Oauth token and creds - oauth

One of the enterprise integration tools I am working with has a Salesforce connector. But the connector has OAuth token, username and password, all these 3 fields, as required fields. My understanding was that, with an OAuth token, a username/password combination is not required. I was able to make the calls required to Salesforce using this OAuth token via Postman. Any idea why this tool is requiring all three fields? The tool in question is Workday Studio.

You're right, username or password shouldn't be needed for an OAuth flow. I know nothing about Workday, but are you sure it's an OAuth token it wants?
It sounds like your tool is using the old-school SOAP API. This works with username, password and an optional security token. You can generate it in Setup and it'll come in an email message. There are situations when you don't need it (for example logging in from a trusted IP), but if it's a required field... Stupid Workday rule, try to generate it anyway? Read more: https://help.salesforce.com/articleView?id=user_security_token.htm&r=https%3A%2F%2Fwww.google.com%2F&type=5
So yeah, I'd try with that. And then check what you see in Setup -> Login History in Salesforce. It should say whether it's SOAP or REST API, OAuth or not... My gut feel is it'll say SOAP. If it were OAuth it'd either not ask for a password at all (just show you an "allow access" screen) or ask for a few more things (client id, secret)... There are many OAuth flows possible with Salesforce: https://help.salesforce.com/articleView?id=remoteaccess_authenticate_overview.htm
P.S. Welcome to StackOverflow. No idea who downvoted you without leaving any comment, I gave you +1.

Related

oAuth Server to Server grant flow

I have implemented an OAuth 2.0 server-to-server authentication for a web application I am developing.
Both services are internal to my company, so I send a request from server A to server B containing the username, password, client_id and client_secret then I receive an access_token in response.
After that, I can send a second request from A to B containing the access_token in the header to pull some data.
The data retrieved from server B to server A is finally passed to the view in server A and shown to the end-user.
Therefore I never ask for any inputs to the end-user, because I am using the above "service account" to pull the data that I need. The end-users do not even know anything about such a connection in the background.
Having said that, I am now going mad trying to explain to my colleagues that this is a secure approach.
I was wondering if somebody has any official documentation or best practices to share with me that can help to justify to the IT vertical that this approach is correct. I have been told that the basic auth method is not allowed in the company, but this is not really basic auth, is it?!
I cannot even find the right name for this, somebody refers to this method as password grant flow, somebody else as two-legged OAuth. The fact is, in my case all interaction happens server-server without any inputs needed from the end users.
Any help is much appreciated!
RESOURCE OWNER PASSWORD GRANT
You are using this flow between Server A and Server B, which is not recommended because OAuth applications should not have access to the end user's password. It is more standard to use the Client Credentials Flow for Server to Server calls.
OAUTH TOKEN ISSUER
Another aspect that is non standard is that Server B should not issue its own tokens. It is more standard to use an off the shelf Authorization Server (AS) to deal with OAuth messages and token issuing. The AS is the only party that sees credentials - your UIs and APIs only ever use tokens, which have a short expiry compared to credentials.

Several question on Oauth2 on ADFS Server 2016

I'm used to working with ADFS for a long time already and recently I was asked to do a proof of concept with OAuth2 on ADFS. Struggling through terminology I managed to set most things up, but still I do have some unanswered questions. Hope someone can shed some light on these...
For SAML / WS-Fed relying parties, it is possible to set custom web content, using Set-AdfsRelyingPartyWebContent. Is this also possible for web api relying parties created in an application group?
Would it be possible to add claims to a client authenticated with client_id / client_secret (server application in ADFS terms) when using the client credentials grant flow?
Even after setting the 'IssueOAuthRefreshTokensTo' 'AllDevices' on the web api application, I still don't receive refresh tokens. What am I missing here?
When posting a token issued by our ADFS on e.g. jwt.io I receive an 'signature validation' error. How can we resolve that?
We would like to set an audience for the access tokens, so applications can use the audience instead of using the appid to verify if they can consume the token. Can we modify the audience?
What does add-adfsclient do? Does it create a client_id, which can then be linked to a relying party (with Grant-AdfsApplicationPermission), thus enabling OAuth2 for an existing relying party?
When configuring an AD user principal for a server application and using 'password' as grant_type with the client credentials grant flow, I cannot seem to find the correct syntax, as ADFS always gives the error 'MSIS9622: Client authentication failed. Please verify the credential provided for client authentication is valid.'. I have used the syntax 'user#fqdn' for the username.
Thank you for helping me out here!
Let me try and work through these.
In ADFS, OIDC applications and WS-Fed / SAML RP are completely different. You can't mix and match.
jwt.io has a signature error because it doesn't know the .well-known endpoint to get the key. Refer to this.
To get extra claims you need to add an API as that is the only place for claims rules.
To get a refresh token, you need a scope of "offline_access".
For resource owner password, user name and password are separate fields. Refer here.
Feel free to ask more questions. Just expand your question.
Also, samples here. Look at the menu on the LHS.
Update
What do you mean by "can modify web content on a per relying party basis"?
Re. jwt.io, read this.
For refresh tokens, read this. It seems ADFS doesn't follow the spec here.
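An added example, not from this thread or from ADFS, showing the checks a resource server should make before consuming a token: signature, audience (the 'aud' question above) and expiry. HS256 with a constructed shared key is used so it runs offline; ADFS signs with RS256 using keys published at its discovery endpoint, but the audience and expiry logic is the same.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_token(claims: dict, key: bytes) -> str:
    """Issue a compact HS256 JWT (stands in for the issuer; constructed for the example)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_token(token: str, key: bytes, expected_aud: str,
                 now: Optional[float] = None) -> Tuple[bool, str]:
    """Resource-server side: reject anything not signed for *this* audience and still valid."""
    now = time.time() if now is None else now
    try:
        header, body, sig = token.split(".")
        alg = json.loads(_b64url_decode(header)).get("alg")
        signature = _b64url_decode(sig)
        claims = json.loads(_b64url_decode(body))
    except ValueError:  # covers bad base64, bad JSON and wrong segment count
        return False, "malformed"
    # The verifier fixes the algorithm; the token header must never choose it.
    if alg != "HS256":
        return False, "bad_alg"
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad_signature"
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_aud not in audiences:
        return False, "wrong_audience"
    if claims.get("exp", 0) <= now:  # a token with no exp is treated as expired
        return False, "expired"
    return True, "ok"
```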

How to restrict OAuth2 Credentials Grant Type flow using Doorkeeper

I'm using Doorkeeper to handle OAuth2 authorization in my web application.
Since I am the owner of the web application I should be able to use the Password Credentials grant type using only a client_id and the user credentials.
I am wondering if there is a way to whitelist the applications that are allowed to use this flow?
My concern is that if there is no way to whitelist them, what could stop an evil user from gathering my users' credentials? He could take my client_id token and use it to build his own authentication interface. He would basically just ask for user credentials and send a token request to my OAuth2 provider on my behalf, using my client_id token.
Am I missing something here?
Your concern is legit and you are absolutely right. Doorkeeper does not require client credentials on password grant, see why here.
As I was doing some research on the subject, I stumbled upon these answers:
https://github.com/doorkeeper-gem/doorkeeper/issues/561#issuecomment-73836639
How to keep the client credentials confidential, while using OAuth2's Resource Owner Password Credentials grant type
One solution suggested in the first link is: don't use password grant.
Another one is: you can implement a custom client authentication on top of Doorkeeper's resource owner password credentials grant.
I know I didn't offer my own help and just copy-pasted some refs, but as I was also searching for an answer, I see no reason to leave you without one. I know this question is old, but it's still unanswered. Hope that still helps some people.
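An added example (not Doorkeeper's code and not from either thread) of the token-endpoint policy that addresses both this question and the server-to-server one earlier on the page: the client credentials grant for service-to-service calls, and a password grant restricted to an explicit whitelist of clients that can authenticate with a secret, so a bare client_id copied out of a public app is not enough. Client ids, secrets and the user store are constructed values.

```python
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Client:
    client_id: str
    secret: Optional[str]       # None = public client (mobile/SPA) that cannot keep a secret
    allow_password_grant: bool  # explicit whitelist for the resource owner password grant


# Constructed client registry; in Doorkeeper this would be the applications table.
CLIENTS = {
    "backend-a": Client("backend-a", "s3cret-A", allow_password_grant=False),
    "first-party-web": Client("first-party-web", "s3cret-web", allow_password_grant=True),
    "mobile-public": Client("mobile-public", None, allow_password_grant=False),
}
USERS = {"alice": "correct horse"}  # constructed user store


def _authenticate_client(req: dict) -> Optional[Client]:
    """Only a confidential client presenting the right secret counts as authenticated."""
    client = CLIENTS.get(req.get("client_id", ""))
    if client is None or client.secret is None:
        return None
    if not hmac.compare_digest(client.secret, req.get("client_secret", "")):
        return None
    return client


def token_endpoint(req: dict) -> Tuple[int, str]:
    """Decide a token request; returns (HTTP status, token or OAuth error code)."""
    client = _authenticate_client(req)
    if client is None:
        # Both grants require client authentication here (RFC 6749 sections 4.3.2 and 4.4.2),
        # which is exactly the check the question says Doorkeeper skips for the password grant.
        return 401, "invalid_client"
    grant = req.get("grant_type")
    if grant == "client_credentials":
        return 200, "access_token"  # server-to-server: no user password ever crosses the wire
    if grant == "password":
        if not client.allow_password_grant:
            return 400, "unauthorized_client"
        stored = USERS.get(req.get("username", ""))
        if stored is None or not hmac.compare_digest(stored, req.get("password", "")):
            return 400, "invalid_grant"
        return 200, "access_token"
    return 400, "unsupported_grant_type"
```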

Does Google OAuth2.0 support an OAuth-flow for a Resource Owner Password Credential Flow?

Hello kind people of the internet.
Does Google OAuth2.0 support an OAuth-flow for a Resource Owner Password Credential Flow?
...and if so, then:
A.) can this type of OAuth flow be tested on the Google OAuth2 Playground?
B.) are there any examples of the "Resource Owner Password Credential Flow" with Google OAuth2.0 and the Google APIs?
Per an OAuth presentation recently at NDC Oslo 2013, this subject flow apparently skips the authorization endpoint altogether and directly talks to the token endpoint of the OAuth2 server. The request syntax incantation would supposedly look something like this:
grant_type=password&
scope=resource&
username=owner&
password=password
My understanding is the Resource Owner Password Credential Flow is for trusted applications in a back-end enterprise type of situations (where a name-password pair could be securely stored).
This particular OAuth flow would require no end-user consent interaction (no pop-up of a browser to Accept, then get a returned authorization-code, etc). In this subject flow the access & refresh token are directly returned, again: with no end-user interaction (albeit after an entry of a username-password).
Looking through the Google OAuth documentation ( link to Google OAuth2 docs ) there does not seem to be any mention of anything resembling Resource Password Credential Flow, but not sure that necessarily means it is explicitly not supported by Google.
Any help or advice would be much appreciated.
thanks in advance
Dear kind internet person,
it is true that the Resource Owner Password Credential Flow is not supported on Google, but Google suggests you use the Installed Application Flow, which is described in: https://developers.google.com/accounts/docs/OAuth2InstalledApp
You would need to create an Installed Application in the Google Console (https://code.google.com/apis/console); when you do that you can fetch the client_id and build a GET request with the parameters, which would look like so:
https://accounts.google.com/o/oauth2/auth?
scope=<scope>&
redirect_uri=urn:ietf:wg:oauth:2.0:oob&
response_type=code&
client_id=<client_id fetched from google console>
You would construct this URL and navigate to it in your browser, allow access for the app and Google would give you what I believe is a code which you can use to get credentials. You can use those credentials to get an access token and refresh it, and these credentials are permanent. There's a good example of that on GitHub. Note that you only need to get those credentials manually once, and then you save those credentials somewhere and keep using them to get/refresh tokens.
Hope this helps!
As far as I know, No. The OAuth 2.0 stuff is for Google accounts, for which Google does authentication.

Getting started with OAuth

I wanted to build a simple WP7 app to learn how to use Silverlight, so I thought I'd create a very simple Yammer app. As a starter it would have two screens: Login (Username & Password) and Feed.
Yammer uses OAuth for its authentication but I just don't get it! I appreciate you need to request a token to use the REST interfaces, but I don't want my users (even if it's just me) to need anything other than their login credentials, as they would use on the website. In my head the token can be used in a similar manner as a forms auth token in ASP.NET.
Am I missing something? But I can't see anything in the Yammer documentation about logging in.
The process for OAuth is as follows:
You do a token request to Yammer. If needed they will ask for Yammer credentials and send a token back to a URL of your application.
You must use that token to sign all your requests.
You can't stop Yammer asking for credentials because that's the idea of OAuth. Yammer does not trust you and it's impossible for you to keep any user's Yammer credentials. That way they can't be stolen from your site. The most you can store is a temporary token.
There is a very good guide to using OAuth on hueniverse, which features an example workflow. It's not completely up to date with the latest version of the spec, although this probably doesn't matter too much for your purposes.