If I am logging in to some site using facebook/google account credentials - then what type of OAuth grant type is it? - facebook

If I am logging in to some site xyz.com using Facebook, Google or Twitter account credentials, then what type of OAuth grant type is it?
Because there are several grant types used by OAuth, I want to know which particular grant type is used in the above scenario.

Client Credentials Grant:-
This grant type is for apps that can request an access token and access resources on their own. These apps often use services that call APIs without users.
Client Credentials Grant Type Roles
The Client Credentials grant type uses the following roles:
Application: A client that makes protected requests using the authorization of the resource owner.
Authorization Server: The Single Sign-On server that issues access tokens to client apps after successfully authenticating the resource owner.
Resource Server: The server that hosts protected resources and accepts and responds to protected resource requests using access tokens. Apps access the server through APIs.
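As an added example (not part of the answer above, and not code from any real authorization server), the following shows what the Application role actually sends to the Authorization Server's token endpoint in the Client Credentials grant, and how it should validate the token response before calling the Resource Server. The endpoint URL, client id, secret and the sample response are constructed placeholders.

```python
import base64
import json
import time
from urllib.parse import quote, urlencode

# Assumed value for illustration only; use your authorization server's documented token endpoint.
TOKEN_ENDPOINT = "https://sso.example.com/oauth2/token"


def build_client_credentials_request(client_id, client_secret, scope=None):
    """Build the HTTP token request for the client credentials grant (RFC 6749 section 4.4).

    The client authenticates itself with HTTP Basic auth. RFC 6749 section 2.3.1 requires
    client_id and client_secret to be form-urlencoded *before* they are joined with ':' and
    base64-encoded; skipping that step breaks authentication whenever the secret contains
    characters such as ':' or '/'.
    """
    user = quote(client_id, safe="")
    pw = quote(client_secret, safe="")
    basic = base64.b64encode(f"{user}:{pw}".encode("ascii")).decode("ascii")
    form = {"grant_type": "client_credentials"}
    if scope:
        form["scope"] = scope
    return {
        "method": "POST",
        "url": TOKEN_ENDPOINT,
        "headers": {
            "Authorization": f"Basic {basic}",
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urlencode(form),
    }


def parse_token_response(body, now=None):
    """Validate a token endpoint response (RFC 6749 section 5.1) and return what the app needs.

    Rejects error responses and non-bearer token types instead of silently using them, and
    converts the relative expires_in into an absolute expiry so the caller can refresh in time.
    """
    now = time.time() if now is None else now
    data = json.loads(body)
    if "error" in data:
        raise ValueError(f"token request failed: {data['error']}")
    if data.get("token_type", "").lower() != "bearer":
        raise ValueError(f"unsupported token_type: {data.get('token_type')!r}")
    expires_in = int(data.get("expires_in", 0))
    return {
        "access_token": data["access_token"],
        "expires_at": now + expires_in,
        "scope": data.get("scope"),
    }


# Constructed sample response, not output captured from a real authorization server.
SAMPLE_RESPONSE = json.dumps({
    "access_token": "2YotnFZFEjr1zCsicMWpAA",
    "token_type": "Bearer",
    "expires_in": 3600,
    "scope": "inventory:read",
})


if __name__ == "__main__":
    req = build_client_credentials_request("svc-a", "s3cr/et:x", "inventory:read")
    print(req["headers"]["Authorization"])
    print(req["body"])
    print(parse_token_response(SAMPLE_RESPONSE, now=1_700_000_000))
```

Note that there is no redirect and no user anywhere in this exchange; the only thing the token endpoint authenticates is the client itself, which is what distinguishes this grant from the browser-based ones.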

Related

Spring Cloud Gateway token relay with Keycloak resource owner password credentials grant

Our application has its own login/signup and user management portal. We don't want to redirect the user to the Keycloak login page, due to which the authorization code grant flow is out of the picture. I am trying to find a way to use Spring Cloud Gateway's TokenRelay filter with the password grant.

Authorization code grant type for service to service communication

I have two services: Service A and Service B.
I have a central Identity Server that issues and validates tokens.
I need some of the resources of Service B to be accessed only by Service A.
How do I validate the audience, or how do I make sure that, for example, the client credentials token of Service A is valid when calling Service B, and tokens from other services are invalid?
Is it a bad practice, or are there any issues, in using the authorization code grant type for service-to-service authorization?
When you issue a token for client credentials, then the subject of that token should be Service A. It will either be in the sub claim of a JWT (if you use JWTs for access tokens), or you will be able to get that information from an introspection endpoint (if you use opaque access tokens). Service B can use that information to reject any request with a token whose subject is not Service A.
The authorization code grant type assumes there is a resource owner (a user) and a browser available. It looks like in your case it will be impossible to implement the authorization code flow, as you have two services talking directly to each other. Anyway, client credentials should be enough for your needs.

How does quarkus support basic authentication with keycloak as identity provider?

I want to secure a rest service with basic authentication. The credentials should be used to obtain an access token from a keycloak instance for that client and check the allowed roles on the service.
The Quarkus security architecture guide states that at least one installed extension that provides a username/password based IdentityProvider is required. It refers only to the JPA IdentityProvider and the JDBC IdentityProvider. But I want to authenticate against Keycloak.
I have successfully setup a web app and a rest service with quarkus-oidc. It authenticates the user and provides access to the rest service via access token.
I also used properties files with basic authentication successfully.
My keycloak myclient setup has Direct Access Grants Enabled with Access Type set to confidential.
My configuration in application.properties:
quarkus.oidc.enabled=true
quarkus.oidc.auth-server-url=http://localhost:8180/auth/realms/myrealm
quarkus.oidc.client-id=myclient
quarkus.oidc.credentials.secret=secret
quarkus.http.auth.basic=true
Is this a valid combination?
When I debug into HttpAuthenticator constructor the only mechanism found is OidcAuthenticationMechanism, I'd expect BasicAuthenticationMechanism to be present.

How to use Azure AD for authenticate users for third-party applications?

I haven't used AAD before, but I have to use it to authenticate users for my REST service.
I have a mobile client that can authenticate a user on AAD with OAuth2. As a result it has a bearer token.
The mobile client should pass this bearer token as a parameter in requests to the protected REST service.
The REST service is a Java-based application (Spring Boot) and it was registered in AAD as a Web application, but I cannot find a way for it to connect to AAD to check whether a token is valid or not.
I expected to have something like an /oauth2/check_token endpoint that takes a token value and returns user data, but I didn't find anything.
Is it possible to use AAD to authenticate users for third-party applications, and if yes, how?
The token issued by AAD is a signed JWT token. You do not need to communicate with AAD to verify the token is valid. If you trust the issuer (AAD) and the token is valid (correct audience, valid signature, not expired etc.), you accept the claims in the token.
See this article for the steps to validate the JWT token.
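The two answers above (Service B rejecting tokens whose subject is not Service A, and the REST service validating an AAD JWT locally by signature, audience and expiry) come down to the same resource-server check. Here it is as an added example, not code from either answer nor from AAD or any identity server. To stay dependency-free it mints and verifies HS256 tokens with a shared secret; AAD issues RS256 tokens, so there the signature step is an RSA check against the issuer's published JWKS keys, while the order and the rest of the claim checks are the same. Issuer, secret, service names and timestamps are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed values for illustration only (hypothetical issuer and a demo shared secret).
ISSUER = "https://idp.example.com"
SHARED_SECRET = b"demo-secret-shared-between-idp-and-service-b"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(subject, audience, lifetime=300, now=None):
    """Mint an HS256 JWT the way an identity server would for a client credentials grant:
    sub is the client that authenticated, aud is the API the token is intended for."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": ISSUER, "sub": subject, "aud": audience, "iat": now, "exp": now + lifetime}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(payload).encode())}"
    sig = hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token, expected_audience, allowed_subjects, now=None):
    """Resource-server side check. Returns the claims or raises ValueError.

    The signature is verified before any claim is read, so nothing in the token is trusted
    until it is known to come from the issuer. The algorithm is fixed by the verifier, never
    taken from the token header. Then issuer, expiry and audience are checked, and finally
    the subject allow-list that restricts the resource to Service A.
    """
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    expected = hmac.new(SHARED_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # defensive: the header must agree with the pinned algorithm
        raise ValueError("unexpected alg")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != ISSUER:
        raise ValueError("untrusted issuer")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if expected_audience not in aud_list:
        raise ValueError("token not intended for this service")
    if claims.get("sub") not in allowed_subjects:
        raise ValueError(f"subject {claims.get('sub')!r} not allowed")
    return claims


def demo(now=1_700_000_000):
    """Service B accepts Service A's token, rejects Service C's, and rejects a stale one."""
    good = issue_token("service-a", "service-b", now=now)
    wrong_sub = issue_token("service-c", "service-b", now=now)
    results = {"service-a": verify_token(good, "service-b", {"service-a"}, now=now)["sub"]}
    for name, tok, at in [("service-c", wrong_sub, now), ("expired", good, now + 600)]:
        try:
            verify_token(tok, "service-b", {"service-a"}, now=at)
            results[name] = "accepted"
        except ValueError as e:
            results[name] = str(e)
    return results


if __name__ == "__main__":
    print(demo())
```

The audience check is what answers the "how do I validate the audience" part of the question: a token the identity server issued for some other API carries a different aud and is refused even though its signature is perfectly valid.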

What does `endpoint` exactly mean in OAuth?

I saw the word "endpoint" many times in OAuth documents. However, I still don't know what this word really means. Does anyone have ideas about this?
The OAuth 2.0 Authorization Framework (RFC 6749, section 3) says:
The authorization process utilizes two authorization server endpoints (HTTP resources):
Authorization endpoint - used by the client to obtain authorization from the resource owner via user-agent redirection.
Token endpoint - used by the client to exchange an authorization grant for an access token, typically with client authentication.
It's basically the HTTP web address of the authentication server. It could probably be several server addresses, depending upon how it's worked. The first is for requesting access from the user; the second could be for granting access to the application. This probably depends upon how the authentication server is set up.
OAuth endpoints are the URLs you use to make OAuth authentication requests to the server. You need to use the correct OAuth endpoint when issuing authentication requests in your application. The primary OAuth endpoints depend upon the system you are trying to access.
Example: Google has two endpoints:
Request access of user:
https://accounts.google.com/o/oauth2
Exchange tokens
https://accounts.google.com/o/oauth2/token
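To make the two endpoints concrete, here is the redirect-based authorization code exchange they serve, which is the flow behind a "Log in with Google" button, as an added example (not code from the answer above or from Google). It uses the two Google URLs exactly as quoted in the answer; check your provider's documentation for its current endpoint paths. The client id, secret, redirect URI and callback URL are constructed placeholders, and the example adds the state and PKCE checks (RFC 7636) a practitioner should always include with this flow.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Endpoints as quoted in the answer above; other providers publish their own.
AUTHORIZATION_ENDPOINT = "https://accounts.google.com/o/oauth2"
TOKEN_ENDPOINT = "https://accounts.google.com/o/oauth2/token"


def make_pkce_pair():
    """Generate a PKCE code_verifier and its S256 code_challenge (RFC 7636)."""
    verifier = secrets.token_urlsafe(64)[:128]  # 43..128 unreserved characters allowed
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def pkce_challenge_matches(code_verifier, code_challenge):
    """Token-endpoint side of PKCE: S256(code_verifier) must equal the challenge sent in step 1."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    expected = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return hmac.compare_digest(expected, code_challenge)


def build_authorization_url(client_id, redirect_uri, scope, state, code_challenge):
    """Step 1: the URL the client redirects the user's browser to (the authorization endpoint)."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,                    # unguessable per-login value, checked on the way back
        "code_challenge": code_challenge,  # binds the code to the client instance holding the verifier
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZATION_ENDPOINT}?{urlencode(params)}"


def handle_redirect(callback_url, expected_state):
    """Step 2: parse the redirect back to redirect_uri; refuse mismatched state or error responses."""
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or mixed-up session")
    if "error" in qs:
        raise ValueError(f"authorization denied: {qs['error'][0]}")
    return qs["code"][0]


def build_token_request(code, client_id, client_secret, redirect_uri, code_verifier):
    """Step 3: back-channel POST to the token endpoint exchanging the code for tokens."""
    form = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,  # must match the value used in step 1
        "client_id": client_id,
        "client_secret": client_secret,
        "code_verifier": code_verifier,
    }
    return {
        "url": TOKEN_ENDPOINT,
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode(form),
    }


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(16)
    print(build_authorization_url("my-client-id", "https://app.example/cb", "openid email", state, challenge))
    # Constructed callback, as the browser would deliver it after the user consented.
    code = handle_redirect(f"https://app.example/cb?code=4%2FabcDEF&state={state}", state)
    print(build_token_request(code, "my-client-id", "my-secret", "https://app.example/cb", verifier)["body"])
```

Step 1 goes through the user's browser, step 3 goes server-to-server; that split is exactly why the specification needs two separate endpoints rather than one.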