I am using a custom grant on IdentityServer3 to allow for Windows Authentication to flow through from WinForm and WPF apps. I based my code on WindowsAuthentication plug in for IdSrv .
What I'm trying to figure out is how can I get the custom grant flow to return the id token. I'm already getting the access token and the refresh token.
I'm looking to the id token, so I can log the user out, once they are done using the applications.
Thanks
-marc
Token endpoint will only give you id_token when exchanging the authorization code obtained by using AuthorizationCode flow client throuh OpenID Connect Authorize endpoint. More info in the spec here http://openid.net/specs/openid-connect-core-1_0.html#TokenRequest
Related
I'm trying to build JWT Grant flow in authentication using Docusign APIs.
I usually get "invalid_grant" or "invalid_request" errors.
The redirect uri is returned with a code parameter and a jwt token.
What I understood, is I need to create a JWT at my server to further utilise that for authentication, and the structure of this JWT does not utilise that code parameter either.
I need to use the User:lists API to get the GUUID of the user who just gave my server consent using the email address.
And then use that GUUID for creating our JWT, which will now work?
But in all this we are not using the JWT returned in the code parameter.
Why it is there it is confusing?
When using the JWT grant auth method, you will be ignoring the code that is returned in your callback URL after user grants the permissions.
I understand that may be confusing but think of that step as "User granting permission to required scopes". If you were using the auth code grant flow, you'd be using the code returned to your callback URL to complete the auth and get the access token.
However, in the case of JWT grant you will ignore that code and you will create a signed payload to get a token as described here: https://developers.docusign.com/platform/auth/jwt/
I'm using Cognito's federated sign in with Sign In With Apple. I have an API Gateway route using a JWT Authorizer through appleid.apple.com From the iOS app, if I pass the identity token to this API Gateway route and it appears to work.
After 10 mins, the Apple identity token expires as expected. Do I have to manually verify a user and fetch a refresh token or does Cognito offer an endpoint to do this for me and return a refresh token?
There is not an ALLOW_REFRESH_TOKEN_AUTH option available.
Cognito offers a refresh token endpoint. When you set up the app client for your userpool in Auth Flows Configuration, the option "ALLOW_REFRESH_TOKEN_AUTH" is already selected by default, then click "save app client changes"
AWS Support said "If you are using Authorization Code grant then refresh token will be generated once the flow is completed. The Authorization code grant flow initiates a code grant flow, which provides an authorization code as the response. This code can be exchanged for access tokens with the TOKEN Endpoint. Because the tokens are never exposed directly to an end user, they are less likely to become compromised." and referenced me here:
https://aws.amazon.com/blogs/mobile/understanding-amazon-cognito-user-pool-oauth-2-0-grants/
I need to be able to do the operations that keycloak do when using identity provider: login/logout/create account/link account, via api, not via html.
I am unable to find in your documentation how can i do these actions, all the documentation is based on html and a series of redirect, by using keycloak and its theme.
This is not compatible with a single page application, or ios/android native application.
Examples:
Get token and refresh token by using Identity Provider brokering (google/facebook), for existing/already linked accounts, when i already have the google/facebook token.
Required steps:
I get the google or facebook token, outside of keycloak.
I need to post this token into identity provider broker.
I need to receive from this response, the authorization and refresh tokens, just like i do a login with user/pass by using route ".../protocol/openid-connect/token"
Create a new account with the user received from Identity Provider, when i already have the google/facebook token.
Required steps:
I get the google or facebook token, outside of keycloak.
I need to post this token into identity provider broker.
I receive that there is no such user, and if i want to create the user.
I post that i want to create the new account.
I need to receive from this response, the authorization and refresh tokens, just like i do a login with user/pass by using route ".../protocol/openid-connect/token"
Link an existing account, with the google/facebook account received by Identity Provider.
Required steps:
I get the google or facebook token, outside of keycloak.
I need to post this token into identity provider broker.
I receive the information that the same account exist, and if i want to link the account.
I post that i want to link the account.
I need to receive from this response, the authorization and refresh tokens, just like i do a login with user/pass by using route ".../protocol/openid-connect/token"
I tried to do hacks and ajax calls, instead of html request, but in the end it does not resolve my problem, because i don't know what happened: it logged in? it created an account? it requires to link account?
I want to create an app that will authenticate with my server using oauth.
My question is how will this work?
My client side will communicate using HTTPS with Facebook and get an Access Token. Then it should send it to my server side to authenticate? My server should save the token in the db? How it can validate the token?
how will this work. ?
When the client needs authorization to access some information about the user, the browser (user agent) redirects the resource owner to the OAuth authorization server. There, the user is faced with an authentication dialog (this dialog is not shown if the user is already authenticated), after which he or she is presented an authorization dialog explaining the permissions that the client is requesting, the information that it needs to access or the actions that it needs to do on his or her behalf.
Access Token should send it to my server side to authenticate? or server should save the token in the db?
From what you describe I'd suggest to use a server-side login flow.
-so that the token is already on your server, and doesn't need to be passed from the client. If you're using non-encrypted connections, this could be a security risk.
(after a user successfully signs in, send the user's ID token to your server using HTTPS. Then, on the server, verify the integrity of the ID token and retrieve the user's ID from the sub claim of the ID token. You can use user IDs transmitted in this way to safely identity the currently signed-in user on the backend.)
-See
https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow/v2.2#login
How to validate token ?
you can follow this link , you will get your step by step solution for an app.
Facebook access token server-side validation for iPhone app
I am developing a rather simple application that retrieves files from SharePoint using the REST Office 365 API. This is a batch job running in the background with no user interface so the following simple 2-step flow is what I'm doing:
(1) Requesting an Access Token from Azure AD (supplying client ID, client secret, resource, and grant_type=client_credentials)
(2) Invoke the SharePoint API (https://{base url}/_api/v1.0/Files) using the "Authorization: Bearer " as a request header .
That process seems pretty straightforward and sounds simple but I keep getting the following error:
401 Unauthorized
x-ms-diagnostics: 3001000;reason="There has been an error authenticating the request.";category="invalid_client"
Any idea what the problem is and how this can be resolved ? I have been stuck on this for days now. I would REALLY appreciate somebody's help with this. Thanks.
SharePoint Online doesn't yet support clients accessing it using app-only tokens (resulting from client credential OAuth2 flow). It only supports delegated token aka user+app tokens (resulting from authorization code OAuth2 flow).
So, if you wish to write a client application (web app or native client app) that accesses SharePoint online - it can only be on behalf of a user, and it must involve interactive authentication of the user - after the user authenticates - they will be shown a consent page where they need to consent to your application accessing the O365 API on their behalf.
Only Mail/Calendar/Contacts APIs (Exchange Online) support clients accessing them using app-only tokens - and they have turned on this support very recently. Read about client credential flow tokens with Exchange Online APIs here: http://blogs.technet.com/b/ad/archive/2015/02/04/using-azure-ad-to-build-daemon-applications-that-call-office-365-apis.aspx, http://blogs.msdn.com/b/exchangedev/archive/2015/01/22/building-demon-or-service-apps-with-office-365-mail-calendar-and-contacts-apis-oauth2-client-credential-flow.aspx
Hope this helps.
ps: OAuth2 client credential flow doesn't issue a refresh token
You will need an access token for the specific resource you are trying to access - in this case your sharepoint site for the Office365 REST Apis.
A good read on this can be found here: https://msdn.microsoft.com/en-us/library/azure/dn645538.aspx
Assuming your {base_url} is a sharepoint site, i.e., 'https://[site_name]-my.sharepoint.com
You can either:
(1) Initially get the access and refresh tokens using your client credentials plus a resource = {base url}
or
(2) Once you have the access and refresh token from the Azure AD resource, make a refresh_token call using:
client_id
client_secret
grant_type = 'refresh_token'
resource = {base_url}
refresh_token = [refresh token received from Azure AD
generate token response]
In this case you'll have 2 access tokens:
one that can be used for Azure AD requests
one that can be used for Office365 REST Api requests.
We could not/have not found a way to have a single access token be 'valid' for more than 1 resource.
Hope this helps!