I am using service to service authentication, I get the access token in my daemon service using OAuth 2.0 Client Credential flow using following end point and use it to access Dynamics 365 Web API's
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
Now my daemon service wants to revoke or logout the token how can I achieve this. Please help me on this. What is the token revoke end point?
Related
I used Serverless to create API gateway endpoints + lambda functions. I want to secure API gateway endpoints using the access token oAuth. I am trying to provide credentials (sign up and sign in) in my iOS native app. Here are the facts I learned.
I want to secure my API gateway using OAuth and access token.
Because I have already created API gateway endpoints and lambda functions, Signup and Sign in using Amplify is not the best idea. I can't use Amplify's access token in the API gateway because in the Cognito user pool (under App Client Settings) I have selected Authorization Code grant (instead of implicit which is not that secure and client credentials are for the machine to machine) type OAuth flow.
I have in app Sign up and Sign in UI and don't want to use Hosted UI.
I want to authenticate and authorise users of my app.
My question is:- Can I use the Authorization code grant type without using Hosted UI or web browser? i.e. make a rest call with username and password and get the Authorization code. Once I get the Authorization code then make a call to the token endpoint to get the access token. Once I get the access token then call API gate with that access token. All of the above natively without using a browser or hosted UI.
Thank you very much in advance.
I have a SPA and a backend API service. The google user signs in to the SPA at which point I obtain their access token & id token.
The backend service uses google identity to authenticate users of it using the id token. However one of the the backend services features needs to request data from the google analytics API which requires the users access token.
In this senario do I send both the id token and access token to my back end service?
Yes, in this scenario you could send the access token to your backend service so that it can contact Google's API. In most cases, access tokens are used as bearer tokens, which means that any client in possession of that token can use it to call the API. That's why you can pass a token issued to the SPA to a backend service and still be able to call Google's API.
At the same time, you should think of security implications. You should not send the access token to any services that you're not in control of. Meaning, you should not send the access token to service XYZ because that service needs it to call Google's API with a user's token if service XYZ is not under your control.
We have an application hosted on AWS using Cognito Service, with Azure AD acting as the Identity provider. The solution works great with username and password, authenticating against the Cognito user pool.
We now need the above to work for service-to-service call scenario.
The unattended scheduled service will call another service (all hosted in AWS) but will need to authenticate with access token.
I was thinking of using client credential flow. But I could not find an approach which will work for the above scenario (i.e) client credential flow with Cognito using Azure AD as Identity provider.
When I go Azure AD Application Registration and view the endpoints, the oauth2/token endpoint shows up, but I have not figured out how this will work with Cognito.
Does any one know how to implement this?
In cognito if you use client credentials flow, there will not be any federated Identity provider involved. There will be no users so no need to use Azure AD to generate tokens. You will make the access request using Client Id and Client Secret and will be granted an access token that you can use.
https://aws.amazon.com/blogs/mobile/understanding-amazon-cognito-user-pool-oauth-2-0-grants/
I'm developing a set of microservices exposed as REST through WSO2 API manager.
Now, I'd like to call these services in Angular front end. What is the best way to handle user authentication and authorization?
I found it can be done through OAuth2 Password Grant as described here?
When user logs in, user credentials will be sent to specific WSO2 APIM endpoint (/token), it validates, generates the token and this token will be sent in header for subsequent calls.
Is this the best approach to this case?
Thanks in advance,
As mentioned in your question, https://apim.docs.wso2.com/en/next/learn/api-security/oauth2/grant-types/password-grant/
This method will only work when you have the resource owner's username and password.
Take an example, suppose you have published the APIs and created a user (resource owner) in the WSO2 store. this user is subscribed to the API using the application. the application will have a client id and secret, which will be used to generate the OAuth2.0 token. this token will be used to invoke the APIs.
Now in your angular project, one way is to hardcode the base64(clientid:clientsecret) and call the token API to generate the OAuth2.0 bearer token. use the generated token to call the APIs onboarded on WSO2. To protect your APIs from the attack, use rate limiting based on IP
Now take another situation, if you want the user to authenticate first, then generate the JWT token for that user using the password grant type (using actual user's username and password), and using that JWT generate the OAuth2.0 Bearer token which will be used to call the APIs.
Steps to be performed for the second situation:
during registration (from Angular), internally onboard the user in the WSO2 Identity Server. (There is a WSO2 API for the same)
After registration, generate the JWT token from the identity server by authenticating username and password. (Again for this, WSO2 API is there)
now using this JWT token, Generate the OAuth2.0 token from WSO2 APIM
use this token to call the APIs
The second approach is the ideal approach for user to service authentication and authorization using WSO2 as the gateway while the first approach mainly focuses on service to service authentication and authorization
Hope this answers your question
Reference Link: https://medium.com/wso2-learning/how-to-protect-your-apis-with-self-contained-access-token-jwt-using-wso2-api-manager-and-wso2-75673d8a4686
I'm successfully getting an access token to resource https://manage.office.com from https ://login.microsoftonline.com/MYTENANTID/oauth2/token using grant_type client_credentials with my client ID and client secret.
But I always get "Authorization has been denied for this request" back when I try to use that token with to start a subscription using https ://manage.office.com/api/v1.0/MYTENANTID/activity/feed/subscriptions/start?contentType=Audit.SharePoint
There is only one Tenant. My app is in the same tenant I'm trying to access.
Do I have to do the client certificate thing with the manifest or can I use the secret key? This is service to service. Or is it that I'm not getting an authorization code first? I didn't think I needed to do that since this scenario doesn't require content
Any help greatly appreciated.
Based on the test, I am also not able to call this rest via the token request with the client id and secret.
To use this API, you can generate a self-signed certificate. Detail step about use certificate to request the app-only token please refer here.