I need to understand why refresh token issued by AAD is not in JWT format( i used Auth Code grant type for generation of refresh token). It looks something like as follows 0.ATYAoWHs1YRqUk-OAYpDkwKjaYAEJhrbDpBNmWw7q0NZVas2APk....(rest of the token).
Also if we can get this refresh token in JWT format then how can we do that.
Thanks
Abhishek
It isn't in JWT format because it does not need to be.
A refresh token is data that you send to the identity provider to get new access tokens.
It should not have any other meaning for your application.
Store it securely and send it to AAD when you need new tokens.
Then take the new refresh token you get in the response and overwrite your previous refresh token with that.
The OAuth 2 RFC also talks about it https://www.rfc-editor.org/rfc/rfc6749#page-10:
A refresh token is a string representing the authorization granted to the client by the resource owner. The string is usually opaque to the client. The token denotes an identifier used to retrieve the authorization information. Unlike access tokens, refresh tokens are intended for use only with authorization servers and are never sent to resource servers.
I'm working on implementing OAuth 2.0 to a stack of apps I have to reduce the required login credentials. However I am struggeling in understanding the OpenID Connect on top of OAuth 2.0 and how I am supposed to verify the JWT token given. Should the public key be supplied inside the actual token so that the client can check the signature?
Also, correct me if I'm wrong, but I believe this token is never sent to the resource server, but acts as a "helping hand" for the client to serve correct output to the user based on information given in the token? If so, is there a set of standards on what type of information each JWT should contain?
A Identity Token is sent following a Successful Token Response which is typically a JWT.
The ID Token validation is described within Section 3.1.3.7. ID Token Validation.
For ID tokens secured with the RSA or EC signature (e.g. RS256), you need the IdP’s public JSON Web Key (JWK) set. It is published as a simple JSON document at an URL which is also advertised in the OpenID Provider’s metadata] in the jwks_uri parameter. You can check out Google’s JSON Web Key (JWK) to see what such as JWK set looks like.
For ID tokens secured with an HMAC (e.g. HS256) you use the client_secret to perform the validation.
I'm implementing OAuth 2.0 in my API. We're using JWTs for authentication, and refresh tokens for client-only reauthorization. Should I ask the client to also provide the userId in the body of POST /token so that they're required to know the user and the refresh token together (so you can't just try a bunch of random strings and see what works)? What's the standard?
Guessing a refresh token should not be possible if the spec is implemented correctly; https://www.rfc-editor.org/rfc/rfc6749#section-10.4 says:
The authorization server MUST ensure that refresh tokens cannot be
generated, modified, or guessed to produce valid refresh tokens by
unauthorized parties.
You must make sure that you generate refresh tokens with enough entropy so that the randomness of your refresh token would not become any different by adding the userid to it. Or to put it yet differently: guessing your refresh token would be just as hard as guessing userid+refresh token. Besides that, adding a user id in the POST would make it actually more predictable than adding a random string to the refresh token with the length of the userid.
According to RFC6750-The OAuth 2.0 Authorization Framework: Bearer Token Usage, the bearer token is:
A security token with the property that any party in possession of the token (a "bearer") can use the token in any way that any other party in possession of it can.
To me this definition is vague and I can't find any specification.
Suppose I am implementing an authorization provider, can I supply any kind of string for the bearer token?
Can it be a random string?
Does it have to be a base64 encoding of some attributes?
Should it be hashed?
And does the service provider need to query the authorization provider in order to validate this token?
Bearer Token
A security token with the property that any party in possession of
the token (a "bearer") can use the token in any way that any other
party in possession of it can. Using a bearer token does not
require a bearer to prove possession of cryptographic key material
(proof-of-possession).
The Bearer Token is created for you by the Authentication server. When a user authenticates your application (client) the authentication server then goes and generates for you a Token. Bearer Tokens are the predominant type of access token used with OAuth 2.0. A Bearer token basically says "Give the bearer of this token access".
The Bearer Token is normally some kind of opaque value created by the authentication server. It isn't random; it is created based upon the user giving you access and the client your application getting access.
In order to access an API for example you need to use an Access Token. Access tokens are short lived (around an hour). You use the bearer token to get a new Access token. To get an access token you send the Authentication server this bearer token along with your client id. This way the server knows that the application using the bearer token is the same application that the bearer token was created for. Example: I can't just take a bearer token created for your application and use it with my application it wont work because it wasn't generated for me.
Google Refresh token looks something like this: 1/mZ1edKKACtPAb7zGlwSzvs72PvhAbGmB8K1ZrGxpcNM
copied from comment: I don't think there are any restrictions on the bearer tokens you supply. Only thing I can think of is that its nice to allow more than one. For example a user can authenticate the application up to 30 times and the old bearer tokens will still work. oh and if one hasn't been used for say 6 months I would remove it from your system. It's your authentication server that will have to generate them and validate them so how it's formatted is up to you.
Update:
A Bearer Token is set in the Authorization header of every Inline Action HTTP Request. For example:
POST /rsvp?eventId=123 HTTP/1.1
Host: events-organizer.com
Authorization: Bearer AbCdEf123456
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/1.0 (KHTML, like Gecko; Gmail Actions)
rsvpStatus=YES
The string "AbCdEf123456" in the example above is the bearer authorization token. This is a cryptographic token produced by the authentication server. All bearer tokens sent with actions have the issue field, with the audience field specifying the sender domain as a URL of the form https://. For example, if the email is from noreply#example.com, the audience is https://example.com.
If using bearer tokens, verify that the request is coming from the authentication server and is intended for the the sender domain. If the token doesn't verify, the service should respond to the request with an HTTP response code 401 (Unauthorized).
Bearer Tokens are part of the OAuth V2 standard and widely adopted by many APIs.
As I read your question, I have tried without success to search on the Internet how Bearer tokens are encrypted or signed. I guess bearer tokens are not hashed (maybe partially, but not completely) because in that case, it will not be possible to decrypt it and retrieve users properties from it.
But your question seems to be trying to find answers on Bearer token functionality:
Suppose I am implementing an authorization provider, can I supply any
kind of string for the bearer token? Can it be a random string? Does
it has to be a base64 encoding of some attributes? Should it be
hashed?
So, I'll try to explain how Bearer tokens and Refresh tokens work:
When user requests to the server for a token sending user and password through SSL, the server returns two things: an Access token and a Refresh token.
An Access token is a Bearer token that you will have to add in all request headers to be authenticated as a concrete user.
Authorization: Bearer <access_token>
An Access token is an encrypted string with all User properties, Claims and Roles that you wish. (You can check that the size of a token increases if you add more roles or claims).
Once the Resource Server receives an access token, it will be able to decrypt it and read these user properties. This way, the user will be validated and granted along with all the application.
Access tokens have a short expiration (ie. 30 minutes).
If access tokens had a long expiration it would be a problem, because theoretically there is no possibility to revoke it. So imagine a user with a role="Admin" that changes to "User". If a user keeps the old token with role="Admin" he will be able to access till the token expiration with Admin rights.
That's why access tokens have a short expiration.
But, one issue comes in mind. If an access token has short expiration, we have to send every short period the user and password. Is this secure? No, it isn't. We should avoid it. That's when Refresh tokens appear to solve this problem.
Refresh tokens are stored in DB and will have long expiration (example: 1 month).
A user can get a new Access token (when it expires, every 30 minutes for example) using a refresh token, that the user had received in the first request for a token.
When an access token expires, the client must send a refresh token. If this refresh token exists in DB, the server will return to the client a new access token and another refresh token (and will replace the old refresh token by the new one).
In case a user Access token has been compromised, the refresh token of that user must be deleted from DB. This way the token will be valid only till the access token expires because when the hacker tries to get a new access token sending the refresh token, this action will be denied.
Bearer token is one or more repetition of alphabet, digit, "-" , "." , "_" , "~" , "+" , "/" followed by 0 or more "=".
RFC 6750 2.1. Authorization Request Header Field (Format is ABNF (Augmented BNF))
The syntax for Bearer credentials is as follows:
b64token = 1*( ALPHA / DIGIT /
"-" / "." / "_" / "~" / "+" / "/" ) *"="
credentials = "Bearer" 1*SP b64token
It looks like Base64 but according to Should the token in the header be base64 encoded?, it is not.
Digging a bit deeper in to "HTTP/1.1, part 7: Authentication"**,
however, I see that b64token is just an ABNF syntax definition
allowing for characters typically used in base64, base64url, etc.. So
the b64token doesn't define any encoding or decoding but rather just
defines what characters can be used in the part of the Authorization
header that will contain the access token.
This fully addresses the first 3 items in the OP question's list. So I'm extending this answer to address the 4th question, about whether the token must be validated, so #mon feel free to remove or edit:
The authorizer is responsible for accepting or rejecting the http request. If the authorizer says the token is valid, it's up to you to decide what this means:
Does the authorizer have a way of inspecting the URL, identifying the operation, and looking up some role-based access control database to see if it is allowed? If yes and the request comes through, the service can assume it is allowed, and does not need to verify.
Is the token an all-or-nothing, so if the token is correct, all operations are allowed? Then the service doesn't need to verify.
Does the token mean "this request is allowed, but here is the UUID for the role, you check whether the operation is allowed". Then it's up to the service to look up that role, and see if the operation is allowed.
References
RFC 5234 3.6. Variable Repetition: *Rule
RFC 2616 2.1 Augmented BNF
Please read the example in rfc6749 sec 7.1 first.
The bearer token is a type of access token, which does NOT require PoP(proof-of-possession) mechanism.
PoP means kind of multi-factor authentication to make access token more secure. ref
Proof-of-Possession refers to Cryptographic methods that mitigate the risk of Security Tokens being stolen and used by an attacker. In contrast to 'Bearer Tokens', where mere possession of the Security Token allows the attacker to use it, a PoP Security Token cannot be so easily used - the attacker MUST have both the token itself and access to some key associated with the token (which is why they are sometimes referred to 'Holder-of-Key' (HoK) tokens).
Maybe it's not the case, but I would say,
access token = payment methods
bearer token = cash
access token with PoP mechanism = credit card (signature or password will be verified, sometimes need to show your ID to match the name on the card)
BTW, there's a draft of "OAuth 2.0 Proof-of-Possession (PoP) Security Architecture" now.
A bearer token is like a currency note e.g 100$ bill . One can use the currency note without being asked any/many questions.
Bearer Token A security token with the property that any party in
possession of the token (a "bearer") can use the token in any way that
any other party in possession of it can. Using a bearer token does not
require a bearer to prove possession of cryptographic key material
(proof-of-possession).
The bearer token is a b64token string, with the requirement that if you have it, you can use it. There are no guarantees as to what the meaning of that string actually is in the specification beyond that. It is up to the implementation.
5.2. Threat Mitigation
This document does not specify the encoding or the contents of the
token; hence, detailed recommendations about the means of
guaranteeing token integrity protection are outside the scope of this
document. The token integrity protection MUST be sufficient to
prevent the token from being modified.
https://datatracker.ietf.org/doc/html/rfc6750#section-5.2
While the token could be random each time it is issued, the downside is the server side would need to keep track of the tokens data (e.g. expiration). A JSON Web Token (JWT) is often used as a bearer token, because the server can make decisions based on whats inside the token.
JWT:
https://jwt.io/
I've been trying to implement 'Sign in with Twitter', but I'm stuck at trying to work out how to get an OAuth token secret for the user.
The Twitter API docs (here) say:
To start a sign in flow, your application must obtain a request token by sending a signed message to POST oauth/request_token
...
The body of the response will contain the oauth_token, oauth_token_secret, and oauth_callback_confirmed parameters
And the docs for creating a signature (here) say:
The value which identifies the account your application is acting on behalf of is called the oauth token secret. This value can be obtained in several ways, all of which are described at Obtaining access tokens.
And the 'obtaining access tokens' page links back to here, completing the circle.
How can I obtain a token secret if I need a token secret to sign the request to obtain the token secret? What the heck?
From the docs on creating a signature:
Note that there are some flows, such as when obtaining a request token,
where the token secret is not yet known. In this case, the signing key
should consist of the percent encoded consumer secret followed by an
ampersand character '&'.
You received a consumer secret when you registered for an API key. This is what you want to sign with to obtain a request token.
I would highly recommend looking into using a library which implements at least the oauth basics such as signing if not a Twitter API library, assuming one is available for your language of choice.