Does IdentityServer4 feature resource isolation?
here's a plain explanation, taken from this article
Let’s assume you have the following resource design and that the client is allowed access to all scopes:
var resources = new[]
{
new ApiResource("urn:invoices")
{
Scopes = { "read", "write" }
},
new ApiResource("urn:products")
{
Scopes = { "read", "write" }
}
};
If the client would request a token for the read scope, the resulting access token would contain the audience of both the invoice and the products API and thus be accepted at both endpoints. Even if you ask for one resource, the returned token will include both
{
"aud": ["urn:invoice", "urn:products"],
"scope": "read",
"client_id": "client"
}
If the client in addition passes the resource parameter specifying the name of the resource where it wants to use the access token, the token engine can down-scope the resulting access token to the single resource, e.g.:
POST /token
grant_type=client_credentials&
client_id=client&
client_secret=...&
scope=read&
resource=urn:invoices
Thus resulting in an access token like this (some details omitted):
{
"aud": [ "urn:invoice" ],
"scope": "read",
"client_id": "client"
}
note urn:products is not part of the aud, because resource isolation was applied.
How can I achieve this isolation using IdentityServer4?
Related
I am using Oauth2+JWT+Spring security in one of my project. When i hit /outh/token using username/password i am receiving access token in the response with other details like
{
"access_token": <token>,
"token_type": <type>,
"refresh_token": <refresh-token>,
"expires_in":<secs>,
"scope": <scope>,
"jti": <value>
}
Is it possible to customize this response like
{
data: {
"access_token": <token>,
"token_type": <type>,
"refresh_token": <refresh-token>,
"expires_in":<secs>,
"scope": <scope>,
"jti": <value>
},
details:{
//extra information
}
}
I'm confused, don't know how to ask more clearly: "what is the additional data you want to send?". Just give an explicit sample.
I'll answer guessing that this data is related to the authorized entity (the user when answering within authorization-code flow and the client within client-credentials flow): non standard data should be set as private-claims, inside the JWT itself and on token introspection endpoint.
How to add such private claims depends on your authorization-server. For spring-security one, this is done with an OAuth2TokenCustomizer. For Keycloak, you have to provide a "mapper", etc.
The client which received a payload like the one you show, will only send the access-token when issuing requests to resource-server(s). It is important that this token holds all of the data needed for resources access decisions. Some claims are specified by OAuth2, OpenID defines some more standard claims, and you are free to put whatever additional data in private claims (within the limits of the maximum token size).
Also, if your client needs to read claims, it should use ID token, not access-token (request openid scope when initiating OAuth2 flow). Access-token should be interpreted by resource-server only.
I am using Keycloak as Authorization Server and setting up SPA (Public Client) that will be connecting to a REST service (Bearer-Only client / Resource Server).
As far as I understand, scopes are group of claims and claims are information about the subject (authenticated user). Scopes are passed at authentication step to the authorization server so that it will prompt the user to permit/deny access to those claims (user data / actions). In the case of third party client trying to access data from for example Facebook, scopes are permissions given by the user to the client to access user's data from Facebook. In case of Slack scope are used to allow / deny certain permissions for the third party client to perform operations on behalf of the user.
In my case where the resource server does not hold any user information but OAuth is used for authentication / authorization and will use the access token to get users group membership and possibly role to allow/deny access to the data on the resource server.
Correct me if I am wrong but scopes are used more for the user to allow third party client to access his/her information from OIDC provider, possibly get user information from the ID Token. On the other hand Roles / Groups that is set in the access token would be used to authorize the user to get data from the the resource server
For example here is the
Access Token:
{
"exp": 1612294865,
"iat": 1612294565,
"auth_time": 1612294524,
"jti": "e6c12a30-1b54-410a-81ba-ffe947dcebc9",
"iss": "http://localhost:8080/auth/realms/demo",
"aud": "rest-service",
"sub": "e49f2e27-4b47-492e-a714-2497d4f669f8",
"typ": "Bearer",
"azp": "js-console",
"nonce": "58faa6b8-a628-4b5a-8f0a-b33643812ef2",
"session_state": "2470b7b4-1587-43d5-8747-911b01398c3d",
"acr": "0",
"allowed-origins": [
"http://localhost:8000"
],
"resource_access": {
"rest-service": {
"roles": [
"user"
]
}
},
"scope": "openid email profile",
"email_verified": false,
"preferred_username": "test",
"group": [
"/my-group"
]
}
ID Token
{
"exp": 1612294865,
"iat": 1612294565,
"auth_time": 1612294524,
"jti": "c3242eb4-9047-4913-9ac6-be3b4e2b5745",
"iss": "http://localhost:8080/auth/realms/demo",
"aud": "js-console",
"sub": "e49f2e27-4b47-492e-a714-2497d4f669f8",
"typ": "ID",
"azp": "js-console",
"nonce": "58faa6b8-a628-4b5a-8f0a-b33643812ef2",
"session_state": "2470b7b4-1587-43d5-8747-911b01398c3d",
"at_hash": "5hOJUzWD9H2DOuYCEnc6fQ",
"acr": "0",
"email_verified": false,
"preferred_username": "test"
}
The audience(aud) for the ID token is set to the Client (js-console) and returns just some user information and really only needs openid scope. The access token aud is set to the rest service that will consume the access token and retrieve the roles and group information.
This is a different usage of OAuth which in this case the user doesn't need to consent to anything but will authenticate and use the access token to get information based on the group membership.
Is my understanding is correct?
Thanks!
I have done OAuth2.0 using PKCE flow in .NET Framework (C# Winforms).
Now I have tokens_response in my hand.
But I'm wondering is it possible to fetch all of the organisation (not only one)?
You can check the organisations (tenants) that you can access with a given token using the /connections endpoint, like this:
GET https://api.xero.com/connections
Authorization: "Bearer " + access_token
Content-Type: application/json
Response:
[
{
"id": "e1eede29-f875-4a5d-8470-17f6a29a88b1",
"authEventId": "d99ecdfe-391d-43d2-b834-17636ba90e8d",
"tenantId": "70784a63-d24b-46a9-a4db-0e70a274b056",
"tenantType": "ORGANISATION",
"tenantName": "Maple Florist",
"createdDateUtc": "2019-07-09T23:40:30.1833130",
"updatedDateUtc": "2020-05-15T01:35:13.8491980"
},
{
"id": "32587c85-a9b3-4306-ac30-b416e8f2c841",
"authEventId": "d0ddcf81-f942-4f4d-b3c7-f98045204db4",
"tenantId": "e0da6937-de07-4a14-adee-37abfac298ce",
"tenantType": "ORGANISATION",
"tenantName": "Adam Demo Company (NZ)",
"createdDateUtc": "2020-03-23T02:24:22.2328510",
"updatedDateUtc": "2020-05-13T09:43:40.7689720"
}
]
If you need more information than the organisations' id and name, you'll need to call the /organisation endpoint individually for each.
The connections endpoint is described more in section 5 on this page of the docs: https://developer.xero.com/documentation/oauth2/auth-flow
In the manifest of my application registration I've configured to retrieve the given_name and family_name claims (through the UI, the resulting manifest looks like this):
"idToken": [
{
"name": "family_name",
"source": "user",
"essential": false,
"additionalProperties": []
},
{
"name": "given_name",
"source": "user",
"essential": false,
"additionalProperties": []
}
],
During the redirect I add the profile scope along with the given_name and family_name scopes, which results in the following error.
Message contains error: 'invalid_client', error_description: 'AADSTS650053: The application 'REDACTED' asked for scope 'given_name' that doesn't exist on the resource '00000003-0000-0000-c000-000000000000'. Contact the app vendor.
Any ideas? As I understand that is what is required to configure these optional claims on the v2.0 endpoint as described here: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims#v20-specific-optional-claims-set
You should only use the profile 'scope', which should result in you receiving the given_name and family_name 'claims'. That's standard behaviour for an Authorization Server, which will then either:
Return the name details directly in the id token
Or allow you to send an access token to the user info endpoint to get the name details
However, Azure v2 is very Microsoft specific, and user info lookup can be painful and involve sending a separate type of token to the Graph user info endpoint. Hopefully you won't have to deal with that and you will get the name details directly in the id token.
I had a scenario where my API (which only received an access token) needed to get user info, and I solved it via steps 14 - 18 of this write up, but it's a convoluted solution.
Once you configure optional claims for your application through the UI or application manifest. you need to provide profile Delegated permissions for the application.
I'm building a web app and using OAuth2 to authenticate. For testing purposes, I would like to test what happens when the access token expires and the refresh token is needed to re-authenticate. Since the salesforce oauth token does not contain an "expiry date" parameter, how would i forcefully expire the salesforce access token.
This is what is returned when a token is requested.
{
"oauth_token": {
"access_token": "<access token>",
"id": "https://login.salesforce.com/id/00DG0000000imtwMAA/005G0000001CFgeIAG",
"id_token": "<id token>",
"instance_url": "https://na47.salesforce.com",
"issued_at": "1522400000",
"refresh_token": "<refresh token>",
"scope": [
"refresh_token",
"full"
],
"signature": "<signature>",
"token_type": "Bearer"
}
}
If you want to do it manually, you can go to Setup > Security Controls > Session Management, then select the session from the list and remove it. Alternatively, if you need to do it programmatically, you could query and delete these records, which are stored in the AuthSession object.
Once you've done that, your access token will be expired, and attempts to use it will produce:
[ {
"message" : "Session expired or invalid",
"errorCode" : "INVALID_SESSION_ID"
} ]
Your refresh token will still be valid though, and you can use it to request a new access token.