OAuth Settings

Modified on: Thu, 17 Nov, 2022 at 4:14 PM


OAuth is an open standard for authorization. It allows Maltego users to log into third party providers with their credentials and have an access token returned to the tool. This access token can then be sent to the Transform which in turn can request information from the provider on behalf of the end user.

OAuth within the Maltego Client

Within the Maltego Client, the OAuth providers can be found under the Transforms tab by clicking on the Manage Services button:


After clicking the button you will be presented with the Service Manager panel which describes the available OAuth providers configured as well as the ability to login and logout of the various providers:



Within the application, if any Transforms require OAuth tokens, you will be prompted to login before the Transform is run.

Configuring the OAuth providers in the iTDS

Clicking OAuth Settings from the home page of the iTDS server leads you to a list view of all the OAuth settings that have been setup for your iTDS server. Clicking Add OAuth Setting will lead you to the page below where a new OAuth setting can be configured:

The OAuth settings fields on this form are explained below:

  • Authenticator name - This is the overall OAuth provider name.
  • Description - A description of the OAuth provider, something like "LinkedIn Provider".
  • Version - Which version of OAuth being used, the currently supported versions are OAuth 2.0 and OAuth 1.0a.
  • Access token endpoint - The endpoint that the Maltego client will request for the access token.
  • Request token endpoint - The endpoint that the Maltego client will send the user to for application approval.
  • Authorization URL - URL used to by the client to approve/grant access tokens.
  • Application/API key - API or Application key that the developer is issued from the provider.
  • Application/API secret - API or Application secret/private key that the developer is issued from the provider.
  • Icon - Base64 of the 64x64 pixel Icon to be used within the Maltego client application.
  • Access token variable name - The variable name used within the Transforms (this is what the Transform will receive).
  • Variable description - Simply describes the variable used.
  • Public Key - The public key used to encrypt the access token when it is sent to the Transform code itself.

OAuth Endpoint Configuration

Sometimes OAuth Endpoints, such as the Authorization URL, may be lengthy, and to reduce the length, Maltego TDS makes use of configuration parameter placeholders as illustrated below.


For OAuth 1.0a, only "token" can be used as a replacement variable, e.g. http://example.com/oauth1/authorize?oauth_token={token} where "token" refers to the token received from the OAuth Provider during the Authorization flow. 



For OAuth 2, "apiKey" and "callback" can be used as replacement variables in the authorization URL, e.g. http://example.com/oauth2/authorize?client_id={apiKey}&redirect_uri={callback} where "apiKey" refers to the Application Key setting in the TDS.


"Callback" will be replaced with the callback URI set in the Maltego Desktop client and this URI must match the value as that of the redirect_uri set in the OAuth application.


Most OAuth 2.0 Providers require a Call back URL to be included as an URL parameter in one or all of the endpoint URLs. Please Refer to the applicable API or OAuth provider documentation for URL parameter requirements.

To ensure that the Maltego Desktop Client uses the correct** Call back URL*, please specify theprotocol* and TCP port in the** Service Manager **configuration for the applicable provider. This is an additional setting which the Maltego Desktop Client user needs to apply before attempting to log into the OAuth Service Endpoint. Ensure that you provide your users with the correct setup information.

Refer to Managed Services for instructions on how to configure this is in the Maltego Desktop Client.

Read more about OAuth Integration and using OAuth in the Transform development guide here: OAuth Integration Example - LinkedIn.

Did you find it helpful? Yes No

Send feedback
Sorry we couldn't be helpful. Help us improve this article with your feedback.