List authorized resources in UMA 2.0 - oauth-2.0

I'm looking at UMA 2.0 for fine-grained authorization in my webapp. But UMA 2.0 requires a client to try accessing a resource hosted on a Resource Server, get back an HTTP 401 error and a ticket to use when asking the Authorization Service for an authorization token.
But this requires that the client knows which resources it wants to access or which resources exist on the Resource Server.
In my scenario I have something similar to a set of repositories on GitHub, and a user can be authorized for one or more of them. When the user logs in I would like to show him the repositories he has access to.
Is there any standard way to query the Resource Server/Authorization Server for the list of resources the user is entitled to access?
How does UMA 2.0 assume a client will discover existing resources it is authorized to access?

I was also looking into this. According to the documentation I found, you can list resources at the Resource Registration Endpoint (/resource_set):
Create a GET request to the UMA resource_set endpoint, including the PAT bearer token in an Authorization header.
Request:
curl \
--header "Authorization: Bearer 515d6551-6512-5279-98b6-c0ef3f03a723" \
--header "Accept-API-Version: resource=1.0" \
https://openam.example.com:8443/openam/uma/realms/root/resource_set
Response (a JSON array of resource ids):
[
"126615ba-b7fd-4660-b281-bae81aa45f7c0",
"3a2fe6d5-67c8-4a5a-83fb-09734f1dd5b10",
"8ed24623-fcb5-46b8-9a64-18ee1b9b7d5d0"
]
Some links about this topic:
https://backstage.forgerock.com/docs/am/7/uma-guide/managing-uma-resource-sets.html#to-list-uma-resource-sets
https://www.keycloak.org/docs/latest/authorization_services/#_service_protection_resources_api
https://docs.kantarainitiative.org/uma/wg/rec-oauth-uma-federated-authz-2.0.html#list-rreg
https://docs.gravitee.io/am/current/am_devguide_protocols_uma2_overview.html#resource_registration_endpoint
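The 401-plus-ticket exchange the question describes, written out for both sides as an added example (not code from the original post or from any of the linked products). The header layout follows the UMA 2.0 grant specification; the sample as_uri, realm and ticket are constructed, and the token endpoint is assumed to be as_uri + "/token" (in practice it comes from the server's uma2-configuration document).

```python
"""UMA 2.0 grant: the challenge a resource server returns with its 401 and the
RPT request a client builds from it. Added example; sample values constructed."""
import re
from typing import Dict, Optional, Tuple
from urllib.parse import urlencode

UMA_TICKET_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"
# RFC 7235 auth-param: token "=" ( token / quoted-string )
_AUTH_PARAM = re.compile(r'([A-Za-z_][\w-]*)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))')


def build_uma_challenge(as_uri: str, ticket: str, realm: str = "example") -> str:
    """Resource server side: value of the WWW-Authenticate header that goes with
    the 401 when a request arrives without a valid RPT."""
    return f'UMA realm="{realm}", as_uri="{as_uri}", ticket="{ticket}"'


def parse_uma_challenge(www_authenticate: str) -> Dict[str, str]:
    """Client side: extract the auth-params from a UMA challenge.
    Raises ValueError for a non-UMA scheme or a missing as_uri/ticket."""
    scheme, _, params = www_authenticate.strip().partition(" ")
    if scheme.lower() != "uma":
        raise ValueError(f"not a UMA challenge: {scheme!r}")
    out: Dict[str, str] = {}
    for m in _AUTH_PARAM.finditer(params):
        quoted, bare = m.group(2), m.group(3)
        out[m.group(1).lower()] = bare if quoted is None else quoted.replace('\\"', '"')
    missing = {"as_uri", "ticket"} - set(out)
    if missing:
        raise ValueError(f"UMA challenge missing {sorted(missing)}")
    return out


def build_rpt_request(challenge: Dict[str, str], scope: Optional[str] = None) -> Tuple[str, str]:
    """Client side: (token_endpoint, form_body) for the RPT request that redeems
    the ticket. Token endpoint location is an assumption here (as_uri + /token);
    if the AS still needs claims it answers with a need_info error."""
    form = {"grant_type": UMA_TICKET_GRANT, "ticket": challenge["ticket"]}
    if scope:
        form["scope"] = scope
    return challenge["as_uri"].rstrip("/") + "/token", urlencode(form)
```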


Oracle APEX: Setting up Rest Data Source with OAuth2 authentication and Bearer token

I am trying to set up a REST data source in APEX with the REST endpoint created in ORDS. The REST endpoints are secured with OAuth2 client credentials. In Postman, I could get the access token from the OAuth endpoint using client id & secret and use it as a bearer token in my API call without any issues.
However, I was not successful in setting up the REST data source with OAuth2 authentication in APEX. Here are the steps I followed. (My APEX version is 22.1.4)
APEX:
Create Rest Data Source -> from scratch
Rest Data Source Type -> Oracle Rest Data Source
URL End Point: https://myserverpath/ords/demo/leave/getLeave
Base Path: https://myserverpath/ords/demo/
Service URL Path: leave/getLeave
Authentication Type: OAuth2 Client Credentials Flow
OAuth Token URL: https://myserverpath/ords/demo/oauth/token
Client id: redacted
Client Secret: redacted
Discover: gives the error "Discovery error: Oracle APEX cannot compute a data profile from the response data of type: text/html."
Selected "Create Rest Resource Manually"
Created an IG on the RDS, turned debug on while running the IG, and got the debug message below:
Found token "ACCESS_TOKEN".
Access token still valid (expiry=2022-09-13 22:21:59)
begin_request
p_url=>https://myserverpath/ords/demo/leave/getLeave?limit=51,p_method=>GET,p_proxy_override=>,p_transfer_timeout=>,p_https_host=>,p_wallet_path=>
Loading instance wallet
set_header Proxy-Connection: Keep-Alive
set_header Content-Type:
application/vnd.oracle.resource+json;type=filter-form;charset=UTF-8
set_header User-Agent: Oracle APEX
set_header Authorization: ***
HTTP response 401 - Unauthorized
cURL command that works:
curl --location --request GET 'https://myserverpath/ords/demo/leave/getLeave' \
--header 'Authorization: Bearer <bearer_token>'
Is there any step I am missing while setting up the REST data source in APEX?
It looks like you're missing a space between "Bearer" and the token.

Alternative to OAuth 2.0 ROPC without interpreting HTML/Javascript

I'm in the context of an embedded device that uses an HTTPS client to request an access token on behalf of a user (delegated permission needed for the app).
I'm currently using OAuth 2.0 ROPC (https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc) to get my token and everything works fine.
But since this authentication is deprecated I'd like to change to a more secure solution that works in hybrid identity federation scenarios.
I see that many other solutions exist, but I can't find one that doesn't need to interpret an HTML/JS response.
Here is a cURL example to explain my point:
ROPC request:
curl -X POST "https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token" --data "grant_type=password&scope=EWS.AccessAsUser.All&username=<username>&password=<password>&client_id=<client_id>&client_secret=<client_secret>" -H "Content-Type: application/x-www-form-urlencoded"
Response:
{"token_type":"Bearer","expires_in":3599,"ext_expires_in":3599,"access_token":"eyJ0eX....1234"}
Here I can extract the token directly from the response.
But using other ways to get a delegated permission token, such as the OAuth 2.0 Implicit Grant flow (https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-implicit-grant-flow), the responses are always HTML that I can't interpret.
So I am wondering if there is a solution to this situation.
Thanks in advance,
Aloïs KYROU
You cannot use the implicit flow to obtain the token in the tool; you can only run the request URL in the browser, because using the implicit flow requires you to log in. Please note that before this, you must enable ID token and access token.
Request the ID token and access token in the browser:
https://login.microsoftonline.com/{tenant id}/oauth2/v2.0/authorize?
client_id={client id}
&response_type=id_token token
&redirect_uri={redirect_uri}
&scope=openid EWS.AccessAsUser.All
&response_mode=fragment
&state=12345
&nonce=678910

“Get a 3-Legged Token with Authorization Code Grant” is not OAuth 2.0 RFC compliant and generates an Error 400

I've implemented an application capable of acquiring an OAuth access token through the authorization process using the authorization code grant type. I've used it successfully with Google API services, but I have a problem when I use it with AutoDesk Forge API services. I suspect that AutoDesk's OAuth does not conform well to the OAuth 2.0 specification.
My application issues an HTTP POST request of this shape:
POST /authentication/v1/gettoken HTTP/1.1
Host: developer.api.autodesk.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA
&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
Here I send client_id and client_secret as username and password for HTTP Basic authorization. But I get an error:
{"developerMessage":"The required parameter(s) client_id,client_secret not present in the request","userMessage":"","errorCode":"AUTH-008","more info":"http://developer.api.autodesk.com/documentation/v1/errors/AUTH-008"}
However, the OAuth specification says in chapter 2.3.1 (https://www.rfc-editor.org/rfc/rfc6749#section-2.3.1):
The authorization server MUST support the HTTP Basic authentication scheme for authenticating clients that were issued a client password.
You can see an example of such a request, which the server MUST support, in chapter 4.2.3 (https://www.rfc-editor.org/rfc/rfc6749#section-4.1.3):
POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA
&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
And AutoDesk wants it differently, as per its documentation:
curl -v 'https://developer.api.autodesk.com/authentication/v1/gettoken' \
-X 'POST' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d '
client_id=obQDn8P0GanGFQha4ngKKVWcxwyvFAGE&
client_secret=eUruM8HRyc7BAQ1e&
grant_type=authorization_code&
code=wroM1vFA4E-Aj241-quh_LVjm7UldawnNgYEHQ8I&
redirect_uri=http://sampleapp.com/oauth/callback
'
(Here, as you can see, AutoDesk expects client_id and client_secret to be in the POST request body.) That is an additional way that a server MAY support, as written again in chapter 2.3.1 (https://www.rfc-editor.org/rfc/rfc6749#section-2.3.1):
Alternatively, the authorization server MAY support including the client credentials in the request-body
So, am I right that the AutoDesk Forge API service only supports the optional way and apparently doesn't support the mandatory way?
So, am I right that the AutoDesk Forge API service only supports the optional way and apparently doesn't support the mandatory way?
Affirmative - the only authentication format that's supported can be found here.
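Both client-authentication encodings from RFC 6749 section 2.3.1, built for the token request discussed above, as an added example (not the asker's code or anything from Autodesk or Google). It uses the client_id/client_secret pair behind the RFC's own Basic header quoted in the question; everything else is constructed.

```python
"""RFC 6749 §2.3.1 client authentication for the authorization_code token request.
Added example; 'post' mirrors what the Autodesk documentation above asks for."""
import base64
from typing import Dict, Tuple
from urllib.parse import quote_plus, unquote_plus, urlencode


def client_secret_basic(client_id: str, client_secret: str) -> str:
    """The mandatory scheme (servers MUST support it). RFC 6749 says each credential
    is application/x-www-form-urlencoded first, then "id:secret" is base64'd;
    skipping that step breaks for secrets that contain ':' or '%'."""
    cred = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
    return "Basic " + base64.b64encode(cred.encode("ascii")).decode("ascii")


def decode_basic(header: str) -> Tuple[str, str]:
    """Server side: recover (client_id, client_secret) from an Authorization header."""
    scheme, _, blob = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not HTTP Basic")
    cid, _, secret = base64.b64decode(blob).decode("ascii").partition(":")
    return unquote_plus(cid), unquote_plus(secret)


def token_request(client_id: str, client_secret: str, code: str, redirect_uri: str,
                  client_auth: str = "basic") -> Tuple[Dict[str, str], str]:
    """(headers, body) for the token request. 'basic' is the form every compliant
    server accepts; 'post' puts the credentials in the body, which is optional."""
    form = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if client_auth == "basic":
        headers["Authorization"] = client_secret_basic(client_id, client_secret)
    elif client_auth == "post":
        form.update(client_id=client_id, client_secret=client_secret)
    else:
        raise ValueError(f"unknown client_auth {client_auth!r}")
    return headers, urlencode(form)
```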

how to get an access token from wunderlist using OAuth2

How do you get an access token from the Wunderlist API using OAuth?
The Wunderlist documentation says:
Wunderlist redirects back to your site
If the user accepts your request, Wunderlist will redirect to your redirect_uri with a temporary code in a code parameter as well as the state you provided in the previous step in a state parameter. If the states don't match, the request has been created by a third party and the process should be aborted.
Exchange code for an access token:
POST https://www.wunderlist.com/oauth/access_token
I do not understand "Exchange code for an access token": am I supposed to redirect to https://www.wunderlist.com/oauth/access_token to get an access token?
Exchanging the code for an access_token is done by executing an HTTP POST message to the token endpoint, in your case to https://www.wunderlist.com/oauth/access_token, with JSON data as specified in: https://developer.wunderlist.com/documentation/concepts/authorization. Using cURL it would look like:
curl -H "Content-Type: application/json" -d '{ "code":"<CODE>", "client_id": "<CLIENT_ID>", "client_secret": "<CLIENT_SECRET>"}' https://www.wunderlist.com/oauth/access_token

how to get my twitter timeline entries

I have tried this and that.
But requesting this:
https://api.twitter.com/1.1/statuses/user_timeline.json?user_id=monyetbego
keeps giving me "Bad Authentication data".
I don't know exactly how to get authenticated.
You need to register an application through Twitter's developer site. Once your application is approved you will be given a set of OAuth keys, which you can use within an API request to receive a response. Note that in API v1.1, you can no longer submit unauthenticated requests (i.e. send requests through an unauthenticated URL like the one you posted).
For example, once you have your authentication information, you can use curl to submit a show_timeline request (see your Application's OAuth tool on the Twitter Dev website for parameters specific to your authentication information):
curl --get 'https://api.twitter.com/1.1/user_timeline.json' \
--header 'Authorization: OAuth oauth_consumer_key="XXXXXXXXXXXXXXXX", oauth_nonce="XXXXXXXXXXXXXXXXXXXXXXXX", oauth_signature="XXXXXXXXXXXXXXXXXXXXXXXXXXX", oauth_signature_method="XXXX-XXXXX", oauth_timestamp="XXXXXXXXXXX", oauth_token="XXXXXXXX-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", oauth_version="1.0"' \
--verbose
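How the placeholder Authorization header in that curl command is actually produced, and how a server checks it, as an added example (not the answerer's code or Twitter's). It implements RFC 5849 HMAC-SHA1 signing; the consumer key/secret, token/secret, nonce and timestamp used in the tests are constructed placeholders.

```python
"""OAuth 1.0a (RFC 5849) HMAC-SHA1 signing for a GET against the Twitter 1.1
user_timeline endpoint, plus server-side verification. Added example."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, unquote, urlsplit


def pct(s: str) -> str:
    """RFC 5849 §3.6 percent-encoding: only ALPHA, DIGIT, '-', '.', '_', '~' stay raw."""
    return quote(str(s), safe="")


def signature_base_string(method: str, url: str, oauth_params: dict) -> str:
    """METHOD & base-URL & normalized-params (§3.4.1). Query parameters and all
    oauth_* parameters except oauth_signature are encoded, sorted and joined."""
    p = urlsplit(url)
    base_url = f"{p.scheme.lower()}://{p.netloc.lower()}{p.path}"
    pairs = list(parse_qsl(p.query, keep_blank_values=True))
    pairs += [(k, v) for k, v in oauth_params.items() if k != "oauth_signature"]
    normalized = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in pairs))
    return f"{method.upper()}&{pct(base_url)}&{pct(normalized)}"


def sign(method: str, url: str, oauth_params: dict, consumer_secret: str, token_secret: str) -> str:
    """base64(HMAC-SHA1(key, base string)) with key = pct(consumer_secret)&pct(token_secret)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, signature_base_string(method, url, oauth_params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def oauth1_header(method, url, consumer_key, consumer_secret, token, token_secret,
                  nonce=None, timestamp=None) -> str:
    """Client side: the Authorization header value the curl command above carries."""
    oauth = {"oauth_consumer_key": consumer_key, "oauth_nonce": nonce or secrets.token_hex(16),
             "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": str(timestamp or int(time.time())),
             "oauth_token": token, "oauth_version": "1.0"}
    oauth["oauth_signature"] = sign(method, url, oauth, consumer_secret, token_secret)
    return "OAuth " + ", ".join(f'{k}="{pct(v)}"' for k, v in sorted(oauth.items()))


def verify_oauth1_header(method, url, header, consumer_secret, token_secret) -> bool:
    """Server side: recompute the signature over the received parameters and the
    actual request line, then compare in constant time."""
    params = {}
    for kv in header[len("OAuth "):].split(","):
        k, _, v = kv.strip().partition("=")
        params[k] = unquote(v.strip('"'))
    expected = sign(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, params.get("oauth_signature", ""))
```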