I am using the OAuth2 hybrid flow to authenticate my application. The initial authentication goes perfectly for 100%.
When I request CodeIdTokenToken I am only getting the code, IdToken and Token (as I requested). But I also want the initial RefreshToken for later use.
What am I missing?
The client uses OWIN for MVC 5.2 and the server is a .NET CORE Identity Server 4 application.
As you can see. Everything is there at the end, except for the refresh token.
You need to enable refresh token support in the Client definition inside IdentityServer.
new Client()
{
AllowOfflineAccess = true,
...
Related
I am upgrading an older OAuth 1.0 TBA setup to OAuth 2.0 without the TBA.
I have on the Sandbox the Client Credentials Flow working. This setup will not work on the production, since the web users are not logged in on NetSuite or NetSuite clients. The refresh token currently expires every seven days, I canβt create a backend script that somehow opens a Session on NetSuite (with my credentials logging into NetSuite), redirects the URL, and gets a code parameter value so I can finally generate a new refresh token. That seems extreme and not secure.
Is there something I am missing on the whole token refresh?
That brings me to another question. NetSuite is a bit confusing to me. If I want to try out the OAuth 2.0 Client Credentials Flow, can I just create a new Integration application? Set up a new code base structure without crashing the one that I currently have working.
I'm having an Angular application that performs user authentication via Microsoft account. For this, I'm using the MSAL JS library which does work fine to authenticate the user. But we have the requirement where our backend server requires to call Microsoft Graph APIs. Now the issue is that the MSAL library returns access_token which has got a life span of 1 hour and so it can not be used once it is expired from our backend server.
So I'm looking for a way where I can get an authorization code, which can be exchanged from our back end server to get the access token and refresh token. And as we've got the refresh token as well, we can refresh the access token whenever it gets expired considering a refresh token is still valid.
I'm not sure if this is possible via the MSAL library or not, or if there is any other alternative available for SPA to support the case, I've described above.
It is possible with MSAL.js 2.0 which is a drop-in replacement for MSAL.js 1.x and supports the authorization code flow for Single page applications. With MSAL.js 2.0 you can use the authorization flow with PKCE and refresh tokens in the Microsoft identity platform to keep users signed in while third-party cookies are blocked.
Read more here:
https://learn.microsoft.com/en-us/azure/active-directory/develop/tutorial-v2-javascript-auth-code
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-implicit-grant-flow
https://learn.microsoft.com/en-us/azure/active-directory/develop/reference-third-party-cookies-spas
I have a desktop client application that uses Azure AD to authenticate users.
I wish to use the same authentication already provided by the user in the client application and pass the token to a new Blazor project. So if i pass the refresh_token as a queryparameter to my new web application can i use it to genreate new access tokens for that user without the need for them to re authenticate?
No, you cannot use a refresh token on a SPA application and Blazor is a SPA. Because there isn't secured way to store the refresh token on a browser.
However, you can renew the access token. Actually the access token is automatically renewed using the same mechanism oidc.js use (by using an iframe).
You must configure your client with the authorization code flow with PKCE (or implicit flow, but it's deprecated)
I have an ASP.net MVC web application that uses Microsoft's Owin middleware (Microsoft.Owin.Security.OpenIdConnect) to configure OpenID Connect authentication. My identity provider (Okta) is configured to support refresh tokens and I have confirmed that it is working. When signing in, my application receives an Access, ID and Refresh Token as expected. These tokens are validated and returned to the client in a cookie called ".AspNet.Cookies" (the default). On each request, the cookie and these tokens are parsed into a set of claims. Great so far. π
The Owin (Katana) middleware does not appear to do anything further with the Refresh Token, so I have implemented a token client to request a new Access Token from my IdP using the Refresh Token. This is working as expected. π
Two questions:
When and where should the application check to see if the Access Token is expired and request a new one?
After receiving new a access, id, and refresh token, how and where should the application update the user identity, claims and cookie?
OWIN COOKIE UPDATES
I believe the comment at the end of this post has the type of code you can write - I remember using similar code a few years back.
With OWIN you are using a server side stack secured by cookies so I'm not sure where access tokens are actually used, but maybe one of these is true?
The C# back end uses tokens to call an API
The Web UI downloads tokens from the web back end and makes Ajax calls to an API
PATTERN FOR HANDLING EXPIRED TOKENS
The only reliable pattern to handle expiry is to do this in the API client code:
When you get a 401 response from the API
Try to refresh the token and retry the API call with a new access token
If you can't refresh the token, redirect the user to sign in again
I always implement this with 2 classes, as in this SPA code of mine:
ApiClient - handles API calls
Authenticator - handles OAuth calls
If the Web UI is getting tokens from the web back end and then calling an API, your web back end could provide MVC operations similar to those in my authenticator class:
getAccessToken - get the current access token, though it may fail with a 401
refreshAccessToken - use this if a 401 is received and you need a new token
TOKEN EXPIRY TIMES
It is also possible to check token expiry times in the background - to reduce the number of client 401s. This is not a full solution however, since 401s can occur for other reasons in addition to expiry.
I am building an Angular SPA app and using Okta as an Idp. since its an SPA so I think I need to use Implicit flow. I have two queries here-
Since in Implicit flow a refresh token is not issued, does it means that th user will be logged out of the app after the token expires and he has to log in again?
Why do I need to use Implicit flow in case of SPA? why not Authorization code flow? since I have control over both the front end (SPA) and back end (REST API) . for example in case of Spring MVC architecture for the web app Authorization code flow is possible.
Thanks,
pchh
Yes, if the token expired, you have to re-autenticate. Normally you still have a valid session on the identity providers site, so you can do a "silent" login using an iframe. Libraries like oidc-client support a silent login, which can do this for you.
You need to use implicit (or hybrid) flow, when you need to access to the access token from your javascript app. With authorization code flow your javascript app doesn't get the access token, so if your API needs an access token for authorization, what are you going to send?
If your auth server supports OpenID Connect (OAuth2 extension) and single sign-on (SSO) feature, to get a new token before the old gets expired, use an iframe with a URL you used for authentication, but add prompt=none parameter (and possibly id_token_hint parameter). See OpenId Connect RFC. The prompt=none parameter tells the /auth endpoint to issue a new token(s) if the user has an open SSO session at your OAuth2 server. If not, the request will fail. There is a separate RFC for session management.
The Authorization code flow requires you to access the /token endpoint, which usually requires authentication (client ID + client secret) and you cannot keep the secret safe in a browser. For this reason, the token endpoint doesn't use to support CORS headers, so you cannot access it using XHR. Using the Auth code flow, you get a code as a redirect URL param (?code=), which gets to the server hosting your SPA (browser sends it there after redirect). The implicit flow returns tokens in hash part of the redirect URL (#access_token=), which stays in a browser (it's not sent to the server), so it's safer.