the user entered an incorrect password. Otherwise he entered a correct password.

    Now, you want to check the passwords of the users. The best way to do this is to have an authentication that does not allow users to register with weak passwords.

    Yet, if you want to detect which already stored passwords are weak, then you can do the following: