Friends, any help is appreciated! I am using authorization code flow and using Apigee to generate access tokens. So, say when the same client ID(Mobile App) has 100 users who are authenticating via apigee and apigee authorizes the same client ID, but after authenticating the user's username/pwd with an IDP(say okta), does it maintain just 1 access token per the same client ID or does it create 100 access tokens, 1 access token per each user authenticated. I am confused as just authorization of client ID only takes place on apigee, how apigee can maintain the access tokens for each user? Can you please clarify for me? Thanks in advance, Bujji.
Related
I'm researching to use OIDC for SSO (Single Sign On).
I know OIDC flow always return id_token and access_token but I don't know why we need id_token?
As I know id_token used only by client application to get authenticated user information. Client application will decode and verify JWT then extract user information from it.
But because I have access_token, I can use it to get user information from endpoint /userinfo. So I dont't need id_token?
Please help me understand the right way to use id_token.
You are correct that you can get the user details using the access token from the /userinfo endpoint.
The ID-token represents details about the user and more important how the user authenticated (password, 2FA...). The lifetime of the Id-token is often very short (like a few minutes).
Just like how the specification describes it:
The ID Token is a security token that contains Claims about the Authentication of an End-User by an Authorization Server when using a Client, and potentially other requested Claims.
I'm trying to secure my endpoint using open Id connect. Currently there is only a mobile app client. With Google as the Identity provider, I have Id_token and access_token.
My question is can I use this access token returned as a part of authentication to authorize user to access my endpoint?
If yes, Is there a way to validate the access token within my server?
Or Should I create an access token for the user and store the same, so that when the user requests, I will check in the DB/Redis ?
OpenID connect is an Authentication layer on top of the "Authorization" framework OAuth 2.0. So the Access Token is the "Authorization" for the OAuth Client to access the resource.
Perhaps this post may help.
As #jwilleke mentioned, OAuth2.0 doesn't specify a way in which an access token can be validated with Authorization server.
Hence the approach that I took was to verify the JWT Id token by checking the signature of it and storing the access token returned along with it.
Is it possible to obtain an OAuth2 id_token for an Azure AD Service Principal?
I can go through the client_credentials flow against the /token endpoint, but that only yields an access_token. Is there a way for me to get an id_token as well, like I do for an interactive user?
No. You need to go through a flow which involves a service principal and a user.
Client credentials flow only involves the service principal, so the access token only contains its info. Id tokens are only given when there is a user context.
So, for an Id token, you need to use one of these flows:
Authorization Code
Implicit
Device code
On-Behalf-Of (API calling another API)
Resource Owner Password (though I don't recommend this one)
Ultimately, why do you need an Id token? The access token already contains who the calling app is. It should contain an appid claim, which is the client Id for the app.
Our Mobile Client App uses https://identityserver:port/oauth2/token service from Identity Server by passing the ClientID and ClientSecret with grant_type as “client_credentials” to generate the access token. The generated access token is used to invoke the API from ESB.
As per the implementation the ClientID and ClientSecret will be stored in the device.
For an example, ClientX requested for an Oauth Token which will have a certain expiry time. Can this token make as a unique for ClientX?
Currently all the upcoming client calls will get the same access token as its already generated from the request of ClientX. If a client is requesting a token very late it will get the same token with almost expiry time.
Is there a way to make this token unique for the Client?
In your case, if you use “client_credentials” as a grant type, resource owner is also the client.
Since this is a mobile application, once your mobile app gets the token it will be used until the expiry date and there will not be a necessity of changing it, because of mobile is belongs to a single user. Therefore the token would be same for same scope till it is expired.
Ex: BBC news mobile application.
If you need different access tokens, you need to use different scopes.
You will need different access token in case if different clients accessing the same API. In that case you may use “PASSWORD” grant type for a unique access token.
Ex: Purchasing a product using ebay.
So you should define your scope properly to identify the use of access token.
Find the following blog that will help you to guide to select your scope. [1]
[1] http://wso2.com/library/articles/2014/02/securing-your-web-service-with-oauth2-using-wso2-identity-server-1/
I will assume that mobile application instance is bound per user.
If you want to get different access tokens for every user bound to a session don't use client_credential grant type.
For example you have client-x and client-y both using client_credentials grant. Identity Server (Authorization Server) will give an access token for client-x and client-y since this is about authorizing client-x and client-y to access resource and not about authorizing a user. This means whatever user you have in client-x or client-y requesting access_token, they can get one (assuming they are authenticated).Vice versa, a user, even if authenticated both client and identity server cannot get an access token if the request comes from client-z (client-z is not registered in identity server)
If your Oauth 2.0 client is browser-based you can use implicit grant, if it is a server you can use either authorization grant or resource owner password credential.
I am using client credentials flow using Spring OAuth2. The DefaultAuthenticationKeyGenerator stores the access_token in memory for me. However if I run multiple client instances from different hosts and make the /oauth/token client_credentials grant request, I get the SAME access token. So all client instances with the same (client id and client secret) get the same access token. So I must be misunderstanding something fundamentally. Is there a way to have each instance of my client receive its own unique client credentials flow access token with it's own expiration period ? The reason I want this is so I can authenticate the client itself before a user account has been created. After the user account is created I can use the user resource password grant flow to get a user specific access_token.