set url to refresh token JWT in grails using spring security rest - grails

I´m using spring security rest. Actually to refresh token im using this url: /oauth/access_token?grant_type=refresh_token&refresh_token=token
However i'm using api rest and I want to use /api/oauth to refresh token instead of /oauth.
I tried redirect in urlMappings, but response 404 not found.
"/api/oauth"(redirect: '/oauth')

"/api/oauth"(redirect: '/oauth')
As you found, that mapping won't work but there may not be a good reason to use a redirect anyway. The plugin provides a mapping like this:
"/oauth/access_token"(controller: 'restOauth', action: 'accessToken')
(see https://github.com/alvarosanchez/grails-spring-security-rest/blob/d5940921b4aea466a961957e0599321d01e4c6de/spring-security-rest/grails-app/controllers/grails/plugin/springsecurity/rest/RestOauthUrlMappings.groovy#L24)
You can map whatever url you like to that controller. You could do this...
"/api/oauth"(controller: 'restOauth', action: 'accessToken')

*** Work for me grails spring refresh token
-method : Post
-http://localhost:8085/oauth/access_token?grant_type=refresh_token&refresh_token={your_access_token}

Related

OAuth2 token returned from Office 365 doesn't contain a preffered_username claim

I followed this tutorial and have gotten to the point where I am decoding the returned token, and extracting the email address (which should be stored in the preferred_username property), ie, the following code:
decoded_token = Base64.urlsafe_decode64(encoded_token)
jwt = JSON.parse(decoded_token)
email = jwt['preferred_username']
The problem is that the object returned doesn't contain this property, what I do get back is similar to below:
{
"ver":"2.0",
"iss":"https://login.microsoftonline.com/9188040d-6c67-4c5b-b112-36a304b66dad/v2.0",
"aud":"0ab6433e-84fc-469b-8c72-41f7a0241a61",
"exp":1458142389,
"iat":1458055989,
"at_hash":"0OYaLKpTTdHNBrQNOqwQ0Q",
"sub":"AAAAAAAAAAAAAAAAAAAAAC1TrOaOmvInYrFAyrQjlFI",
"tid":"9188040d-6c67-4c5b-b112-36a304b66dad"
}
A quick glance at the spec indicates I am getting the correct object back from Office 365, as preferred_username is mentioned as a potential claim, but it isn't in the object I get back.
It's possible I'm not calling the get_token function with the correct parameters, but the documentation for the library is pretty sparse, so I can't really tell.
I have raised an issue on Github.
Is this an error on the Office 365 end, an error with the tutorial, or am I doing something wrong myself?
Answered here by Jason Johnston from Microsoft (author of the tutorial):
The Azure team deployed a breaking change to their v2 auth endpoint, which is causing the preferred_username to not be present. You need to add profile to the SCOPES array in auth_helper.rb. I'll post an update to the tutorial after the Build conference.
The SCOPES array in auth_helper.rb now looks like so:
SCOPES = [ 'openid', 'https://outlook.office.com/mail.read', 'profile' ]
I am try to reproduce this issue using normal HTTP request however I could get the preferred_username property successfully.
As far as I know, we can get this property only when we specific the openid scope in the request. To narrow down this issue, I suggest that you trying use Fiddler or Postman without Ruby.
Here is the test using web browser and Fiddler to get the id token for your reference:
Register the app in the portal using Office 365 account( which you can refer to the tutorial)
Get the auth code in a web broswer via the link below:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id={ClientID}&response_type=code&redirect_uri={RedirectURL}&response_mode=query&scope=https%3A%2F%2Foutlook.office.com%2Fmail.read%20https%3A%2F%2Foutlook.office.com%2Fmail.send%20openid&state=12345
Replace the auth code from preview request and using Fiddler to post the request to get the tokens:
POST: https://login.microsoftonline.com/common/oauth2/v2.0/token
grant_type=authorization_code&client_id={ClientID}&scope=https%3A%2F%2Foutlook.office.com%2Fmail.read%20https%3A%2F%2Foutlook.office.com%2Fmail.send%20openid&redirect_uri=http%3A%2F%2Flocalhost%3A55065%2F&client_secret={ClientSecret}&code={AuthCode}
Decode the ID token from the link below:
https://jwt.io/
Then I could get the preferred_username property from the ID token successfully.

Spring Security OAuth2 with Reddit - how to set "duration"

I am currently using Spring Security OAuth2 with Reddit - and trying to pass the duration parameter when redirecting the user to an authorization URL.
This URL is constructed via getRedirectForAuthorization - which is a private method in AuthorizationCodeAccessTokenProvider - so it's not immediately clear how the duration parameter should be added in.
Am I missing anything?
Thanks.
You can add query parameters to the authorization request using a RequestEnhancer. You can inject one into the AccessTokenProvider and the DefaultRequestEnhancer includes a list of parameters to include (empty by default).

tornado oauth queries (twitter)

I am using tornado framework to use the Twitter API. I am not understanding why I am getting a callback url with the value of next in it
auth/login?next=%2F%3Foauth_token%3D
I understand that /auth/login is setup by me during AuthLoginHandler. But I am not understanding what is setting next token inside the url. This makes my other argument
self.get_argument('oauth_token', None)
return None.
I know that we can still parse the url the get the oauth_token, but any insights into how TwitterMixin or default Oauth class of tornado is doing this. I am a newbie to Tornado
Firstly, You can ignore the 'next' argument until you get your core code working.
'next' is an extra parameter so you can forward the user to to the original page you asked for like this:
self.redirect(self.get_argument('next', '/'))
The 'next' param is added in the request handler here after a call to get_current_user has returned None. [ie user is not logged in]
The Tornado docs describe how to write a handler for Twitter.

How to do Soundcloud Auth Dance in JS with a Redirect_URL that has GET Params

** I am currently implementing fancy URLs to see if these 'solves' this. eg /me/soundcloudconnect rather than index.php?c=me&a=soundcloudconnect via mod_rewrite **
I have been using the Soundcloud JS SDK and SC.Connect() etc function(s) which automates much of the Auth process. I have been using a Normal html file: sc.html which worked fine and allowed me to get /me/ and /me/tracks etc.
However I now realise? that I will need to perform Auth myself as I need to add a State variable as documented below, so that it prepends these params to the end of the Redirect_URI.
http://groups.google.com/group/soundcloudapi/browse_thread/thread/7bddbc296f3b80af
The URL that I am trying to redirect back to is:
index.php?c=me&a=soundcloudconnect
which is the 'me' controller and 'soundcloudconnect' action.
So could someone please point me in the right direction?
Either I want to be able to use SC.Connect() etc (but also be able to get and save Token) as well as redirect back to the URI above
Or, I need to do the same thing (Auth and store token) but not using SC.Connect() but normal JS instead.
I read that Soundcloud Developer support is via Stackoverflow - so hopefully someone can help?
The normal HTML file with working SC Auth:
http://socialartist.co/sc.html
The dynamic page which does not work with SC Auth:
http://socialartist.co/index.php?c=me&a=soundcloudconnect#
The issue is probably that those query parameters are interfering with the original url. E.g. http://www.soundcloud.com/register/?token=blagha23412&redirect_uri=http://anydomain.com/index.php?c=me&a=soundcloudconnect
How would SoundCloud distinguish between your parameters and its parameters? You might be able to wrap the redirect_uri value in quotes.
An alternative might be to use the path as your parameters. E.g. http://anydomain.com/index.php/me/soundcloudconnect and then you should be able to grab whatever you need out of the path on your server.
** SOLVED!! **
If you need to pass parameters to SC connect/auth then the only way to do this is to setup fancy urls via mod_rewrite.
There 'seems' to be another method here, but you need to be doing the Auth in 2 steps and not via SC.Connect.
http://groups.google.com/group/soundcloudapi/browse_thread/thread/7bddbc296f3b80af
I was trying to get URL_redirect to work with:
index.php?c=me&a=soundcloudconnect
But in the End just used Fancy URLs which worked
http://socialartist.co/me/soundcloudconnect

Determine the url (or controller and action names) of a request which is unauthorized with Shiro Grails plugin

I would like to be able to log the requests that my app receives that are unauthorized. Because the Shiro plugin uses an HTTP redirect to send the user to auth/unauthorized the request object is a fresh one and I can't get the original URL; controller/action name; or request parameters from it.
Is there a way to determine either the original url, or the controller and action names (and request params if possible) inside the AuthController unauthorized action?
I am looking at http://plugins.grails.org/grails-shiro/tags/RELEASE_1_1_3/ShiroGrailsPlugin.groovy as a reference of the plugin source.
Details:
Grails 1.3.7
Shiro Grails plugin 1.1.3
I had the same problem... my solution is not perfect:
a browser sends the so called referer in one of the headers which you can get through
request?.getHeader('Referer')
But the referer is nothing you really can rely on -- but most of the browsers send it.
Another solution could be the filter: try to write the current url to another variable before you call accessControl() in ShiroSecurityFilters.groovy. You can get the current URL through request.forwardURI.
Update: just verified my last assumption - this seems the cleanest solution to me:
In ShiroSecurityFilters.groovy, replace
// Access control by convention.
accessControl()
with
// Access control by convention.
if (!accessControl()) {
session.deniedUrl = request.forwardURI
return false
}
which enables you to access the url as session.deniedUrl in your auth/unauthorized controller.

Resources