We have several microservices that communicate with each other and all these microservices use Oauth2 authorization to allow access to its API. The flow starts from the UI where we use the standard 'authorization_code' flow and finally get an access_token to invoke a specific API-1 service (Registered for client_id '123'). The UI then sends a request to the API-1 (client_id 123) and our API-1 now verifies the access token passed with auth server. Once it is valid this API now wants to communicate with another API (API-2) (Our internal microservice) which needs an access_token. We cannot re-use the same access_token as it is intended for a specific client. API-1 could use a token exchange to talk to API-2 but the developers of API-1 do not wan to do any token exchange. What are the options we have in this case?
Thanks
The typical solution is to let API1 contact your token service, using its access token and exchange it using the token exchange standard, for a new access token to access API2.
See OAuth 2.0 Token Exchange and check with your token provider for details.
Related
I have a SPA and a backend API service. The google user signs in to the SPA at which point I obtain their access token & id token.
The backend service uses google identity to authenticate users of it using the id token. However one of the the backend services features needs to request data from the google analytics API which requires the users access token.
In this senario do I send both the id token and access token to my back end service?
Yes, in this scenario you could send the access token to your backend service so that it can contact Google's API. In most cases, access tokens are used as bearer tokens, which means that any client in possession of that token can use it to call the API. That's why you can pass a token issued to the SPA to a backend service and still be able to call Google's API.
At the same time, you should think of security implications. You should not send the access token to any services that you're not in control of. Meaning, you should not send the access token to service XYZ because that service needs it to call Google's API with a user's token if service XYZ is not under your control.
I'm learning about the OAuth /introspect endpoint as a means to validate an Access Token. I'm using Okta, which I think is relevant to the question.
I've read online that the /introspect endpoint is intended to be called by an OAuth Resource Server (for example, an OAuth Client would call a Resource Server, providing an Access Token, and the Resource Server would call the /introspect endpoint to make sure the token is valid).
However, the /introspect endpoint (at least with Okta) requires you to provide the OAuth Client credentials (either as a basic auth header, or in the case where there is no client secret, just a client_id request param).
So, how can the Resource Server call the /introspect endpoint when it doesn't have the OAuth Client ID and/or secret? This is making me wonder if the /introspect endpoint is meant to be called by the OAuth Client instead, which to me, doesn't seem as useful.
Please refer to this article. Resource server needs to be a registered client application at Okta and client credentials in /introspect refer to this client's.
Based on my understanding the introspection endpoint is meant to be called by an API resource.
This endpoint is used by the API resource in order to validate the bearer token provided with an incoming HTTP request issued by a client application.
Most of the times this happens when the provided bearer token is a reference token, so the API resource server needs to known whether the provided reference token is associated with a valid access token. This information must be asked to the secure token server via a call to the introspection endpoint.
You can find more information here in the identity server docs. Identity server is a .NET implementation of the openid connect protocol, which is based itsel on oauth2.
This is a documentation that shows you how to call the introspection endpoint programmatically. This documentation is specific for a .NET library called identity model, but this is not relavant for your question, because the library simply implements the protocol.
As you can see in the example of the linked documentation, the client id that you need to specify when you call the introspection endpoint is simply the name of the API resource. The client secret is the API resource secret that you have defined for your API resource.
So, the source of your confusion is simply a terminology overload. In the context of the call to the introspection endpoint both of the following equations hold true:
client id == API resource name
client secret == API resource secret
This docs confirm both of my assumptions.
If it helps here are a few resources of mine, to add to Enrico's answer:
API Setup - see step 6 - you have to register an OAuth Client for the API
API OAuth Messages - see steps 16, 17 and 19 for the three types of response your API needs to deal with
API Code - for an example implementation in NodeJS
So my understanding of OAuth2 from a mobile client is:
Mobile client redirects page to get user auth using client id
Resource holder responds back with an auth_code
auth_code is exchanged for an access_token and refresh_token
In the above, if you have a web service that is acting to support your mobile app, you permanently store the access_token and refresh_token, which will allow you to continue to access the user's data, provided they haven't revoked your permissions.
So the question I had was: should the auth_code be sent to the service, and exchanged there for the tokens? Or should the client exchange the auth_code, and send the resulting tokens to the service? Does it not matter, or is it perhaps different for different implementations? I'm assuming the client secret is only stored on the service, and my understanding is that is needed to exchange a refresh_token for a new access_token, but I wasn't sure about the auth_code.
The client secret is needed also when requesting the tokens using the authorization code.
The client can request the tokens directly or delegate that to the service - there is not a hard and fast rule saying you should do one or the other.
I'd say if the service is going to use the tokens probably delegating to the service makes most sense - so the tokens stay there. If the client is going to use the tokens both approaches are valid.
I'm trying to understand both OAuth 2.0 and OpenID Connect and i have an important question: How OpenID Connect Endpoints communicate with each other ?
Example : In case of an Authorization Code Flow, if The Authorization EndPoint gives an access_token to the Client, this one will send this token to UserInfo Endpoint to get User Information.
So the question here is, how UserInfo Endpoint can verify that the access_token issued bu the Client is the right one ? is there in ommunication between those two endpoints ?
Thanks for answering.
UserInfo Endpoint must be able to interpret access tokens issued from Authorization Endpoint or Token Endpoint.
In a simple implementation, all the endpoints are implemented on one server. In this case, UserInfo Endpoint can get information about access tokens easily only by referring to the same database table storing access tokens issued by Authorization Endpoint or Token Endpoint.
On the other hand, if Authorization Endpoint and Token Endpoint are implemented on an authorization server and UserInfo Endpoint is implemented on a resource server, the resource server must inquire of the authorization server to get information about access tokens. RFC 7662 (OAuth 2.0 Token Introspection) is the standard defining how to get information about an access token from an authorization server.
RFC 7662 is the standard for token introspection, but implementers of authorization/resource servers do not necessarily have strong motivation to support the specification. See "4. Introspect Access Token" if you are interested in why.
BTW, in Authorization Code Flow, an access token is issued not from Authorization Endpoint but from Token Endpoint. What is issued from Authorization Endpoint in the flow is an authorization code (not an access token).
Is it possible to exchange an OAuth2 access token (or OpenID Connect id_token) for a WS-* SAML token?
Here is our specific scenario that we would like to accomplish:
A user has been authenticated using an OpenID Connect endpoint and issued an id_token.
The same user has been authorized using an OAuth 2 endpoint and issued an access token.
A single-page application (SPA) requests data from a secured ASP.NET Web API and it sends the id_token and access token.
Here's the question/tricky part: We would like the ASP.NET Web API to fetch data from a WCF service that is secured using WS-*, so the WCF service requires a signed SAML token.
Is it possible to exchange the OpenID Connect id_token and/or the OAuth 2 access token for a SAML token that conforms to WS-* specifications?
We would like to use ADFS on Windows Server 2016, but we're also open to other secure token services (STS), such as Azure ADFS, etc.
It seems that you could implement access token exchange in your OAuth server as there is nothing in the spec strictly forbidding it.
OAuth doesn't make any explicit specifications for what shape your access token or refresh tokens are in. So you could use WS-* or whatever suits your client/RP needs.
You could use any of these types of tokens:
WS-Security tokens, especially SAML tokens
JWT tokens
Custom tokens
The id_token itself MUST be a JWT, however.