I'd like to invoke some code that requires the request object and the user when a token is revoked. It appears that Doorkeeper does not have the configuration to hook into the token revocation process. Perhaps, there's a better way to achieve this.
Thank You!
I ended up figuring this out. The code below will remove all the tokens for a particular resource owner.
Doorkeeper::AccessToken.where(resource_owner_id: "some-id").delete_all
Related
Ok, user authenticates and client gets the JWT from my IS4 instance. All that works. Now, for reasons I still cry at nights after being tormented by people who authoritatively claim to know OAuth but do not, the client is sending me the identity token JWT over the wire to an action, and I need to do some work based on the subject in it. I want to minimize the fallout of this decision and prevent a situation where someone plants me a fake token, so I want to validate the JWT to make sure it came from me, that indeed I am the one who issued it. To simplify, I need to act as both the client and the server in the token validation process, while running on the IS4.
Since this is such a violation of OAuth protocol, I am not sure this is supported out of the box, but here comes: is there a way to do this? I even tried to introspect the token, but that requires an authentication context, and I can't seem to get the client credential flow working since I only use openid/profile scopes and they are not supported by the client credential flow (since the user is defined only in JWT).
The receiver of a token should always validate the signature of the token to make sure it came from your IdentityServer. This is usually automatically done by most proper JWT-libraries. The library will download the public-key from your IdentityServer and use it to verify the signature of the token.
If you are using ASP.NET, then the JwtBearer library will do that for you.
I am new to using doorkeeper gem.I am using this gem to provide authentication to my rails app for API's. For every request we need access token to process that request. Is there any method or feature by which I can block that particular access token and prevent all the request from that token.
Please suggest and thanks in advance. :)
I think that a good approach would be to keep a blacklist with the access tokens that you want to ban, then you have to create a controller action that acts as a middleware before reaching doorkeeper and respond 401 errors in case it is a banned access token
I am working with Cloudfoundry UAA
I am not sure if it is possible in standard oauth2.
The situation is ->
User logs into the app
He receives an access_token and refresh_token
He can keep on acquiring new access_tokens which has original scopes
His access permission changes so new scopes are added for him
Now I need a new access token, without him to log in again.
Is it possible that I can use the same refresh_token and ask for access_token with modified scopes?
Thanks in advance!
In a word no. This would be a violation of the user's Trust.
And in case you have not heard, that is a bad thing.
There is an Internet Draft RFC OAuth 2.0 Incremental Authorization (put forth by Google)
There is some talk about it here.
We are implementing IdentityServer4 with MS.Identity for SSO, Authentication & Authorization using the Implicit Flow for our handful of SPAs and WebAPIs(we own all).
With Implicit Flow the Id_Token is where we place extra 'claims.' Spec here.
The access_token does not contain custom permission claims as per this.
The Implicit Flow Spec is here.
Question: What is the flow of granting and removing permissions?
How does the client know Permissions/Claims have changed without polling the User Info Endpoint?
How does the resource server know?
Revocation of Id_token is not spec. It seems the utility of claims in tokens knowing the permissions no longer applies with my understanding of OpenID Conenct.
Am I missing an obvious built in spec'd solution or do we implement some kind of re-issuance of Id_Token when when permissions have changed?
Thanks..
Tokens don't contain permissions. They contain identity data about the client & user.
https://leastprivilege.com/2016/12/16/identity-vs-permissions/
In light of Dominick's Answer.
I am going implement a Permission/Authorization Server and end point.
SPA and WebAPI clients can call it for permissions with Authentication. Now we can return any custom Permission Object we need.
In the access_token we will add a custom 'Permission ETAG' such that if a User's permissions change, each client knows to fetch the new permissions.
Constructive criticism welcome..
Is there any way to determine if an oauth token has been revoked besides actually making a function call? I am working with an Oauth provider that has a single function call that is time consuming and costs money. On my website, I'd like to be able to determine if my access token is valid withing making that call.
Thanks
Regrettably the OAuth specification does not provide a standard mechanism.
It would perhaps be appropriate for the OAuth provider to give an additional method to indicate that the token is valid.
You will notice that the token is not valid anymore when you try to use it to access some protected resource.
Without making a separate call, the server would have to push token revocation notification to you which it probably doesn't do.
Other than that, the server should provide you an expires_in token validity in seconds when issuing the token, so you should be able to at least tell yourself when the token is about to expire.