Based on the diagram you can see above (Oauth authrization flow). Reference https://youtu.be/oKzeHshquCs?t=1949
Using user credentials (username, password), we are attempting to
get an authorization code (login).
Authorization code received.
Using the received authorization code we are now requesting an
access token.
When access token is given. This access token will be
now used to access the resource server (as Bearer Token).
I would like to ask how to implement this using API, using the latest implementation of OAuth2. Using custom REST API's on the Authorization Server.
Scenario: using two api's ('/auth/code' then ''auth/token'')
Using user credentials (username, password) the user will request on
api '/auth/code', where authorization_code as the response.
Using the recieved authorization code (from #1), we will request an access
token on '/auth/token'. Access token will be used as bearer token on
the authorization server.
Or if we can do this two step (#1 and #2 above) on one API process (auth/token) would also be great.
Do you have any working project in regards with this?
I have explored the code of Baeldung, but based on this implementation, it is still using the default implementation of spring security. It would be my great pleasure if there are Senpai's out there can help me with this. Thanks :)
There's no such API to get an authorization code directly passing the user credentials. Usually, there would be an API (/as/authorization), which redirects the user to the login page. Once the user enters his credentials, he will be redirected to the target application with the authorization code in code as the query parameter of the URL. (You need to configure your app's URL as a redirect URL or callback URL in the Identity provider)
This code is usually short-lived and can't be used more than a time. (i.e) You can use this code only once to get an access token. When you exchange the code with an access token, you should be seeing refresh_token (if you granted access to refresh_token grant_type in the IdP) as well with which you can request tokens in the future.
You need to configure all these things in an Identity Provider. This could be PingIdentity, Auth0, etc.
Make a call to /as/authorization API
Once user enters his credentials and redirected to the target application, extract the code from the query parameter and make a call to token API (oauth/token) to get access_token and refresh_token
Once the access_token is expired, use the refresh_token to get a new access_token (grant_type should be refresh_token).
Once the refresh_token is expired, you need to again get the authorization_code again with the /as/authorization API.
Related
I've implemented an application that redirects to the wso2 identity server login page. If the login is successfull the user is redirected to a page where he can read his profile details.
Based on his role he can perform certain action, like create a new user.
I've implemented an API (http://localhost:8080/add-user) that calls this URL ( https://localhost:9443/t/carbon.super/oauth2/token) to generate the access token with the desired scope (for example internal_user_mgt_create) that I need in order to call
the wso2 SCIM2.0 API (https://is.docs.wso2.com/en/latest/apis/scim2-rest-apis/#/Users%20Endpoint/createUser).
Everything works if I use grant_type=password and I use the user credentials to generate the access token to call the wso2 SCIM2.0 API, but I want to use "authorization_code" as grant_type to avoid sending user credentials in my application.
How can I do that? And I know that one of the parameters that I need to use this flow is "code", where can I get its value?
You can configure authorization code grant in your application by selecting the Code from the Allowed Grant Types list OAuth/OpenID Connect Configuration in your application. [1]
When using the auth code grant your application needs to wso2 authorize endpoint to obtain the authorization code Using this authorization token and client secret you can obtain the access that is capable of calling the scim endpoint.
Refer to following documents for more information
[1]. https://is.docs.wso2.com/en/latest/guides/access-delegation/authorization-code/
[2]. https://medium.com/identity-beyond-borders/generating-access-tokens-using-wso2-identity-server-4d8c084a3bf5
It's harder to provide an exact answer to this question without knowing more details about the app and the flow you'd expect your users to go. However, it'd be much easier if you have a better understanding of the OAuth2 code grant type. The following is the basic flow.
The user accesses your application through a web browser.
Your application redirects the user to the identity server, with the following parameters in the request.
client_id=xxx
response_type=code
redirect_uri=yyy - Location in your application where you want to get the authz code. This needs to be registered with the IS service provider beforehand.
scopes
The IS prompts the user to log in.
The IS then redirects the user to the given redirect URI, with the authorization code.
Once the code is received by the client, it makes a back channel call to the token endpoint of the IS (https://localhost:9443/t/carbon.super/oauth2/token) with the following parameters.
grant_type=authorization_code
client_id=xxx
client_secret=zzz
code=ccc
IS validates the code and issues an access token.
Read more on OAuth2 here.
Now, if you're getting the "Inactive authorization code" error, your application might already be calling the token endpoint with the code received, before you call your add-user API.
Ideally, your add-user API shouldn't call the token endpoint at all. You should call the token endpoint from your application, get an access token and pass that to the add-user API if needed. Or you can directly call the SCIM API from your application itself.
I hope this helps!
I would like to integrate PayPal signin into an android app so to authenticate the client to the Firebase Database. I've managed to create a custom funtion on the node.js server that creates tokens from the provided uid, in order to use "signin withcustomtoken" function in the client application. Should I send the uid to the nodejs server through https in order to get the token? Is there a better way?
Don't create an HTTP endpoint that accepts a uid and returns a custom token. This is a huge security vulnerability as any attacker would be able to impersonate any user knowing their uid.
What you need to do is the following:
Implement a paypal OAuth code flow. You can use third party libraries for that.
When you get the paypal OAuth authorization code, you send it to your backend, you use the paypal client ID and secret to exchange for a paypal refresh token and access token. You can then get the user info associated with that paypal user including their paypal uid. You would then mint a Firebase custom token using the Firebase Admin SDKs and return it to the client.
On the client you would signInWithCustomToken to complete sign in with that custom token.
In this case you are exposing an HTTP endpoint that takes an authorization code and returns a Firebase custom token.
This is the basic idea (details excluded). Of course you still have to ensure the flow starts and ends on the same device by passing some state and then check that you get it back in the end. You also have to ensure the auth code is returned to the correct app using something like app links, etc. Firebase Dynamic Links can be helpful there.
I have a Web API built in Java that returns database information to an SPA. I need to check the user's group information using AAD Graph API before delivering the response. Right now the Web API accepts the request and reads the user's token (eyJ...).
What are the next steps for the application to be ready to send a request to Graph API on behalf of the user?
I have tried sending the request with the Authorization: Bearer ey... header using the user's token but receive a Authentication_MissingOrMalformed error. I have also tried various edits to the app manifest and delegated permissions with no luck.
The access token that your API received is intended only for your API. What you need is to obtain a new access token, on behalf of the current user, for the Azure AD Graph API.
Fortunately, this is exactly what the on-behalf-of flow is for. From Authentication Scenarios for Azure AD:
Delegated User Identity with OAuth 2.0 On-Behalf-Of Draft Specification
The flow discussed below assumes that a user has been authenticated on another application (such as a native application), and their user identity has been used to acquire an access token to the first-tier web API.
The native application sends the access token to the first-tier web API.
The first-tier web API sends a request to Azure AD’s token endpoint, providing its client ID and credentials, as well as the user’s access token. In addition, the request is sent with an on_behalf_of parameter that indicates the web API is requesting new tokens to call a downstream web API on behalf of the original user.
Azure AD verifies that the first-tier web API has permissions to access the second-tier web API and validates the request, returning a JWT access token and a JWT refresh token to the first-tier web API.
Over HTTPS, the first-tier web API then calls the second-tier web API by appending the token string in the Authorization header in the request. The first-tier web API can continue to call the second-tier web API as long as the access token and refresh tokens are valid.
Be sure to configure your API to request the right set of permissions for the Azure AD Graph API.
Edit: If you are constructing the token request yourself, the request that your API would make to Azure AD to get a new token to the Graph API on behalf of the current user would be a POST against:
https://login.microsoftonline.com/{tenant-id}/oauth2/token
With the following parameters in the body (un-encoded, for readability, in reality these would be application/x-www-form-urlencoded, of course):
grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&
requested_token_use=on_behalf_of&
assertion={access-token}&
client_id={api-client-id}&
client_secret={api-client-secret}&
resource=https://graph.windows.net&
scope=openid
Where {tenant-id} is the directory identifier (domain name or Guid value), {access-token} is the access token that your SPA provided to your API (the one you're exchanging for an access token to the Graph API), {api-client-id} is the client ID for your API, and {api-client-secret} is the API's secret password credential.
(Note, for simplicity, this example uses password credentials (client_secret) to authenticate the API, though it could very well be using instead an assertion signed by a client certificate.)
When connecting to the google services from a desktop app user is required to enter access code provided to him to generate accessToken.
I can't quite understand how to properly save it and restore into GoogleCredential so user wouldn't have to authorize my app on every launch.
Can somebody provide me with a code snippet of this process or a more detailed instruction than the one Google provides?
First you have to register your project into the Google Developer console. From the console your will get some credentials like: cliend id, client secrets.
Now when you want to authorize your application u need to get an access token. But before u have to get an "authorization token". For this u need to use an url like this
https://accounts.google.com/o/oauth2/auth?
redirect_uri=yourredirectpage&
response_type=code&
client_id=1070885696038-32m83k9ties5m7qsi4g6v8dfo28f2r9g.apps.googleusercontent.com&
scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcalendar&
approval_prompt=force&access_type=offline
The response of this request contains the authorization token. Now you can exchange the authorization token for the access token with another request:
https://accounts.google.com/o/oauth2/token?
code=4/oIdtdqPBW67CTSpijkm_fbwCqMjF_WJPiSmvsq8zScA.Ilw2ePhp3fQeoiIBeO6P2m_Usz4vlgI&
client_id=1070885696038-32m83k9ties5m7qsi4g6v8dfo28f2r9g.apps.googleusercontent.com&
client_secret={your_client_secret}&
redirect_uri=yourredirectpage&
grant_type=authorization_code
Where "code" is the authorization_token.
For more details check this: Google Api OAuth
I'm having a hard time wrapping my head around how to authenticate a user in my REST service. I plan to use Google Sign-in (on Android, namely). I can't quite figure out how to authenticate users on my server. I do not want to have any authorizations (other than validating the identity of the user), all I want to do is when I receive a request, validate that the user is who he (or she) says he is.
My understanding is that the user will login, get some sort of token from Google, then send that token along his request to my server which I will use to validate his identity. However, from what I read, the user will encode their requests in a JWT (json web token), which I will then use to validate their identity without ever talking to the Google server directly. Did I understand properly?
On Google's documentation, it says
If you do not require offline access, you can retrieve the access token and send it to your server over a secure connection. You can obtain the access token directly using GoogleAuthUtil.getToken() by specifying the scopes without your server's OAuth 2.0 client ID.
But it does not say what the server should do with the token.
You have an android app which enables user to log in via Google+ Sign-In, and then this Android app will call your REST API. What you want is how your service authenticates this request. This Android client will send request to your service with token, and you need to validate this token for authentication. Is my understanding right?
If so, you need to validate the token sent to your service. The reference you mentioned is for Google API calls, in your case; it's your own service API call. For the Android side, just follow the reference, in your service side you can use TokenInfo validation to authenticate users.