Can we customize the access token? I have implemented an OAuth server using Laravel Passport and I need to differentiate my access token from other providers'. I need to make it start with a prefix (for example, the Amazon access token always starts with Atzr|...). please help!
Access tokens are created by the authorization server to which they belong. You as a developer have no control over what the access token contains or how it is created.
Unless of course you own the authorization server, in which case you would be able to control how the access token looks.
Answer
I need to make it start with a prefix (for example, the Amazon access token always starts with Atzr|...).
Sorry, only Amazon can do that. TBH I'm not sure why it matters to you how an access token looks.
Related
I am trying to understand how the OAuth protocol works. The book says that it involves two steps: when the end user first provides login information, the API provider returns an access code, and then another call is made to the API provider with the access code, and then we get the access token.
My question is: why can't the API provider return the access token when it returns the access code instead? Why does it return first the access code and then the access token?
Basically to keep the access token out of the user's browser, where it is at higher risk of getting stolen or lost.
The authorization code flow that you are describing was originally meant to get the token to a web application hosted on a server. The web application would get the auth code from the browser and would need a special secret to exchange that code for an access token. This flow also allowed the web application to obtain a refresh token it could use to get new access tokens without the user's interaction.
The implicit flow would return the access token directly to the browser. It is considered unsafe and is deprecated in OAuth 2.1.
There's an RFC about the implementation of OAuth here: https://www.rfc-editor.org/rfc/rfc6749#section-1.3
I am currently searching for a way to log in to the Twitch API using an already given id-token (OAuth or, even better, OIDC), with or without a NodeJS backend.
Background: I am using Firebase, connecting to various services next to the Twitch API such as YouTube (Google API), Twitter and co. I want to use my id-token for each service.
The official documentation doesn't say whether that is possible, or maybe I just couldn't find it.
Hopefully there is a solution that is just not yet documented.
I will struggle with the same problem using the other services as well.
Thanks a lot
You absolutely would need to create your own OAuth token as it is tied to the same Client-ID as the account that generates it.
https://dev.twitch.tv/console
Authentication has its own flow and endpoints with the way Kraken v5 and Helix work.
https://dev.twitch.tv/docs/authentication
With the latest changes to the API everything now requires both the Client-ID and OAuth before it will return the requested values.
https://discuss.dev.twitch.tv/t/requiring-oauth-for-helix-twitch-api-endpoints/23916
I'm not sure exactly what "id-token" is, but I'm going with "twitch-user-id and access-token".
If you have a valid access token, you have access to whatever scopes were defined when that token was generated; you can update the token with the refresh token if you need to.
You would need to supply the Client-ID of the application the token was generated for as well.
Unless "id-token" is meant for a different system.
I've been building and tinkering with Bearer tokens and OAuth/OAuth2 for a couple of years now. And I feel like I have it decently understood, but when I search for how to do what I want, I can't seem to find it.
General understanding: there's a server that GRANTS tokens (and validates/invalidates/refreshes tokens as well). And then there are servers (or apps) that utilize the token. I'm not doing anything with external API libraries, but we have several company sites and I want to create a single login server that grants access tokens.
So I would have 1 server to GRANT the tokens, and then a separate API server that uses that token to authorize a user to endpoints, and of course the front-end portion. But the issue I seem to run into is figuring out how to set up a server to USE the token. Everyone just seems to explain how to create the server that grants it. That's cool, and I know how to get a token from Google and use it. But I want to create a server that is granting authorization via access tokens.
So, my SPA app, let's say React, requests an access token from server A, which is an OAuth2 server. We're using the credentials flow since it's company/registered users logging in. If they are successful, they are granted an access and identity token. Cool. Store those on the front end. Then, I want to request my...appointments from server B, the website's API server. I pass said access token as a bearer token. Server B should be set up as an OAuth 2 server but only as a client server. If the scope and client of the access token (and the secret, of course) don't match the access token, the user is denied access to server B's endpoints. Server B doesn't NEED to validate the access token since it's aware of the secret used from Server A. It can validate it itself.
Is this correct or am I massively looking at OAuth2 wrong?
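The part the question says is never explained, a resource server (server B) that consumes a bearer token minted by a separate login server (server A), as an added example that is not part of the original post. It assumes the two servers share an HMAC secret, as the question describes, and that server A issues HS256-signed JWTs; the issuer and audience URLs, the `appointments:read` scope and the secret value are constructed placeholders. Everything is standard library, so it runs offline.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values. In a deployment the secret comes from configuration
# and the issuer/audience URLs are your real server A and server B.
SHARED_SECRET = b"constructed-demo-secret-shared-by-server-A-and-server-B"
ISSUER = "https://auth.example.test"     # hypothetical server A (token issuer)
AUDIENCE = "https://api.example.test"    # hypothetical server B (resource server)
ACCESS_TTL = 300                         # seconds; short-lived on purpose


class TokenError(Exception):
    """Raised by the resource server when a bearer token must be rejected."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, scope: str, secret: bytes, now: int) -> str:
    """Server A's job: mint an HS256-signed JWT access token for the logged-in user."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": subject,
              "scope": scope, "iat": now, "exp": now + ACCESS_TTL}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def validate_bearer(authorization_header: str, secret: bytes,
                    required_scope: str, now: int) -> dict:
    """Server B's job on every request: verify the token, then authorize by scope.
    Order matters: nothing inside the token is trusted before the signature checks out."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme != "Bearer" or not token:
        raise TokenError("missing bearer token")
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError):
        raise TokenError("malformed token")
    # Pin the algorithm: the verifier decides how to verify, never the token's own "alg".
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise TokenError("bad signature")
    claims = json.loads(b64url_decode(claims_b64))
    if claims.get("iss") != ISSUER:
        raise TokenError("wrong issuer")
    if claims.get("aud") != AUDIENCE:
        raise TokenError("token not meant for this API")
    if now >= claims.get("exp", 0):
        raise TokenError("token expired")
    if required_scope not in claims.get("scope", "").split():
        raise TokenError("insufficient scope")
    return claims


def decision(authorization_header: str, secret: bytes, required_scope: str, now: int) -> str:
    """HTTP-style outcome for an endpoint: 401 for an unusable token, 403 for a valid
    token that lacks the scope, 200 plus the subject otherwise."""
    try:
        claims = validate_bearer(authorization_header, secret, required_scope, now)
    except TokenError as err:
        status = 403 if str(err) == "insufficient scope" else 401
        return f"{status} {err}"
    return f"200 {claims['sub']}"


if __name__ == "__main__":
    now = int(time.time())
    token = issue_token("alice", "appointments:read", SHARED_SECRET, now)
    print(decision("Bearer " + token, SHARED_SECRET, "appointments:read", now))
    print(decision("Bearer " + token, SHARED_SECRET, "appointments:write", now))
```

Server B never talks to server A here: the signature, issuer, audience, expiry and scope are all checked locally, which is what "it can validate it itself" amounts to. The design choice to note is that with a shared HMAC secret, server B can also mint tokens, so every resource server becomes as sensitive as the login server; signing with an asymmetric key on server A and distributing only the public key avoids that.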
Watching this video, it details in OAuth2 that the client application first has to get the authorization grant from the Authorization server and then use that grant to get a token before being able to access the resource server. What purpose does the grant serve? Why not give the client the token right away after the user signs on with his/her username and password?
Because it is more secure, for some application types.
What you describe is the so-called authorization-code flow. It is normally used for "classical" web applications, where only the backend needs to access the resource server. The exchange of the authorization code for an access token happens on the backend, and the access token never leaves it. The exchange can be done only once, and in addition the client id and secret (stored on the backend) are necessary.
Single-page applications often use the implicit flow, where the access token is delivered to the frontend directly in the URL.
See more here:
IdentityServer Flows
EDIT: Q: "I still don't see how it is more secure given that you have to have the grant in order to get the token. Why need 2 things instead of just 1 thing to access the resource? If someone steals the token, they can access the resource anyway – stackjlei"
"Stealing" an access token will work independently of how your application acquires it. However, stealing an access token on the backend is much more difficult than on the frontend.
The authorization code is delivered to the backend also via the frontend, but the risk that someone intercepts and uses it is tiny:
It can be exchanged only once.
You need client-id and client-secret in order to exchange it. Client-secret is only available on the backend.
Normally, the authorization code will be exchanged by your backend for an access token immediately. So its lifetime is just several seconds. It does not matter if someone gets hold of a used authorization code afterwards.
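The three properties listed above (single use, exchange requires the client secret, short lifetime), and the "why a code first, then a token" question from the earlier thread, as an added example that is not part of any post here. It is a hypothetical minimal authorization server for a confidential web-app client; the client id, secret, redirect URI and user names are constructed. The revocation on replay follows the behaviour RFC 6749 section 4.1.2 recommends for a code that is presented twice.

```python
import hmac
import secrets

CODE_TTL = 60      # seconds; the code is exchanged immediately, so it may expire fast
ACCESS_TTL = 300   # seconds; access tokens stay short-lived


class AuthorizationServer:
    """Hypothetical minimal authorization server for the authorization-code flow.
    Clients are confidential: they keep a secret on their backend."""

    def __init__(self, clients: dict):
        # constructed registry: client_id -> {"secret": str, "redirect_uri": str}
        self._clients = clients
        self._codes = {}    # code -> (client_id, redirect_uri, user, issued_at)
        self._used = {}     # already-exchanged code -> access token it produced
        self._tokens = {}   # access token -> (user, expires_at)

    def issue_code(self, client_id: str, redirect_uri: str, user: str, now: int) -> str:
        """Front channel: after login the browser is redirected to redirect_uri?code=...
        The code on its own grants no API access."""
        client = self._clients.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise ValueError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(32)
        self._codes[code] = (client_id, redirect_uri, user, now)
        return code

    def exchange_code(self, code: str, client_id: str, client_secret: str,
                      redirect_uri: str, now: int):
        """Back channel: only the client's backend, which holds client_secret, can call this."""
        client = self._clients.get(client_id)
        if client is None or not hmac.compare_digest(client["secret"], client_secret):
            return None   # a leaked code is worthless without the secret
        if code in self._used:
            # Replay of a consumed code: revoke what it produced (RFC 6749 sect. 4.1.2).
            self._tokens.pop(self._used[code], None)
            return None
        entry = self._codes.pop(code, None)   # consumed now, even if the checks below fail
        if entry is None:
            return None
        code_client, code_redirect, user, issued_at = entry
        if code_client != client_id or code_redirect != redirect_uri:
            return None   # code bound to another client or redirect target
        if now - issued_at > CODE_TTL:
            return None   # too old: the exchange is expected within seconds
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (user, now + ACCESS_TTL)
        self._used[code] = token
        return token

    def introspect(self, token: str, now: int):
        """What a resource server would ask: whose token is this, if anyone's?"""
        entry = self._tokens.get(token)
        if entry is None or now >= entry[1]:
            return None
        return entry[0]
```

The code travels through the browser, the token never does: the browser only ever sees `issue_code`'s result, and turning it into anything useful needs `exchange_code`, which insists on the secret that lives only on the backend, burns the code on first use, and refuses it after `CODE_TTL` seconds.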
In your scenario there could be two servers, an Authorization and a Resource one.
It could be only one as well, but let's imagine this scenario.
The purpose of the Authorization Server is to issue short-lived access tokens to known clients. The clients identify themselves via their ClientID and ClientSecret.
The Authorization Server (AS) holds the list of clients and their secrets and first checks to make sure the passed values match its list. If they do, it issues a short-lived token.
Then the client can talk to the Resource Server (RS) while the token is valid. Once the token expires, a new one can be requested, or the expired one can be refreshed if that is allowed by the Authorization Server.
The whole point here is security. Normally, the access tokens are passed in the Authorization header of the request, and that request needs to be over HTTPS to make sure that the data can't be stolen. If, somehow, someone gets hold of an access token, they can only use it until it expires, hence why the short life of the tokens is actually very important. That's why you don't issue one token which never expires.
There are different types of OAuth. One type doesn't require the 'grant' authorization. It depends on who the user/application, the resource owner and the server API are.
This way, you - as a user - don't send the password to the application. The application will only use the grant token to gain access to your resources.
I think this tutorial is a pretty good thing if you want more details:
https://www.digitalocean.com/community/tutorials/an-introduction-to-oauth-2
A quick overview of the problem.
I have a client application that will use IDS to authorise access to a Google service on behalf of the end user.
However, the client application isn't itself responsible for talking to Google. There is a server app that does some magic with the user's data on his behalf.
Now, if I understand things correctly, the server app will use the access token supplied by the client app to talk to Google. What happens when that access token expires? As I understand it, the client application is expected to use the refresh token to ask for a new access token.
Is there an issue with the server using this refresh token to update the access token? What flow am I supposed to use to make this magic happen?
A server using a refresh token to get a new access token is a valid use case.
If you're working with OAuth you can use the Client Credentials or Resource Owner flows to use refresh tokens, otherwise for OpenID Connect you'll need to use Authorization Code or Hybrid.
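The server-side refresh the answer calls valid, as an added example that is not part of the original thread: a hypothetical backend service holds the refresh token it was handed and renews its access token when the old one is about to expire. It goes one step beyond the thread by rotating the refresh token on every use and revoking the whole chain when an already-rotated token is presented again, the usual defence when a refresh token may have been copied. The token endpoint is a constructed stand-in, not Google's or IdentityServer's; client id, secret and user names are placeholders.

```python
import hmac
import secrets

ACCESS_TTL = 300     # seconds
REFRESH_EARLY = 30   # renew this many seconds before expiry so a request never races the clock


class TokenEndpoint:
    """Hypothetical authorization server token endpoint, refresh_token grant only.
    Each refresh rotates the refresh token; replaying a retired one revokes its family."""

    def __init__(self, client_id: str, client_secret: str):
        self._client_id, self._client_secret = client_id, client_secret
        self._live = {}        # current refresh token -> (user, family)
        self._retired = {}     # rotated-away refresh token -> family
        self._revoked = set()  # families killed by reuse detection

    def grant_initial(self, user: str) -> str:
        """Stand-in for the end of an authorization-code exchange: the first refresh token."""
        family = secrets.token_hex(8)
        refresh_token = secrets.token_urlsafe(32)
        self._live[refresh_token] = (user, family)
        return refresh_token

    def refresh(self, refresh_token: str, client_id: str, client_secret: str, now: int):
        if client_id != self._client_id or not hmac.compare_digest(client_secret, self._client_secret):
            return None
        if refresh_token in self._retired:
            self._revoked.add(self._retired[refresh_token])  # reuse: assume the token leaked
            return None
        entry = self._live.pop(refresh_token, None)
        if entry is None:
            return None
        user, family = entry
        if family in self._revoked:
            return None
        self._retired[refresh_token] = family
        new_refresh = secrets.token_urlsafe(32)
        self._live[new_refresh] = (user, family)
        return {"access_token": secrets.token_urlsafe(32), "expires_at": now + ACCESS_TTL,
                "refresh_token": new_refresh, "sub": user}


class BackendClient:
    """The server app from the question: calls the third-party API on the user's behalf
    and renews its own access token from the refresh token it was handed (hypothetical)."""

    def __init__(self, endpoint: TokenEndpoint, client_id: str, client_secret: str, refresh_token: str):
        self._endpoint, self._client_id, self._client_secret = endpoint, client_id, client_secret
        self._refresh_token = refresh_token   # long-lived credential: protect it at rest
        self._access_token, self._expires_at = None, 0

    def access_token_for(self, now: int):
        """Return a usable access token, refreshing when it is (about to be) expired.
        Returns None when the refresh is rejected: the user has to authorize again."""
        if self._access_token is None or now >= self._expires_at - REFRESH_EARLY:
            resp = self._endpoint.refresh(self._refresh_token, self._client_id,
                                          self._client_secret, now)
            if resp is None:
                self._access_token = None
                return None
            self._access_token, self._expires_at = resp["access_token"], resp["expires_at"]
            self._refresh_token = resp["refresh_token"]  # persist the rotated token; the old one is dead
        return self._access_token
```

The caveat for the question's split between a client app and a server app is visible in `BackendClient`: whichever component performs the refresh must be the one that stores the newest refresh token, because after rotation the copy the other component still holds is retired, and presenting it would revoke access for both.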