In my Word Addin I obtain a bootstrap token with the command:
const bootstrapToken = await OfficeRuntime.auth.getAccessToken();
I send this token to the backend to verify if the user has the right to our service. For that purpose I need some information about the user.
When I inspect the token on the jwt.io website I can see that the information I need is present in the token.
My question: Can I decode the token and extract the necessary information or do I need to use the bootstrap token to call MSGraph and get my information from there?
If all the information you need is in the bootstrap token, then you can just extract it and use it.
Related
We would like to have users authenticate to a Slack app by providing their current Keycloak JWT as a one-time authentication procedure. This would allow us to associate their Slack user ID with their Keycloak user ID.
However, I can't find any endpoint like AWS' GetCallerIdentity within Keycloak. I have combed the docs, and the closest thing I can find is an identity token mentioned here. However, I can't find anything about how to unravel that identity token to securely gain information about its owner.
Can anyone point me in the right direction?
Thank you!
Open ID Connect defines userinfo endpoint, which is similar to AWS GetCallerIdentity endpoint. But that requires to fire request. I would prefer to read user details from the token.
Standard JWT (OIDC) libraries support token decoding. Access/ID token has 3 parts: header, payload, signature. You can use base64 decode on the payload part and you will get json with user details. Of course proper implementation will read also header to get used algorithm and it will validates token signature with used IdP public key and algorithm. Otherwise someone can tamper token.
https://jwt.io/#debugger-io provides nice visual interface, which will help you to understand and also decode token structure:
Keep in mind: what is returned in the userinfo response depends on OIDC client configuration in the Keycloak
I am trying to authenticate user in firebase with KakaoTalk credentials. For that, I've got accesstoken from KakaoTalk. And then trying to authenticate user with that token. Here is my code :
String token = await kakaoService.getAccessToken();
await firebaseAuth.signInWithCustomToken(
token: token,
);
Got acceess token like this : nmAzFpOF9XrijP-ZoFpQbVluGZ4lLDbZxOCXIAo9c-sAAAFxrID6xA
But getting this error :
The custom token format is incorrect. Please check the documentation. [ Invalid assertion format. 3 dot separated segments required. ]
Whats wrong here? Am I missing something?
Check out the Firebase documentation regarding the use of custom token: https://firebase.google.com/docs/auth/admin/create-custom-tokens#create_custom_tokens_using_a_third-party_jwt_library
Firebase needs to successfully decode the auth token your client submits then use its claims to validate access to your Firebase resources. As such, Firebase requires that custom tokens be formatted according to the rules spelled out in their docs. (They describe a very typical JSON Web Token.)
The access token you're getting from KakaoTalk does not follow Firebase's token rules so Firebase doesn't know what to do with it. I suggest you revisit the KakaoTalk docs to see if it can generate a standard RS256 JWT token with which Firebase can work.
It seems that the token returns by kakaoService.getAccessToken() is not a valid custom token for Firebase Authentication. In fact, given the error message, it doesn't even seem to be a JWT.
Custom tokens for Firebase Authentication must have a specific format, that is documented in creating custom tokens. You'll typically want to follow this process to get a valid token for Firebase Authentication:
Sign the user in to the identity provider (KakaoTalk in your case).
Decode the token from the provider, to get the verified information about the user.
Create a custom token for the user with the Firebase Authentication Admin SDK.
Use that token to sign in to Firebase on the client.
Steps 2 and 3 must happen in a trusted environment, such as your development machine, a server you control, or Cloud Functions.
I want to be able to download a file from an API call. For argument's sake, let's say it's an automagically generated PDF file.
I have two problems:
Anchor tags can't add Authorization headers to the request, only XHR can.
XHR requests cannot download files.
My solution is to write my API with an [AllowAnonymous] end point in it, which takes the access_token as a parameter. I then validate the access token by hand and return a 401 or stream the PDF.
Is there a better solution than this or, if this is the best solution, how do I validate the access_token within the API?
This approach is totally fine.
If you want to use middleware to validate the token - it depends which middleware you are using. The plain Microsoft JWT bearer middleware has some events you can implement to retrieve the token from a query string alternatively.
The identity server token validation middleware has a TokenRetriever property which also allows you to retrieve the tokens from multiple/alternative locations.
I need to implement the following functionality:
*send name and e-mail address of an user to an excel sheet in Dropbox.As soon as the user submits details,the data needs to get appended to the file.
i have made an app account in my dropbox, and got its key and secret, which is hardcoded in the app.Want to get rid of the login screen.How is it to be done?
Kindly provide some code examples as Im a newbie.
This is not possible now but may be in future.
Just refer this
In DropBoxSDK, Because the application doesn't call /oauth/authorize directly, there is no direct return value. After the user authorizes the application, use its request token to retrieve an access token via the /oauth/access_token API call.
Problem with my accessToken!!
accessToken is all right all the time.
It's standard format: AAA|BBB|CCC
I can get available current user's uid and session secret from a given accessToken( AAA|BBB|CCC)
BUT today fb server give me a strange accessToken unexpectedly.It's not useful for xmpplogin.
eg. AAACmERnbMSwBAB3XnOt4hnR71agtbo3CE8w2Xd7jD7QEURSiiOFV1Eg85tHsaHvVNobiUFppqzQcaXKjWOVSZCIFKvVsEJ4llZBfNI6AZDZD
could you give me a clue?I'm crazy to find answers whole day.
As per https://developers.facebook.com/blog/post/572/ the access token format changed recently to an encrypted format. All the APIs should work fine using this encrypted token including XMPP but it requires a minor code change to your XMPP code.
There was a blog post showing how to use the access token for XMPP auth on Sep 10.
Replace the session_key and sig parameters with the access_token parameter which should be the user access_token which has the xmpp_login permission - also note that it needs to be passed over SSL (which I believe was optional when you were only passing only the session key and sig)
If you can't get XMPP login working when you pass the encrypted access token, please file a bug in Facebook's bug tracker, but make sure you have the parameters changed per the note above and the chat docs.
The format of Facebook access token has changed recently. Now it is encrypted. At present if you want to get the user id of the owner of an access token issue a request in the following format
https://graph.facebook.com/me?fields=id&access_token='accesstoken'
This will return the Facebook User id of the owner of access token as a Json string. This request works even when the user is not logged in.