AzureAd get groups info when not in token - jwt

I few days ago I configured my AzureAd to get Id_Tokens for my app also with groupIds claims within the token.
Everything works fine, but if I add more than 5 groups to an user it fails because azure add the "hasgroups": "true" claims because token is to big to add it in the URL so I have to perform another request.
The point is that I am not be able to perform the request to then obtaining the groups. The token ID_TOKEN I have received is the following:
for the backend and front end azureAD filter this token is perfect and works fine
Then as it it said in the official Microsoft azure docs I have to perform another request to https://graph.microsoft.com/v1.0/users/{userID}/getMemberObjects
As you can see the aud claim is the same as my app client ID:
I am trying to perform the request with postman because I need it and this is the result
{
"error": {
"code": "InvalidAuthenticationToken",
"message": "Access token validation failure. Invalid audience.",
"innerError": {
"date": "2020-07-08T13:56:50",
"request-id": "6b2f3374-33e4-4a1a-9709-b8111cd2bc66"
}
}
}
As you can see the aud is not invalid because is the same as client_id
What am I doing wrong>? I have spent a lot of time dealing with that and I can't find the solution.
I have also tried with POST request and BODY
UPDATE
I found the problem, the problem was that I was using an id_token instead of a access_token. But for me ot would be ususer to be able to extract such information only by using id_token.
I still have a horrible inconvenience, because if you can only use access token I will have to change half the application because is only the front end which have access token and in backend I have aspects that were using id_token with the group information contained and did not need the access token at all .Now front end should have to add access token in every request header to be captured in backend to run son filters and aspects that are executed and require such information
Is it possible to get the same info but with id_token instead?

Instead of Get request use Post request for below query
Post https://graph.microsoft.com/v1.0/users/{userID}/getMemberObjects
{
"securityEnabledOnly": true
}
Please refer to this document
If you want to try with Graph explorer here is the link

Related

Retrieve email from token | #auth0/auth0-spa-js

I have been trying to upgrade to #auth0/auth0-spa-js from auth0-js, although I could not get my head around reading an email from a token which in turn was obtained from await useAuth0().getTokenSilently()
I use jwt.io to decrypt the token, and this is what I get in the payload:
{
"iss": "https://TENANT_NAME.auth0.com/",
"sub": "auth0|SOME_HASH",
"aud": [
"https://API_IDENTIFIER",
"https://TENANT_NAME.auth0.com/userinfo"
],
"iat": 1563699940,
"exp": 1563786340,
"azp": "SOME_OTHER_HASH",
"scope": "openid profile email"
}
When I was using auth0-js I could just add scope: "openid email" to new auth0.WebAuth({...}) and voilà – I had email and email_verified in the payload of the decrypted token.
I believe the 2 part series of tutorials were not able to answer my question, and retrieving the token from a hooked getTokenSilently() inside my Apollo configuration was also a challenge on its own. I like the redirect implementation for SPA, however. Please, can you suggest a proper way to include email and email_verified in the token's payload?
UPDATE
By reading this piece of documentation on api-tokens I understood the token I am getting from getTokenSilently() is called the access token. I have been using ID tokens in all of my requests' headers till this day, and that was probably a bad approach:
In the OIDC-conformant pipeline, ID Tokens should never be used as API tokens.
Also, the documentation says:
The token does not contain any information about the user except for the user ID (located in the sub claim).
In many cases, you may find it useful to retrieve additional user information. You can do this by calling the /userinfo API endpoint with the Access Token.
Which I did by following the shell example. I have sent the request with my access token and magically got an object containing the user's profile information from Auth0's Custom API.
We got close, what is an algorithm converting the "sub" into user profile residing inside Auth0's Custom API which I can implement for my backend written in ruby?
Yes, as you mention, ID tokens should not be used as API Tokens. They have a different usage (and you don't want your API Token to be too big, because you send it in each request's headers).
To get the user email, you can just fetch the UserProfile given in the ID Token. To achieve that, you just have to call getUser instead of getTokenSilently.
If you want more infos about the user, you have 2 ways to fetch user info:
You use the Auth0 Management API to fetch the user infos, based on the user id (in the sub claim of the ID Token) and using this API endpoint. In Ruby, you can just use a basic HTTP request.
You use a rule to always include specific fields in the ID Token. For example, you can include user_metadata and app_metadata in your ID Tokens. That way, you can use it without additional API call. To achieve that, you will need a specific Rule that will run when ID Tokens are generated (more general API doc).
An example rule that would add all user_metadata and app_metadata to the ID token would be:
function (user, context, callback) {
const namespace = 'your_url_namespace_just_for_cosmetic_but_required/';
context.idToken[namespace + 'user_metadata'] = user.user_metadata;
context.idToken[namespace + 'app_metadata'] = user.app_metadata;
callback(null, user, context);
}
And you will have the info in your ID Token for your frontend to use.
For the record, more rules examples on this hard-to-find page.

LinkedIn - Getting Access Token Error

All,
I am facing authentication issues that I see others have also complained about. Following official documentation I was able to get the client id and client secret but when I try to get Access Token I am getting this error:
{
"error": "invalid_request",
"error_description": "A required parameter \"client_id\" is missing"
}
I am using POSTMAN to get the access token. After getting the Access Token I intend to work with LinkedIn REST APIs with other software that could consume REST. I am not sure why I am getting this error, I wonder is it not possible to get the token from POSTMAN and have to use Python script?
Also, redirect_uri in step 2 is not a functional callback uri, it's an imaginary URL. Do I need a valid callback URL?
Since you are getting this error
{
"error": "invalid_request",
"error_description": "A required parameter \"client_id\" is missing"
}
This is giving a hint that you might need to change the Client Authentication drop-down value to Send client credential in body instead of Send as Basic auth header
This is because when client_id and client_secret are sent in the header, they are combined and converted to base64
Authorization: Basic base64($client_id + ':' $client_secret)
So, no separate client_id is ever sent. But if you choose to send the credentials in body then they are sent separately.
For more info, you can refer the offical RFC here https://www.rfc-editor.org/rfc/rfc6749#section-2.3.1
I solved this issue by adding keys/values in the Params.

Problems getting started--Http 403

I'm trying to access the SmartSheets REST API as described in the "Getting Started" documentation here: https://smartsheet-platform.github.io/api-docs/#getting-started and elsewhere. I generated an access token in the UI and, using Postman, tried a couple of simple GET requests cribbed from the documentation:
https://api.smartsheet.com/2.0/users/me
https://api.smartsheet.com/2.0/sheets
I set the Authorization and Content-Type headers as indicated. In both cases, I get Http 403-Forbidden errors with the message "You are not authorized to perform this action."
So how do I get authorized to perform these (or any other) actions?
You might want to verify that your access token value is correct. Also, when you set your Authorization header, are you including "Bearer " before your access token?
In Postman, it should look something like this:
Just a typo. I was including "Bearer" in the authorization header, but I had 2 spaces between "Bearer"and the token. You can only have one.

No auth function available for given request

I'm a newbie to access with DropBox's Api (See: https://www.dropbox.com/developers-v1/core/docs#oauth2-methods). Now there's a problem rocking me——
1) I get an access_token successfully.
2) I wanna see the user's detailled info by directly calling "https://api.dropboxapi.com/1/account/info". However the result is:
{"error_description": "No auth function available for given request", "error": "invalid_request"}
It seems that I should give the address something to make sure that I'm already authenticated. But how? I didn't see anything in Documents……? Any where?
Thanks
The API uses OAuth 2, so you'll want to attach an "Authorization" header with the value "Bearer ACCESSTOKEN", where ACCESSTOKEN is the access token you obtained through the OAuth process.

silhouette rest seed : how to use a social provider?

https://github.com/merle-/silhouette-rest-seed
I am trying to use this as I don't want to use the scala.html template files, and this seemed to do exactly what I wanted. I can CURL to create a user and get a token, but I don't know what to do with the redirects when trying to authenticate with a social provider, such as Facebook. There don't seem to be any instructions, either. Any help would be appreciated.
The readme gets you to the point where you have signed up a user and with the credentials POST retrieved the X-Auth-Token.
After a little debugging you will submit a POST request to the auth/link route to associate the user with the returned X-Auth-Token with a social provider as in:
http :9000/auth/link/facebook 'accessToken=xxxxx' X-Auth-Token:tokenfromearlier
Note the syntax of httpie is specific and must use = for json and : for headers. You obtain accessToken from here: https://developers.facebook.com/tools/access_token/
This will return the following JSON:
{
"message": "link with social completed!",
"status": "ok"
}
Not yet sure how to accomplish the next step which is to invoke the
/auth/signin/facebook POST route as this requires the ID of the provider and I am still figuring out the fb graph access approach.