I am able to generate an access token using client credential grant type
I am not sure how I can use this token in another API where an authorization code is required to get a response.
I am a newbie for OAuth 2 and completely blocked now. I am not sure do I need to generate an authorization code for my second API again or can I use token generated using client credential grant type
Related
I have a back-end processor, (imagine a chron job once a day generating reports), that needs to integrate with a third-party system. Their APIs only support the "Authorization code" grant type. The problem is I can't even fill out a request for a token as I don't have a redirect_uri (no website), and I definitely don't have a user of any kind. I'll just have the OAuth clientId and secret I provisioned via their developer portal, (Mashery), for my back-end report processor app.
I want to use the "Client credentials" grant type/flow since I'm just a back-end service.
Is there any way to fake this or hack it so my little back-end service can somehow work with authorization code flow?
Thanks in advance
No, there is no way to hack it. Client credentials only authenticate the client. A token issued for client credentials have no information about the user. If their API needs information about the user (you probably get information only about your user), then you need to have a token issued with Code Flow.
What you can do is to generate the OAuth token yourself. E.g. you can use oauth.tools to perform a Code Flow with their Authorization Server, or you can perform the flow from browser with a dummy redirect URI (e.g. http://localhost), the get the code returned from authorization request and perform a token request from curl.
Once you have an access and refresh token you can hard code them in your script (or read them from an env variable or file, etc). You can then call the API as long as the access token is valid, and use refresh token to get a new access token when it expires. You will not have to perform a new Code Flow for as long as the refresh token is valid.
I'm trying to secure my endpoint using open Id connect. Currently there is only a mobile app client. With Google as the Identity provider, I have Id_token and access_token.
My question is can I use this access token returned as a part of authentication to authorize user to access my endpoint?
If yes, Is there a way to validate the access token within my server?
Or Should I create an access token for the user and store the same, so that when the user requests, I will check in the DB/Redis ?
OpenID connect is an Authentication layer on top of the "Authorization" framework OAuth 2.0. So the Access Token is the "Authorization" for the OAuth Client to access the resource.
Perhaps this post may help.
As #jwilleke mentioned, OAuth2.0 doesn't specify a way in which an access token can be validated with Authorization server.
Hence the approach that I took was to verify the JWT Id token by checking the signature of it and storing the access token returned along with it.
I have configured my client to use Hybrid flow with a grant type of password and offline. The user is able to generate an access token and the response does include a refresh token.
My question is I do not see documentation on how to use the refresh token for non .Net environments. Specifically I am curious if any body has a sample refresh flow in another language or Postman that shows which endpoints to hit and what the request needs to look like when the user requests a new token via the refresh token.
Thanks in advance,
G
This is documented at http://docs.identityserver.io/en/latest/endpoints/token.html
The token endpoint can be used to programmatically request tokens. It supports the password, authorization_code, client_credentials and refresh_token grant types). Furthermore the token endpoint can be extended to support extension grant types.
Example
POST /connect/token client_id=client1&client_secret=secret& grant_type=refresh_token&refresh_token=hdh922&redirect_uri=https://myapp.com/callback
I have an Asp.NET Web Api v2 setup where I use OAuth (v2) authentication and JSON Web Tokens (JWT). If a user wants access to an endpoint they need to provide the bearer token in the Authorization header. Users need to submit a username and password and if validated they are given an access token (JWT format) that they can then present in the Authorization header. As long as the JWT contains the role accepted by the endpoint all works well.
Now I would like an automated service (another API from another developer) to access one of my endpoints. How do I go about manually generating an access token that has a long expiration date and they can use to access my endpoint without having to submit a username/password. I would like to make it as simple as possible for the outside API to access my API so I just want to be able to hand them a JWT token that they can place in their code.
I am new to OAuth and was wondering why authorization code is required?
Why authorization does not send access token or refresh token in callback response.
why not directly access token?
The Authorization Code grant uses the short-lived one-time code so that it can be exchanged for the real token (which is longer-lived and multiple-use) in a backchannel call that is more secure and can leverage credentials to authenticate the Client towards the Authorization Server.
The Implicit grant type returns the access token directly in the authorization response. It is considered to be more insecure because it is easier to attack (using crafted redirects etc.) and because there's no way to keep a client credentials secret.