How prompt parameter is related to Grant Management? OAuth2 & OpenID Connect - oauth-2.0

There exists specification for OAuth2 extension called Grant Management. It's available here:
Grant Management for OAuth2 spec
Please look at 5.2 section of this document: Section 5.2 of Grant Management spec
We can use 3 values for grant management action in authorization request:
create
update (or merge)
replace
And I don't know how it's related to prompt parameter defined in OIDC spec.
E.g. when they say in spec that create action will create a fresh grant, then it means that authorization server have to create new grant if grant must be obtained (e.g. prompt="consent"), or it means that authorization server have to display consent screen and basing on this create a fresh user consent?
And what when prompt=none? Shall we ignore the grant_management_action or rather return an error when action is update or replace? After all, we can't obtain user consent when prompt=none.
Does Grant Management spec replace prompt parameter?

Related

Doorkeeper OAuth application table is necessary for authorization?

I'm trying to add the Doorkeeper plus devise with google and facebook user authorization on API!
I followed this post https://www.vic-l.com/jwt-with-refresh-token-using-devise-and-doorkeeper-without-authorization
And this:
https://naturaily.com/blog/api-authentication-devise-doorkeeper-setup
To start with, both remove the oauth_applications table.
I've done as the tutorials but I'm getting this response:
response_code: "doorkeeper.errors.messages.unsupported_grant_type",…}
response_code: "doorkeeper.errors.messages.unsupported_grant_type"
response_message: "The authorization grant type is not supported by the authorization server."
state: nul
So I would like to know if is necessary the oauth_applications table and set the clients to authorize.
Articles you've mentioned uses Resource Owner Password Flow, i.e they are authenticating the user via credentials to give an access to a resources with an access token. See the configuration option:
grant_flows %w[password]
In such case yeah, you don't need applications (clients which will interact with the API). But if you want to show an authorization window for your customers you should use Authorization Code Flow (from your response I see you're trying to invoke exactly this flow).

Authentication and Authorization using OAuth2/OpenID Connect

I understand the OAuth 2.0 spec. allows third-party applications to grant limited access to the application, either on behalf of a resource owner or by allowing the third-party application to obtain access on its own behalf.
I have a scenario, where I have an application and I need the user to get authenticated with some IAM provider. The roles and privileges are configured in the authorization server for each user. I can query the introspection point of the authorization server and based on the scope details, my application can decide the access to any resource for the user.
In this case, the user is not the resource owner. The types of resources the user can access is decided by my application, instead of the user allowing/denying the application to access resources.
Since the user is not the resource owner, can OAuth/OpenId Connect be used in this scenario ? Is it possible with WSO2 IAM?
I tried the playground sample which is available in WSO2. Once the user logs in, there is a window which asks "playground requests access to your profile information" and requesting the user to allow/deny. Can this be avoided, since in my case the user is not allowed to make any decisions ?
If not, what are the other options to authorize/limit access to resources which is decided by the authorization server/resource server, instead of user granting access ?
Thanks,
Albie Morken
In this case, the user is not the resource owner. The types of resources the user can access is decided by my application, instead of the user allowing/denying the application to access resources.
In your scenario, you are relying on tokens issued by authorisation server to access a protected resource. The protected resource is your application. And this application must have internal mechanisms to verify the tokens it receives to grant access.
Short answer to your question is - YES
You can use openID connect for this scenario. And you have two options to adopt,
1. Use access tokens with introspection end point
You can use access tokens to grant access to your application. The client should send the access token as a bearer token as described in RFC6750. When the application end point receives a request, this access token can be validated against introspection endpoint RFC7662
2. Use ID token
ID tokens too can be used as bearer tokens.ID token is a JWT (RFC7519) and is self contained. It contains validation mechanisms as described by OpenID connect spec which are self sufficient to allow grant. And also to you can check claims it contains to authorise the end user. More can be found from this link.
I tried the playground sample which is available in WSO2. Once the user logs in, there is a window which asks "playground requests access to your profile information" and requesting the user to allow/deny. Can this be avoided, since in my case the user is not allowed to make any decisions ?
Consent page can be disabled. According to spec. it can be done by configuring identity.xml as follow,
<SkipUserConsent>true</SkipUserConsent>
It is described in their documentation too.
Hope this helped.
p.s - WSO2IS contains inbuilt XACML engine. XACML is the standard for access control. You can fine more information from this link.

IdentityServer4 using Client Credentials Grant Type

We are setting up an Identity Server 4 instance and one of the GrantTypes we wish to use is the Client Credentials Grant Type.
Is there a way we can link Client Credentials up to a use an AspNetIdentity user so we can get the claims and users details back for the client credentials provided?
Thanks in Advance
The Client Credentials grant type does not represent a user, it represents an application, so you would not use AspNetIdentity with the client credentials grant type.
If you want to include user specific claims you need to look at one of the grant types which involves user authentication. Examples are available in the quickstarts here. I would advise looking first at the Resource Owner flow and then the OpenID Connect based flows.
The quickstarts also include an example of integration with ASP.Net Identity, that can be seen here

PingFederate OAuth 2.0 custom grant to get access / refresh token?

We are setting up a OAuth 2.0 via PingFederate in our organization. The scenario in question is as follows - We have a website in which the customer would be logging in using user name and password. There are are also links within the site to redirect the customer to a partner site. The partner site would be securely passed some basic information via SSO payload.
The partner site would also need to be able to call back to our Apis (call made in the background) to get additional information about our customer which they will then use to display on their site.
Our Api’s are currently setup to be accessed via access token which the consumers of the Api get by following the Authorization Grant flow.
In the partner redirect scenario we want partner site not go through the Authorization code flow when it makes the Api call because the customer would have already logged into our site to start with using their credentials but instead when we redirect to the partner site provide it securely (SSO payload) the access and refresh token which it can then use to make the Api calls ?.
Is there a grant type that I can invoke telling my authorization provider (PingFederate) that I trust the customer based on the information that he has already provided now give me access token and refresh token and then redirect using that information (None of the grant types that I am aware is able to support it - does Ping OAuth setup support a flow wherein I can say I trust this customer give me access and refresh token )?
It sounds like you'd be combining SAML and OAuth to meet your business need. While it's not defined as a standard grant type, one potential solution is to include an Access Token in the SAML Assertion attribute payload so the partner application can then make calls without going through additional redirects. PingFederate does offer the ability to do this by using OGNL to create an access token in the attribute contract fulfillment. An example of how to do this is in our SDK documentation: https://www.pingidentity.com/content/dam/developer/documentation/pingfederate/server-sdk/9.3/index.html?com/pingidentity/sdk/oauth20/AccessTokenIssuer.html
If you need more guidance on selecting the right OAuth grant type, we have information on our developer portal that covers this. Please refer to: https://www.pingidentity.com/content/developer/en/resources/oauth-2-0-developers-guide.html#get_token

oAuth2 Mobile App Grant

I'm building a native Mobile App that connects to a REST API.
I'm looking at this demo oAuth App to use as a guide for my Authentication/Authorisation layer.
When the user comes to the App for the first time I want to provide them with a username and password box.
After they hit submit I want to the App to be supplied with an access token, and a list of permissions (scopes?) that the user is permitted to perform.
I've read lots about the oAuth2 specification but am confused as to which flow to use.
I can't use the Resource Owner Password Credentials Grant because I can't trust the Native App with the Client Secret.
I don't want to use the Implicit Grant, as I don't want to present the user with a "Do you authorise this App?" web window.
I've looked into the JWT Bearer flow, and think it might be what I need as it doesn't require the Client ID/Secret. However I can't find any examples where this flow returns permissions (scopes?) that the user can perform.
Edit #1:
I am confused as to the use of Scope. The specification says-
The authorization server MAY fully or partially ignore the scope
requested by the client, based on the authorization server policy or
the resource owner's instructions. If the issued access token scope
is different from the one requested by the client, the authorization
server MUST include the "scope" response parameter to inform the
client of the actual scope granted.
If the client omits the scope parameter when requesting
authorization, the authorization server MUST either process the
request using a pre-defined default value or fail the request
indicating an invalid scope. The authorization server SHOULD
document its scope requirements and default value (if defined).
From that can my Client request a list of ALL Scopes, and then the Authorization Server give a Response with the ones the User actually has?
Thanks for your help, Tom.
You list two assumptions about OAuth 2.0 flows that are not true:
the Resource Owner Password Credentials Grant can be used with a public client i.e. a native app that doesn't have a client secret
usage of the Implicit Grant does does not imply that it requires explicit consent; that is to the discretion of the Authorization Server implementation; in an enterprise setting or a setting where the same party controls the client and the Authorization Server, that may be omitted
But since the Implicit grant comes with security considerations, for native apps it is typically better to use the Authorization Code grant.
Scopes are a way for the Client to request certain permissions. The Resource Owner can grant the Client permissions that relate to these scopes (explicitly or implicitly). Since the Client will change its behaviour based on what permissions it gets, it is assumed that there's some shared understanding between Client, Resource Server and Authorization Server about what Scopes related to. There's no predefined semantics in the OAuth 2.0 specification, it is up to the implementation.

Resources