When we authenticate a user using FusionAuth, we get a JWT token as the output. How do we get an opaque token rather than a JWT?
If it can be done, will introspect use the opaque token to validate the generated JWT token?
FusionAuth does not generate opaque access tokens.
You can treat them as opaque if you like, and then using the Introspect endpoint FusionAuth will validate the token and return you a JSON response.
Does Azure AD issue opaque access tokens or only JWT tokens?
If yes, how do you validate opaque access tokens in that case, because there is no introspection endpoint?
A JWT has readable content, as you can see for example on https://jwt.io/. Everyone can decode the token and read the information in it. The format is documented in RFC 7519.
An opaque token on the other hand has a format that is not intended to be read by you. Only the issuer knows the format.
Here's a quote from https://auth0.com/docs/tokens:
Opaque tokens: Tokens in a proprietary format that typically contain some identifier to information in a server’s persistent storage. To validate an opaque token, the recipient of the token needs to call the server that issued the token.
An opaque token is a simple string; it is just a reference, hence, naturally, its format is entirely arbitrarily determined by the server that issues it (hence the term "proprietary format"). The token string is determined at the time of creation of the underlying (referred-to) content, i.e. when it is paired (associated) with the contents that this token (as the reference or foreign key) refers to.
In some JWT frameworks only the authentication token is a JWT, but as the refresh token they use opaque tokens.
For more information, refer to this SO thread.
We have an OAuth server that uses doorkeeper. We want to start using doorkeeper JWT, but we can't turn it on for all OAuth clients yet as some are out of our control and we are pretty sure they are storing the access tokens their apps receive in a varchar(255) column which won't work if we start to hand out JWT tokens for all apps. Also, we don't really want to be storing the whole JWT in our database either if we can avoid it.
Our idea is to have doorkeeper generate an opaque access token for all apps first, and store that in the db. Then before returning the opaque access token to the app, we check to see if the app has JWT tokens turned on and if so convert the opaque access token to a JWT access token using the opaque access token as the JWT's jti claim. We are thinking of utilizing the before_successful_strategy_response callback to convert to a JWT using the gem 'doorkeeper-jwt' if the app has JWT access tokens enabled.
Then, when we get a request which has an access token, check to see if the access token is a JWT access token and if so read the jti claim out of it and use that to load the access token from the DB. We don't have a good place to hook into this at the moment. Right now we are thinking of monkey patching Doorkeeper::Oauth::Token in the from_request method to check to see if the token is a JWT before returning it, and if so, return the JWT's jti instead.
Does that seem like a reasonable approach? Is there another way without monkey patching Doorkeeper::Oauth::Token?
More recent versions of doorkeeper allow you to configure the access token model class as seen here:
https://github.com/doorkeeper-gem/doorkeeper/blob/55488ccd9910e0c45ed4342617da8e026f4f55b5/lib/doorkeeper/oauth/token.rb#L17
So we can hook into the access token lookup there without resorting to monkey patching.
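An added example (not doorkeeper's code, nor anything from the answers above) that illustrates two points from this page in one place: the Azure AD answer's distinction between a readable JWT and an opaque reference string, and the doorkeeper idea of minting a JWT whose jti is the stored opaque token and mapping it back on lookup. Everything here is constructed: DEMO_SECRET stands in for the HS256 key doorkeeper-jwt would be configured with, sign_hs256 stands in for the gem, and resolve_access_token is a hypothetical version of the from_request hook. The only dependencies are the Ruby standard library.

```ruby
require "base64"
require "json"
require "openssl"

# Constructed demo key; stands in for the HS256 secret doorkeeper-jwt would be
# configured with. A real deployment loads this from configuration, never source.
DEMO_SECRET = "constructed-demo-secret-not-for-production".freeze

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

# Structural test only: three non-empty base64url segments whose first segment
# decodes to a JSON object with an "alg" member. A refresh token shaped like
# "0.ATYA..." contains a dot but fails this test, so it is treated as opaque.
def jwt?(token)
  parts = token.to_s.split(".", -1)
  return false unless parts.size == 3 && parts.none?(&:empty?)
  header = JSON.parse(Base64.urlsafe_decode64(parts[0]))
  header.is_a?(Hash) && header.key?("alg")
rescue ArgumentError, JSON::ParserError, EncodingError
  false
end

# Anyone can do this, no key involved: this is the "readable content" of a JWT.
# The result is UNTRUSTED until the signature has been verified.
def decode_unverified(token)
  return nil unless jwt?(token)
  h, p, _sig = token.split(".")
  header  = JSON.parse(Base64.urlsafe_decode64(h))
  payload = JSON.parse(Base64.urlsafe_decode64(p))
  return nil unless header.is_a?(Hash) && payload.is_a?(Hash)
  [header, payload]
rescue ArgumentError, JSON::ParserError, EncodingError
  nil
end

# Mint an HS256 JWT (hypothetical stand-in for doorkeeper-jwt). The caller puts
# the opaque token doorkeeper stored into the "jti" claim.
def sign_hs256(payload, secret)
  header = b64url(JSON.generate({ "alg" => "HS256", "typ" => "JWT" }))
  signing_input = "#{header}.#{b64url(JSON.generate(payload))}"
  sig = OpenSSL::HMAC.digest(OpenSSL::Digest.new("SHA256"), secret, signing_input)
  "#{signing_input}.#{b64url(sig)}"
end

# Constant-time comparison so a signature check does not leak timing information.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verify algorithm, signature and expiry; return the payload or nil.
def verify_hs256(token, secret, now: Time.now.to_i)
  header, payload = decode_unverified(token)
  return nil unless header && header["alg"] == "HS256"   # rejects "none" and other algs
  h, p, sig = token.split(".")
  expected = OpenSSL::HMAC.digest(OpenSSL::Digest.new("SHA256"), secret, "#{h}.#{p}")
  return nil unless secure_equal?(Base64.urlsafe_decode64(sig), expected)
  return nil if payload["exp"].is_a?(Integer) && payload["exp"] <= now
  payload
rescue ArgumentError
  nil
end

# Hypothetical from_request hook: map whatever arrived as the bearer token onto
# the opaque key stored in the access-token table. A JWT must verify before its
# jti is trusted; anything that is not a JWT is used as the key unchanged.
def resolve_access_token(bearer, secret:, now: Time.now.to_i)
  return bearer unless jwt?(bearer)
  payload = verify_hs256(bearer, secret, now: now)
  payload && payload["jti"]
end

if __FILE__ == $PROGRAM_NAME
  opaque = "constructed-opaque-token-7f3a9c"   # what doorkeeper stored in the DB
  jwt = sign_hs256({ "jti" => opaque, "exp" => Time.now.to_i + 3600 }, DEMO_SECRET)
  puts "JWT:    #{jwt}"
  puts "claims: #{decode_unverified(jwt)[1]}"   # readable without the key
  puts "lookup key from JWT:    #{resolve_access_token(jwt, secret: DEMO_SECRET)}"
  puts "lookup key from opaque: #{resolve_access_token(opaque, secret: DEMO_SECRET)}"
  puts "AAD-style refresh token is a JWT? #{jwt?('0.ATYAconstructedOpaqueRefreshToken')}"
end
```

The design point worth noticing is in resolve_access_token: a token that looks like a JWT is never silently downgraded to an opaque lookup when its signature or expiry fails, and the "alg" header is pinned to HS256 so an unsigned or differently signed token cannot steer the jti lookup.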
I need to understand why the refresh token issued by AAD is not in JWT format (I used the Auth Code grant type for generation of the refresh token). It looks something like the following: 0.ATYAoWHs1YRqUk-OAYpDkwKjaYAEJhrbDpBNmWw7q0NZVas2APk....(rest of the token).
Also, if we can get this refresh token in JWT format, then how can we do that?
Thanks
Abhishek
It isn't in JWT format because it does not need to be.
A refresh token is data that you send to the identity provider to get new access tokens.
It should not have any other meaning for your application.
Store it securely and send it to AAD when you need new tokens.
Then take the new refresh token you get in the response and overwrite your previous refresh token with that.
The OAuth 2 RFC also talks about it (https://www.rfc-editor.org/rfc/rfc6749#page-10):
A refresh token is a string representing the authorization granted to the client by the resource owner. The string is usually opaque to the client. The token denotes an identifier used to retrieve the authorization information. Unlike access tokens, refresh tokens are intended for use only with authorization servers and are never sent to resource servers.
I am using Forgerock as my identity provider and am looking for something in their REST API where I can provide an access token in the form of an Authorisation Bearer token and get the corresponding JWT token to use as an Authorisation Bearer token in a subsequent REST API call.
Can someone help me with what endpoint I can call in Forgerock to do this? I've had a look at the userinfo endpoint, that seems to return what is in the id_token in json format, but I want the actual id_token. A "token exchange".
thanks
There is no endpoint defined by the specifications to obtain an ID token for an access token. The specifications define the token introspection endpoint (RFC 7662) and the user info endpoint (which you have already figured out).
Other than these, the best option is to obtain the ID Token from the token response itself. For this you need to follow the OpenID Connect request format, which includes the scope value openid. For this, you will require end user consent (most of the time), which allows the authorization server to share their claims through the id token.
Google Doc says that you can specify response_type for gapi?.auth.authorize
You can use it to get an id_token.
How to configure postman when you already have a token/bearer key at hand?
Was hoping it would be somewhat similar to setting up OAuth 2.0 authentication with SoapUI, where you can just input the bearer/token key.
If you have an access token, you can configure Postman by setting up a custom Authorization header. Setup:
Authorization: Bearer <accessToken>
And if the API you are accessing supports bearer tokens, and you are providing a valid access token, then it should work.