I have an API that's protected by Auth0.
I want my users to have CLI access to this API as well. I was considering using the one-time password flow initially when the developer signs in to the CLI to request a refresh token, and then persist this on the disk for future use.
But this just feels wrong. Is there any other more secure approach?
The CLI might be used on build servers etc, so I guess it has to be a permanent token that lasts forever.
While we're at it, what do other APIs do, for instance GitHub when I request a Personal Access Token? Is that the same?
Did you check this? https://auth0.com/docs/flows/guides/device-auth/call-api-device-auth.
By using this flow on a CLI the user will login interactively through a browser and then will enter a code in the CLI. This will give you back an access token and a refresh token. You could use the refresh token in your CI process to obtain new tokens on every build (or whenever the AT expired).
Related
I have a back-end processor, (imagine a chron job once a day generating reports), that needs to integrate with a third-party system. Their APIs only support the "Authorization code" grant type. The problem is I can't even fill out a request for a token as I don't have a redirect_uri (no website), and I definitely don't have a user of any kind. I'll just have the OAuth clientId and secret I provisioned via their developer portal, (Mashery), for my back-end report processor app.
I want to use the "Client credentials" grant type/flow since I'm just a back-end service.
Is there any way to fake this or hack it so my little back-end service can somehow work with authorization code flow?
Thanks in advance
No, there is no way to hack it. Client credentials only authenticate the client. A token issued for client credentials have no information about the user. If their API needs information about the user (you probably get information only about your user), then you need to have a token issued with Code Flow.
What you can do is to generate the OAuth token yourself. E.g. you can use oauth.tools to perform a Code Flow with their Authorization Server, or you can perform the flow from browser with a dummy redirect URI (e.g. http://localhost), the get the code returned from authorization request and perform a token request from curl.
Once you have an access and refresh token you can hard code them in your script (or read them from an env variable or file, etc). You can then call the API as long as the access token is valid, and use refresh token to get a new access token when it expires. You will not have to perform a new Code Flow for as long as the refresh token is valid.
I'm working on a web application that will be installed on-prem behind Azure App Proxy. I can authenticate with OAuth and access the app successfully, but the authentication token is only good for an hour, after which my application is kind of dead because none of its API calls make it through the proxy.
So I'd like a way to keep that access alive so that users don't have to re-authenticate every hour.
I know that there's a flow for exchanging a refresh token for a new access token, and I can do that. But it seems like the ability to pass through the proxy is not governed directly by that token, but by a cookie called AzureAppProxyAccessCookie. Since I don't know how to convert my refreshed access token to a valid cookie value, this doesn't seem to solve my problem.
Note that I don't manage the proxy, so just increasing the expiration time on the token issued by Azure isn't an option.
So is there a way to refresh the AzureAppProxyAccessCookie token, or otherwise keep the session alive without making the user re-authenticate?
You can define a token life time policy with a longer token lifetime and assign it to your application.
https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-lifetimes#access-id-and-saml2-token-lifetime-policy-properties
https://learn.microsoft.com/en-us/azure/active-directory/develop/configure-token-lifetimes#create-a-policy-for-web-sign-in
We've got a team Slack app and some slash commands configured with them. The slash commands are sending requests to a express REST endpoint which uses passport-slack as authentication.
I want that the requests generated by the slash commands to include the access token for the user since it's already logged in to Slack, but not just the verification token
Any idea on how to achieve this?
I would not recommend this, since it would breach Slack's security architecture and should also be unnecessary if your app is designed according to Slack's standards.
Your app only needs to retrieve and store the user token once during the installation process and can then use it for all future API calls indefinitely, since it does not have an expiry date. They also do not need to be refreshed.
Usually you would install a Slack app only once per Slack team and use that token for all future API calls. This is done using the OAauth 2.0 protocol, which ensured the token is generated in a secure way.
But if you really want the user token from every user, you can ask every user to install your Slack app. Its call "configurations" and that way you get all user tokens. But again, you only need to do that once and you should do it with the Oauth process.
I am using Authorisation Code Flow in my web application. I would like to get a refresh token for the web app itself but also an offline token that I will save in the database so I can use it later on for an offline task.
However I am struggling with that. I cannot use grant-type password because I don’t want to ask the user again to enter his/her credentials and also authorisation code is only one-time use so I cannot integrate it with the current flow.
Is there any other way to generate an offline token from a different token? I have tried using grant type refresh-token with scope offline_access but that didn’t work.
After keep working with Keycloak for several months, the answer is simple: it is not possible.
Offline token is effectively a refresh token with no expiration time so you can get one or the other but never both as part of the same request/response.
From a user point of view, we created a new page to request this token using password grant-type and offline scope. User need to re-enter his password but it seems ok from a security point of view. This approach works for us given the requirements to get this token as it is an unusual task.
You can also generate offline tokens using service account, check keycloak documentation on service account.
Following discussion will help you to understand different scenarios generating and using offline tokens
I am creating a headless service that I intend to use to access a third party API. To do this, I need to authorize myself with this third party API using a google access token. since I want this service to run in a headless fasion (i.e. no user input), I created a special account with Google and now I want to get the access token and google id using OAuth - the caveat is that this is a headless service, so I need to do this without the 'user' entering their username / password.
how do I do this?
Regarding your comment, you can get a refresh token through the web flow. Refresh tokens never expire (although the user can revoke them) and can be used to obtain access tokens as often as needed. See https://developers.google.com/accounts/docs/OAuth2WebServer for more info.