I have an application which currently works with Azure AD Oauth 2.0. It accepts the JWT token from AAD as a access_token and signs the user in. I am trying to setup this with Google IDP and I am running into an issue. Google IDP returns the JWT token as id_token which the application doesn't recognize and value returned in access_token is not a valid JWT. Is there a way to receive the JWT as access_token in Google? How can I achieve this? the Application can only accept JWT as access_token it cant be changed, this an application from Oracle Corp.
Related
I created docusign jwt access token for my application manually/php sdk with consent and used that access token in the code for restapi. Expiry of access token is 1 hr. How to renew the DocuSign jwt access token without asking consent again and again? Or how to prolong the expiry of access token?
You call request_jwt_user_token again and get the token from the response. You dont need to request consent again. Have a look at the recommended best practices here
I have a flutter Android app which implements Google sign in, and ASP.NET core Web API server, which using token-based authentication. Android app sends jwt token to server, which contains such information as email, username etc. So on server. I need a parameter, on which user can be authorized.
Does Google's JWT contains any information, which is unique for every account?
If jwt does not, is it possible to get a unique identifier after validating this token using GoogleJsonWebSignature.ValidateAsync(token)?
I want to use SAML login for a single web application with a REST API. How should I do this? Usually, say with OAuth, lets use Google/Firebase as an example:
SPA calls Google to login. Google returns a Google ID token
SPA can call Server with Google ID token which server can verify with Google and return an access token for use with the application
Firstly is this correct or did I get something wrong so far?
But with SAML, from what I can see, its user is redirected to SAML IDP, SAML IDP then redirects user to a server assertion URL. Because there is this redirect, how do I use it in the context of REST? I am unfamiliar with SAML, but I dont see a token. The server just gets an "assertion" with the user information?
Here is the sequence of events which happen when the application is using SAML for the authentication:
server should send a response to the client with the URL to SAML IDP.
client application redirects the browser to SAML IDP (1).
After successful authentication, SAML server sends response with the redirect back to the client. The browser automatically posts the HTML form SAML server to your server.
After validating SAML assert and successful authorization (you can use user's information or other attributes to authorize the user to use your application), your server should generate a token that now can be used by the client application.
This is a basic scenario.
See spirng-saml project here, you can try and play with the sample web application.
https://projects.spring.io/spring-security-saml
SAML assertion is an equivalent of id_token in OpenID Connect 1.0 that Google uses. There is no access_token in SAML. SAML is an authentication protocol.
OAuth 2.0 that uses access_tokens is an authorization protocol. That is why it provides an access_token to authorize access to your REST API.
OpenID Connect is an extension of OAuth 2.0 that supports user authentication in addition to API authorization and introduces id_tokens that contain user information.
One of the options to use SAML in your Single Page Application with REST API is to host them at the same domain. In this case you can:
Get an assertion from SAML Identity Provider.
Verify it (format, signature, lifetime, etc) on the server side.
Return a session cookie in the response to set it in the browser.
Each request to the REST API will come with a session cookie authorizing access to it.
I'm building an app that requires a Facebook Authentication Token.
Google'ing it I end up on https://developers.facebook.com/docs/facebook-login/access-tokens
This names the following tokens:
User Access Token
App Access Token
Page Access Token
Client Token
Are any of these a Facebook Authentication Token?
If not, how do you get one?
I ended up using this tool here:
https://smashballoon.com/custom-facebook-feed/access-token/
I have a web api which I want to secure using ACS, but I want to use ACS for authorization only. The flow I want is:
The user is redirected by the app to authenticate with Facebook and
the app receives a Facebook token.
The app sends a request to ACS with the Facebook token and receives
a new token, which he can use to access the API.
The user calls the API and passes the token received from ACS as
authentication/authorization for the API.
Is this flow possible? How do I set this up on the ACS side and the API side?
I already have the Facebook authentication working in the app. I would like to leverage the token I am already getting in order to call the API.