Limited user's token scope on user password grant flow - oauth-2.0

I have a Keycloak instance with:
user1 / password1
user2 / password2
client / secret with Direct Access Grants Enabled and scopes: resourceA, resourceB
When I do a password grant flow like:
curl --location --request POST 'https://keycloak.instance/auth/realms/my-realm/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'client_id=client' \
--data-urlencode 'client_secret=secret' \
--data-urlencode 'username=user1' \
--data-urlencode 'password=password1'
I want to retrieve a token with the scope resourceA and NOT resourceB.
And when the same call is made using user2, I want ONLY the resourceB scope.
Is there a way to configure this rule in Keycloak to only have a token with an intersection of scope/role of the client and the granted user?
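The rule the question describes (a token may carry only the intersection of the client's scopes and the authenticating user's entitlements) can at least be checked on the consuming side by decoding the issued token's `scope` claim. The following is an added example, not part of the question and not Keycloak's own code: it builds a constructed, unsigned sample token with the same payload layout (`preferred_username`, space-separated `scope`) and reports any scopes the token carries beyond what the intersection rule would permit. The policy sets `CLIENT_SCOPES` and `USER_ALLOW` are assumptions modelled on the question's setup. It deliberately does no signature verification; a real deployment must validate the token against the realm's signing keys before trusting any claim.

```python
import base64
import json
from typing import Dict, Set


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_sample_token(username: str, scope: str) -> str:
    """Build a constructed, UNSIGNED sample token for offline testing only.
    A real Keycloak access token is signed (RS256 by default); this one just
    mimics the payload layout so the checks below have input to run on."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(
        json.dumps({"preferred_username": username, "scope": scope}).encode())
    return f"{header}.{payload}."


def token_claims(token: str) -> dict:
    """Decode the payload segment only. No signature verification happens here:
    use this to inspect what the server issued, never to make trust decisions."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three segments")
    return json.loads(_b64url_decode(parts[1]))


def granted_scopes(token: str) -> Set[str]:
    """Keycloak puts the granted scopes in the space-separated `scope` claim."""
    return set(token_claims(token).get("scope", "").split())


def expected_scopes(client_scopes: Set[str], user_scopes: Set[str]) -> Set[str]:
    """The rule the question asks for: only scopes that BOTH the client is
    allowed AND the authenticating user is entitled to."""
    return client_scopes & user_scopes


def excess_scopes(token: str, client_scopes: Set[str],
                  user_allow: Dict[str, Set[str]]) -> Set[str]:
    """Scopes present in the token beyond what the intersection rule permits
    for the user named in the token. An empty set means the token conforms;
    an unknown user is entitled to nothing, so all of its scopes are excess."""
    claims = token_claims(token)
    user = claims.get("preferred_username", "")
    allowed = expected_scopes(client_scopes, user_allow.get(user, set()))
    return set(claims.get("scope", "").split()) - allowed


# Constructed policy (assumption) mirroring the question's setup.
CLIENT_SCOPES = {"resourceA", "resourceB"}
USER_ALLOW = {"user1": {"resourceA"}, "user2": {"resourceB"}}

if __name__ == "__main__":
    # A token for user1 that was issued with both client scopes: resourceB is excess.
    tok = make_sample_token("user1", "resourceA resourceB")
    print(excess_scopes(tok, CLIENT_SCOPES, USER_ALLOW))  # {'resourceB'}
```

Run it against a real token by pasting the `access_token` string from the password-grant response into `excess_scopes`; a non-empty result is the symptom described in the question, and it tells you exactly which scopes the client's scope configuration is handing out regardless of the user.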

Migrate Authy TOTP to verify

We are trying to migrate the TOTP factor from Authy to Verify API in Twilio. We reference the following article for the same
https://www.twilio.com/docs/authy/export-totp-secret-seed-for-migrating-to-verify-totp#export-totp-secret-seed-of-a-user
From above URL, we were able to pinpoint how to extract the secret created in the Authy. But, we are unsure as to how a secret extracted from the Authy can be used to create a factor in the Verify API. Can you please tell us in detail how to achieve the same?
Since I don't know what programming language you're using, I'll use cURL commands and you can translate those HTTP requests into your language of choice.
First, you'll need to ask Twilio support to enable the migration tools for your Authy app. They will ask you for Authy app ID which you can find in the URL of the Twilio Console when you navigate to your Authy app.
Then you can use the export TOTP secret API that you linked earlier:
curl -i "https://api.authy.com/protected/json/users/$AUTHY_USER_ID/secret/export" \
-H "X-Authy-API-Key: $AUTHY_API_KEY"
$AUTHY_USER_ID is the individual Authy User ID for which you are trying to move their TOTP factor to the Verify service.
$AUTHY_API_KEY is the API key for your Authy App.
The output will look like this:
{"secret":"[REDACTED]","otp":"[REDACTED]","success":true}
The secret is what you need to create a Factor in the Verify service.
The otp is the one-time passcode, the same as what the user would see in their TOTP consumer app (Authy/Google Authenticator/etc.).
Now you can use the Verify API to create a new Factor:
curl -X POST "https://verify.twilio.com/v2/Services/$VERIFY_SERVICE_SID/Entities/$IDENTITY/Factors" \
--data-urlencode "Binding.Secret=$EXPORTED_AUTHY_SECRET" \
--data-urlencode "Config.Alg=sha1" \
--data-urlencode "Config.TimeStep=30" \
--data-urlencode "Config.CodeLength=6" \
--data-urlencode "Config.Skew=1" \
--data-urlencode "FriendlyName=John's Phone" \
--data-urlencode "FactorType=totp" \
-u $TWILIO_ACCOUNT_SID:$TWILIO_AUTH_TOKEN
$VERIFY_SERVICE_SID is the SID of your Verify Service.
$IDENTITY is a unique ID for your user, length between 8 and 64 characters, generated by your external system, such as your user's UUID, GUID, or SID. If the identity does not exist yet, it'll be created automatically as part of this API call.
$EXPORTED_AUTHY_SECRET is the secret that was returned by the Authy Export API earlier.
$TWILIO_ACCOUNT_SID is your Twilio Account SID.
$TWILIO_AUTH_TOKEN is your Twilio Auth Token.
This API call is documented here: https://www.twilio.com/docs/verify/quickstarts/totp#create-a-new-totp-factor
You can use the otp returned by the Authy Export API to verify the new Factor you created:
curl -X POST "https://verify.twilio.com/v2/Services/$VERIFY_SERVICE_SID/Entities/$IDENTITY/Factors/$FACTOR_SID" \
--data-urlencode "AuthPayload=$OTP_CODE" \
-u $TWILIO_ACCOUNT_SID:$TWILIO_AUTH_TOKEN
$FACTOR_SID is the SID of your newly created Factor.
$OTP_CODE is the otp code returned by the Authy Export API.
This API call is documented here: https://www.twilio.com/docs/verify/quickstarts/totp#verify-that-the-user-has-successfully-registered
That's it! If you want to verify your user's OTP code, you can create a challenge like this:
curl -X POST "https://verify.twilio.com/v2/Services/$VERIFY_SERVICE_SID/Entities/$IDENTITY/Challenges" \
--data-urlencode "AuthPayload=$OTP_CODE" \
--data-urlencode "FactorSid=$FACTOR_SID" \
-u $TWILIO_ACCOUNT_SID:$TWILIO_AUTH_TOKEN
$OTP_CODE is the otp code given to your application by your user.
This API call is documented here: https://www.twilio.com/docs/verify/quickstarts/totp#validate-a-token
When exporting from Authy API and creating new factors in Verify, you need to do this quickly so you can verify the new factor using the OTP code given from the Authy export. Here's how I did it for a single Authy user using a bash script:
#!/bin/bash
EXPORTED_RESPONSE=$(
curl -s "https://api.authy.com/protected/json/users/$AUTHY_USER_ID/secret/export" \
-H "X-Authy-API-Key: $AUTHY_API_KEY"
)
echo "$EXPORTED_RESPONSE"
EXPORTED_AUTHY_SECRET=$(echo -n "$EXPORTED_RESPONSE" | jq -r .secret)
OTP_CODE=$(echo -n "$EXPORTED_RESPONSE" | jq -r .otp)
IDENTITY=$(uuidgen)
NEW_FACTOR_RESPONSE=$(curl -s -X POST "https://verify.twilio.com/v2/Services/$VERIFY_SERVICE_SID/Entities/$IDENTITY/Factors" \
--data-urlencode "Binding.Secret=$EXPORTED_AUTHY_SECRET" \
--data-urlencode "Config.Alg=sha1" \
--data-urlencode "Config.TimeStep=30" \
--data-urlencode "Config.CodeLength=6" \
--data-urlencode "Config.Skew=1" \
--data-urlencode "FriendlyName=John's Phone" \
--data-urlencode "FactorType=totp" \
-u $TWILIO_ACCOUNT_SID:$TWILIO_AUTH_TOKEN)
echo "$NEW_FACTOR_RESPONSE"
FACTOR_SID=$(echo -n "$NEW_FACTOR_RESPONSE" | jq -r .sid)
VERIFY_FACTOR_RESPONSE=$(curl -s -X POST "https://verify.twilio.com/v2/Services/$VERIFY_SERVICE_SID/Entities/$IDENTITY/Factors/$FACTOR_SID" \
--data-urlencode "AuthPayload=$OTP_CODE" \
-u $TWILIO_ACCOUNT_SID:$TWILIO_AUTH_TOKEN)
echo "$VERIFY_FACTOR_RESPONSE"
The various environment variables that were described earlier should be set prior to executing this.
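The factor parameters in the answer (`Config.Alg=sha1`, `Config.TimeStep=30`, `Config.CodeLength=6`, `Config.Skew=1`) are exactly the inputs to RFC 6238 TOTP, and the advice to export and verify "quickly" follows from the skew: with one 30-second step of tolerance on each side, the `otp` returned by the export stays acceptable for roughly 90 seconds. The following is an added example, not code from the answer or from Twilio, that implements HOTP/TOTP with those parameters so you can confirm, before cutting a user over, that the exported secret and `otp` agree with your own computation. It assumes the exported secret is base32-encoded (the common authenticator format); `decode_base32_secret` and `migration_codes_match` are helper names introduced here, and the sample secret is the RFC 6238 test vector, not a real user's.

```python
import base64
import hashlib
import hmac
import struct

# Factor parameters mirroring the answer's Verify call:
# Config.Alg=sha1, Config.TimeStep=30, Config.CodeLength=6, Config.Skew=1.
TIME_STEP = 30
CODE_LENGTH = 6
SKEW = 1


def decode_base32_secret(secret: str) -> bytes:
    """Decode an authenticator secret given as base32 (assumption: the exported
    Authy secret uses this common encoding); tolerate spaces and missing padding."""
    cleaned = secret.replace(" ", "").strip().upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def hotp(secret: bytes, counter: int, digits: int = CODE_LENGTH) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then
    dynamic truncation to a 31-bit integer reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_unix: int, step: int = TIME_STEP,
         digits: int = CODE_LENGTH) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at_unix // step, digits)


def verify_totp(secret: bytes, code: str, at_unix: int, step: int = TIME_STEP,
                digits: int = CODE_LENGTH, skew: int = SKEW) -> bool:
    """Accept `code` if it matches the current step or any of `skew` steps on
    either side (skew=1, step=30 gives a ~90 s window). Comparison is
    constant-time and the loop never exits early, so timing does not reveal
    which step matched."""
    if len(code) != digits or not code.isdigit():
        return False
    counter = at_unix // step
    accepted = False
    for delta in range(-skew, skew + 1):
        if hmac.compare_digest(hotp(secret, counter + delta, digits), code):
            accepted = True
    return accepted


def migration_codes_match(secret_b32: str, exported_otp: str, at_unix: int) -> bool:
    """Pre-cutover check: with the factor's parameters, does our own TOTP
    computation accept the `otp` the export returned alongside the secret?"""
    return verify_totp(decode_base32_secret(secret_b32), exported_otp, at_unix)


if __name__ == "__main__":
    # Constructed sample: the RFC 6238 test secret "12345678901234567890" in base32.
    sample = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print(totp(decode_base32_secret(sample), 59))  # 287082 (RFC 6238 vector, 6 digits)
```

If `migration_codes_match` returns False for a real export at the current time, either the secret encoding differs from the assumption above or the factor parameters do not match the Authy app, and the Verify factor would fail verification too; that is worth knowing before the `Factors/$FACTOR_SID` call burns the export's one-time code.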

How to get a 2-legged token from Autodesk?

I need to get "Get a 2-Legged Token" verification for read-only access to upload files entered by other users, but I'm running into the following error:
{
"developerMessage": "The required parameter(s) client_id,client_secret,grant_type not present in the request",
"errorCode": "AUTH-008",
"more info": "https://forge.autodesk.com/en/docs/oauth/v2/developers_guide/error_handling/"
}
I followed exactly the example on the site changing just my "client id" and my "client secret":
https://forge.autodesk.com/en/docs/oauth/v1/tutorials/get-2-legged-token/
Can anybody help me?
The single quote is the wrong format in the curl header.
Try this format:
curl --location --request POST 'https://developer.api.autodesk.com/authentication/v1/authenticate' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'client_id=your_client_id_xxx' \
-d 'client_secret=your_client_secret_xxx' \
-d 'grant_type=client_credentials' \
-d 'scope=data:read'
It will return an access token.
I am using Postman for HTTP call.
It is more convenient

Google Drive API - Invalid Credentials

I want to use a scripted approach (probably via curl) to access some simple info from the Drive API, like creation date. Essentially I want to script what I can do in their web interface: https://developers.google.com/drive/api/v3/reference/files/list.
I have been using a curl command that they expose in a query at the above link:
curl \
'https://www.googleapis.com/drive/v3/files?corpora=user&q=createdTime%20%3E%20%272021-11-23T12%3A00%3A00%27&key=[YOUR_API_KEY]' \
--header 'Authorization: Bearer [YOUR_ACCESS_TOKEN]' \
--header 'Accept: application/json' \
--compressed
I have created an API key for this purpose (unrestricted for now). And used this app to generate an access token: https://accounts.google.com/o/oauth2/auth?scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive&redirect_uri=urn:ietf:wg:oauth:2.0:oob&response_type=code&client_id=735795831119-kcpkamhiaojavqrt67mti7thcaa6ce87.apps.googleusercontent.com
But I have spent hours chasing my tail over the 401 Invalid Credentials error. Any help on getting a more specific error message, or better way to do this seemingly simple query would be appreciated. Thanks!
The result of the link below is an Authorization code.
https://accounts.google.com/o/oauth2/auth?scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive&redirect_uri=urn:ietf:wg:oauth:2.0:oob&response_type=code&client_id=735795831119-kcpkamhiaojavqrt67mti7thcaa6ce87.apps.googleusercontent.com
You need to exchange it to https://accounts.google.com/o/oauth2/token to generate an Access Token:
curl \
--request POST \
--data "code=[Authentication code from authorization link]&client_id=[Application Client Id]&client_secret=[Application Client Secret]&redirect_uri=urn:ietf:wg:oauth:2.0:oob&grant_type=authorization_code" \
https://accounts.google.com/o/oauth2/token
The result of the curl above is something like this:
{
"access_token": "access token here",
"expires_in": 3599,
"refresh_token": "refresh token here",
"scope": "https://www.googleapis.com/auth/drive",
"token_type": "Bearer"
}
Now that you have the access token, you can paste it into the code below alongside your API key.
curl \
'https://www.googleapis.com/drive/v3/files?corpora=user&q=createdTime%20%3E%20%272021-11-23T12%3A00%3A00%27&key=[YOUR_API_KEY]' \
--header 'Authorization: Bearer [YOUR_ACCESS_TOKEN]' \
--header 'Accept: application/json' \
--compressed
Note:
Make sure you enable the Drive API in GCP
Application Client Id and Application Client Secret can be found after you created an OAuth 2.0 Client ID in GCP.
Reference:
DaImTo answer on How to connect to the Google Drive API using cURL.

Configure client_id as mandatory param for password grant type

What is the proper way to make client_id a mandatory param for password grant type?
Using this request, I want to make client_id a mandatory value and let the OAuth2 framework compare it with the result returned by the method loadClientByClientId:
curl --location --request POST 'http://localhost:8080/engine/oauth/token' \
--header 'Authorization: Basic YWRtaW46cXdlcnR5' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'username=admin' \
--data-urlencode 'password=qwerty' \
--data-urlencode 'client_id=some_value' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'scope=read_profile'
What is the best way to implement this?
You could try implementing a custom OAuth2RequestValidator with the method validateScope(TokenRequest tokenRequest, ...), which, from the docs,
Ensure that the client has requested a valid set of scopes.
and which has access to TokenRequest.getRequestParameters().
EDIT
See also the docs for the TokenEndpoint
Clients must be authenticated (...) to access this endpoint, and the client id is extracted from the authentication token. (...)

Keycloak 11.0.0 generating token scope parameter invalid

I'm in the process of updating Keycloak straight from version 6.0.1 to 11.0.0. The DB migration was successful and I was able to log in to the admin console; however, token generation seems to be broken. I'm sending the curl below to generate a token:
curl --location --request POST 'http://localhost:8480/auth/realms/test/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'username=testUser' \
--data-urlencode 'password=testPassword' \
--data-urlencode 'scope=testRole' \
--data-urlencode 'client_id=testService' \
--data-urlencode 'client_secret=testServiceSecret'
On sending the above request, Keycloak complains of Invalid Scopes: testRole; however, I've verified that the role and user role mappings are in place, and this used to work well with Keycloak 6.0.1.
Just as a side note, our clients are Full Scoped, so is that something that is causing the issue? Or has something else changed, or is there a way to ignore invalid scopes altogether while generating the token?