I am trying to add claims to the access token from a PingFederate Application.
I've added the appropriate resources and have set up the mappings, but my access token only ever contains the sub. What do I need to do to get the email address in the access token?
What am I missing?
I'm building a REST API and using AWS Cognito's user pools for authentication. I've got a "get_token" endpoint that returns the JWT access and refresh tokens to the user, which they use to authenticate access to the other REST endpoints provided by the API.
The access token has an expiration timeout. If the user of my API is an application program, what are the best practices for the application to handle when the access token expires? Does the application have to remember the username/password and re-authenticate to continue? Is using the refresh token to get a new access token and use that going forward the best approach?
Is there any documentation, suggestions anyone can point out that might help me out?
Cognito provides three types of tokens (id, access and refresh) when you log in. The way this usually works is that you send either of the first two (depending on whether you want to be sending user payload information to your backend) to your backend via an Authorization header and verify the token there.
Your id and access tokens usually have a shorter expiration time than the refresh token. What you should do is, when the id (or access) token expires, use the refresh token to generate a new id (or access) token. When the refresh token expires, that means you can no longer generate new id/access tokens from it. In this case, the user (or app) must log in again.
I'm learning about access tokens and refresh tokens. I understand...
An access token is an artifact that proves the user has been authorized to access a resource and allows a client application to perform specific actions on behalf of the user.
A refresh token is an artifact that lets a client application get new access tokens without having to ask the user to log in again.
I don't understand the following paragraph from this JWT book:
The key aspect of the separation between access and refresh tokens lies in the possibility of making access tokens easy to validate. An access token that carries a signature (such as a signed JWT) may be validated by the resource server on its own. There is no need to contact the authorization server for this purpose. Refresh tokens, on the other hand, require access to the authorization server.
The text is referring to the following image:
What exactly does "validate" mean here? How can the resource server validate the access token on its own? If the authorization server generates the access token, which it does in this case, isn't the authorization server required to validate the access token?
The only thing I can think of is that the resource server has a copy of the key used to sign the access token (see here). If so, doesn't that render the authorization server redundant?
JSON Web Tokens can be validated because, as you guessed correctly, the resource server will have beforehand the public key corresponding to the private key that was used to sign that token. It means that if someone in the middle tried to tamper with the JWT, the validation will fail and the JWT should not be processed.
Also, the JWT contains fields such as the expiration time that can be checked by the resource server to understand whether the token is still valid or not.
I read something like this:
1. Once a user logs in, you can generate a token and store it in a MySQL database and share the same token with the response of the login API.
2. Store the token using shared preferences.
3. When a user opens the app, check if the token exists; if it does, then send the token in the request header with all the APIs that require the user to be logged in.
But what is the point of using a token if I am keeping it in the database? Eventually this token is related to a user id, and with this user id everything is reachable. So I want to ask: why should I use some token to keep the user logged in instead of the user's email or something?
Using a token is much more secure and usable. Storing just a token is more secure because, in case of a leak, the token can be revoked. On the other hand, storing the user's username and password is a security risk. Also, most services use tokens on their APIs and there is no username+password authorization. For example, the whole OAuth2 concept is built on top of this. In short, tokens are much more secure and flexible.
The optimal usage of a bearer token is as a set with an access token and a refresh token. You pass the access token in the header while making HTTP requests; typically the access token expires frequently, especially when security is a prominent feature of the app, like banking apps. When a user makes an HTTP request and the access token has expired, you should refresh it via another API call with the refresh token and repeat the same API call with the new access token.
At first, I expected the access token to be necessary while communicating with a WL resource.
Expected flow:
1. WLAuthorizationManager.login(this.securityCheck, {'username': username, 'password': password, rememberMe: true}).then(
2. WLAuthorizationManager.obtainAccessToken(this.securityCheck).then(
3. let resourceRequest = new WLResourceRequest('someURL', WLResourceRequest.GET)
   resourceRequest.addHeader("Authorization", "Bearer " + accessToken);
4. resourceRequest.send().then(
where 1 = login, 2 = get access token, 3 = add access token to header, 4 = access resource
However, I find that without 2 and 3, I can still access the resource.
This makes me wonder what the meaning of obtainAccessToken and adding the Authorization header is.
Is there any token auto bound to WLResourceRequest after login?
Is there other way to login without using WLAuthorizationManager.login?
If ok, how to let server know the user logged in like using WLAuthorizationManager.login?
If the above is true, after a custom login, can I obtain an access token?
Here's some background about these methods and their working:
WLAuthorizationManager.login(securityCheck, credentials) logs into a specified security check. This method does not create an OAuth token.
More details about WLAuthorizationManager.login(securityCheck, credentials).
WLAuthorizationManager.obtainAccessToken(scope) returns an OAuth token containing the specified scope. If the scope is mapped to a security check, it will trigger a corresponding challenge, which the client will have to handle to obtain the token. If obtainAccessToken(scope) is invoked after a successful login(securityCheck) call and the scope is mapped to the same security check, then you will not see a challenge; the OAuth token will be granted.
More details about obtainAccessToken().
A WLResourceRequest object is used to send a request to any protected or unprotected resource using an absolute or relative URL.
The WLResourceRequest object automatically handles the MobileFirst OAuth-based security model protocol and invokes the required challenges.
Details about WLResourceRequest.
To answer your questions:
Is there any token auto bound to WLResourceRequest after login?
As mentioned earlier, WLResourceRequest automatically negotiates an OAuth token from MFP server containing the scope that protects the endpoint it is accessing. This may include multiple rounds of OAuth negotiation and also invoke the challenge handlers to handle challenges originating from the server. Once the right token has been obtained, the API automatically adds the token to the request in an 'Authorization' header.
Is there other way to login without using WLAuthorizationManager.login?
Instead of WLAuthorizationManager.login(securityCheck, credentials), if a protected resource is accessed via WLResourceRequest, or if WLAuthorizationManager.obtainAccessToken(scope) is invoked for a scope that is mapped to a security check, this will trigger a challenge-response cycle that ends with a user identity and a token.
If ok, how to let server know the user logged in like using WLAuthorizationManager.login(securityCheck, credentials)?
The MFP runtime takes care of this, regardless of whether the user identity is set via WLAuthorizationManager.login() or whether WLResourceRequest / WLAuthorizationManager.obtainAccessToken(scope) triggers a challenge-response cycle that goes through the security check.
If the above is true, after custom login, can obtain access token?
Not sure what you mean by 'custom login', but you can always obtain an OAuth token using WLAuthorizationManager.obtainAccessToken(scope) or WLResourceRequest. The difference is that obtainAccessToken() will get you a token for the scope you specify, while WLResourceRequest will invoke an endpoint by obtaining an OAuth token covering all the required scopes automatically.
I've been developing my first REST API to serve as the back-end for a mobile application. I'm pulling info from different resources, and am a little confused when it comes to the token implementation (I'm using JWT).
The access token is used to ensure that the requester has access to the resource that is being called. My understanding is that I will then encode the user details in the ID Token, such that the relevant information can be returned. The refresh token is used as a security mechanism, to keep the user authenticated after the short-lived ID and access tokens expire.
The access token seems a little redundant, and maybe it is an interchangeable term for ID token? Can I just remove that part from my authentication scheme?
In the proposed scheme access and ID tokens are used interchangeably and do not provide any value over the other. All information provided in the access token can be stored in the ID token, or vice versa. The entire authentication scheme will then simply consist of an access token (containing both info on access permissions, and user info), and a refresh token (ensuring that users don't need to login again every t minutes).