I'm trying to verify subscription purchase in our backend servers, considering from this hms-iap-serverdemo GitHub repo.
I'm trying to connect OAuth 2.0-based authentication servers using app ID and app secret. I took ID and secret from AppGallery Connect → my app → app information. The auth servers returns base64 encoded token. When I try to verify with this subscription purchase, I am getting ResponseCode:6 ResponseMessage:Token is expired or invalid InappPurchaseData error from server.
The status of the application is currently draft. Is that why I'm getting this error? I believe client ID and client secret is correct. Or something else. I do not know. Do you have an idea?
Thank you
ResponseCode:6 ResponseMessage:Token is expired or invalid InappPurchaseData
The possible causes are as follows:
Check whether the token is invalid.The token validity period is 1 hour. If the token expires, obtain a new token to ensure that the token is valid.
Check whether the AT is invalid and whether only the AT in the cache is obtained. If the AT is invalid, clear the cache and obtain the AT again. Generally, use the token interface to obtain the application-level AT again.
For details about how to obtain the application level AT, see docs.
The token format is incorrect.
According to the docs:
App-level access token: Authorization: Basic Base64(APPAT:atvalue)
Example: The app-level access token is thisIsAppAtValue, then APPAT:atvalue is APPAT:thisIsAppAtValue.
Therefore, replace APPAT:atvalue in Base64(APPAT:atvalue) with "APPAT:thisIsAppAtValue" to generate value QVBQQVQ6dGhpc0lzQXBwQXRWYWx1ZQ==.
The value of Authorization in the request header is as follows: Basic QVBQQVQ6dGhpc0lzQXBwQXRWYWx1ZQ==
The site request is incorrect.
Switch to a proper site based on your location and try again.
China: https://subscr-drcn.iap.hicloud.com
Germany: https://subscr-dre.iap.hicloud.com
Singapore: https://subscr-dra.iap.hicloud.com
Russia: https://subscr-drru.iap.hicloud.com
Related
I'm learning about access tokens and refresh tokens. I understand...
An access token is an artifact that proves the user has been authorized to access a resource and allows a client application to perform specific actions on behalf of the user.
A refresh token is an artifact that lets a client application get new access tokens without having to ask the user to log in again.
I don't understand the following paragraph from this JWT book:
The key aspect of the separation between access and refresh tokens lies in the possibility of making access tokens easy to validate. An access token that carries a signature (such as a signed JWT) may be validated by the resource server on its own. There is no need to contact the authorization server for this purpose. Refresh tokens, on the other hand, require access to the authorization server.
The text is referring to the following image:
What exactly does "validate" mean here? How can the resource server validate the access token on its own? If the authorization server generates the access token, which it does in this case, isn't the authorization server required to validate the access token?
The only thing I can think of is that the resource server has a copy of the key used to sign the access token (see here). If so, doesn't that render the authorization server redundant?
JSON Web Tokens can be validated because, as you guess correctly, the resource server will have beforehand the public key of the private key that was used to sign that token. It means, that if someone in the middle tried to tamper the JWT, the validation will fail and the JWT should not be processed.
Also, the JWT contains fields as the expiration time that can be checked by the resource to understand if the token is still valid or not.
I am trying to validate my purchases(for now consumables). For this reason i am developing small server app. I found out this git package hms iap server demo
In DemoCofig script has need 2 variable
ClientId, ClientSecret. I getted from app gallery connect dashboard from Project Settings->App Information.
After pruchasing i am writing the console my purchase token which i getted InAppPurchaseData.PurchaseToken.
and i am requesting from my server to IAP Server. It always returning:
"{\"responseCode\":\"6\",\"responseMessage\":\"Token is expired or invalid\"}"
Purchasing job is working on SandBox(Test), I am trying to reach : https://orders-at-dre.iap.dbankcloud.com.
I am not clearly understand which token is expired or invalid ? Access Token or my purchase token ?
"{\"responseCode\":\"6\",\"responseMessage\":\"Token is expired or invalid\"}"
This interface prompts that the token is invalid or expired. Generally, the token is an AccessToken (the validity period is 1 hour, AT for short). The validity period of the purchaseToken is 30 days. (There is also a possibility of expiration, but it is much less likely than the former).
The possible causes are as follows:
The AT has expired. In this case, the AT needs to be obtained again (high probability).
API for Obtaining an App-Level Access Token
Invalid AT format (medium probability)
Ensure that the format of the request body is correct when the AT is used as the request body.
The authentication information is specified based on the request header. The details are as follows:
Authentication information is specified based on the request header:
App-level access token: Authorization: Basic Base64(APPAT:atvalue)
Example: The app-level access token is thisIsAppAtValue, then APPAT:atvalue is APPAT:thisIsAppAtValue.
Therefore, replace APPAT:atvalue in Base64(APPAT:atvalue) with "APPAT:thisIsAppAtValue" to generate value QVBQQVQ6dGhpc0lzQXBwQXRWYWx1ZQ==.
The value of Authorization in the request header is as follows: Basic QVBQQVQ6dGhpc0lzQXBwQXRWYWx1ZQ==
For details check this docs.
The purchaseToken does not match the appID (low probability).
Site request error (low probability)
You can also refer to this forum similar questions, but it is in Chinese, you can translate it.
I'm building a REST API using Elixir's Phoenix framework. In the API, I need to authenticate the user by phone number i.e., via sending an SMS OTP code. After authenticating the user, the Auth server sends the Access token and Refresh token to the client. The client(mobile app) stores those tokens locally and sends the Access token in the HTTP header as Authorization: Bearer <Access_Token> in every request to resource server. My actual question is, how do resource server validates the Access token that is received from the mobile app/client?
Does resource server needs to contact Auth server to validate the Access Token? That would a lot of overhead. Please help me understand RestFull API Authentication.
Thanks for taking the time to read my question.
It sounds like you have everything working up to validating the token. You are going to need the public key for the server that signed the token. It depends on what auth server you're working with on how you get that. In some cases you may be able to preload this key as a configuration setting on your backend. Otherwise you can probably get it via https request to the auth server. Most auth servers these days I expect to provide a JWKS api that you can use to get the keys you need. Then with the token and the public key you can use your elixir jwt library to validate that the token you have was signed by the server you trust, meaning the SMS code was validated, and you can proceed with whatever is needed in the backend to handle the request.
If you're using Joken for elixir you can review https://hexdocs.pm/joken_jwks/introduction.html and https://hexdocs.pm/joken/introduction.html for more information.
how do resource server validates the Access token that is received from the mobile app/client?
The same way a nightclub bouncer verifies your driving license as proof-of-age to let you in: by validating the authority and signatures, but it does not need to phone-up your DMV to verify that your license is real because it trusts the signatures (in this case, cryptographic signatures).
That said, some systems do use "reference tokens" which are short (say 32 bytes) of meaningless random data which are used as an unpredictable record identifier for some user-permissions record held by the authorization server. The resource-server will need to contact the auth server initially, but then it can simply cache the auth result itself for some time window.
In my REST API, user will log in with their username and password for the first time.
When they logged in successfully, we will response with the following format.
{
"token": "0c7f8b870675bc61d92baeef1e274c2d31343736393530373230",
"expire_on": "2016-11-19T18:05:20+0000",
"user_id": 30,
"user": {...}
}
On the subsequent to the REST API, we will just send token in the header to verify the user. token is 52 letters long.
Is it secure enough?
Should I send both token and user_id to verify to secure more?
It depends on how do you generate your token.
If someone can guess how they are generated then it can create a fake one.
If this is a random string that is saved on your server and for each request you check the existence in your server then you are safe.
The best current solution for stateless token is JWT. Take a look at https://jwt.io/
Did you implement your authentication layer? I would suggest having a look at the Oauth2 specification and you are interested in the section when the grant_type is password. If you follow it, it will be safe to return just the access token:
5.1. Successful Response
The authorization server issues an access token and optional
refresh token, and constructs the response by adding the following
parameters to the entity-body of the HTTP response with a 200 (OK)
status code:
access_token
REQUIRED. The access token issued by the authorization server.
token_type
REQUIRED. The type of the token issued as described in
Section 7.1. Value is case insensitive.
expires_in
RECOMMENDED. The lifetime in seconds of the access token. For
example, the value "3600" denotes that the access token will
expire in one hour from the time the response was generated.
If omitted, the authorization server SHOULD provide the
expiration time via other means or document the default value
.
I'm new to ReST and am implementing a ReSTful token authentication, trying to use Django-Rest-Framework JWT, in a mobile web app in the standard way
client sends credentials
server verifies and sends token and expiration date back. Deletes token from db
client calls refresh token when user makes request and token is about to expire
on client request, server verifies token signature
on expired token mobile app logs user out. Mobile app checks expiration not server
I decided to make the mobile app check the expiration date since I read that is ReSTFul, and the server checking it requires it to store tokens which is not ReSTful
I have a few security questions regarding the above implementation:
1) Doesn't obtaining one token give the attacker complete access to the user's login no matter how many token refreshes happen?
Even if it's over https, let's say by some means a token was retrieved by an attacker, i.e. ssl interceptor proxy.Obviously the mobile application won't allow them to login, but they can grab data by calling the api with the token through any HTTP client.
2) What is the purpose of having refreshing tokens in the first place if the server considers all of them as valid?
There seems to be no forward security in this.However, if the server stored the tokens and kept their expiration dates, a complete user compromise would be stopped, but not a per session compromise. Obviously with an SSL interceptor they could still compromise the user, but would need to catch every login. However that implementation is not ReSTful.
First of all, expired tokens are valid tokens, but you can check if token expired or not, before taken any action, and reject the ones expired. There are several things you can do to increase the security of your app:
You can add the hashed password inside token. Therefore if user lost his/her mobile, when password changed in another device, you can reject the tokens with old password hash.
This one is not totally restful, but not that bad as well: you can add a table called revokedTokens in db which keeps track of id of tokens (obviously you should add it to token) user revoked, if you receive request with that token later on, you can reject it until it expires. when it expires you can remove from the table, as expired tokens won't be a problem anyway.
You can add the device's host name when user logs in to the token, and compare it with the request's host name, to have additional layer of security for ssl interceptor attack. Yes, it's not total protection, but still a bit better, as attacker needs to change his/her host name in addition to sending the token from another device.
Hope this helps.