Is it possible to get refresh_token from JWT requests that sends to "/oauth2/v4/token" path ?
{
"access_token" : "1/8xbJqaOZXSUZbHLl5EOtu1pxz3fmmetKx9W8CV4t79M",
"token_type" : "Bearer",
"expires_in" : 3600
}
The response doesn't contain refresh token key.
ref link : https://developers.google.com/identity/protocols/OAuth2ServiceAccount
Service accounts dont return refresh tokens. there is no need for a refresh token with a service account. The service account itself can be used to request a new access token whenever you need one.
Oauth2
With normal oauth2 you use a client id and a secret to request permission to access data from the resource owner (user) If the user grants you access you get an access token and possibly a refresh token returned (if you requested offline access). This refresh token is based upon the user and the client that created it. Everytime you use the refresh token it will return an access token giving you access to the user owned by the user who granted you access.
service account
A service account is a user. It has access to some data already set up. anytime you use it to create an access token it would always return the same access. Its not user specific like oauth2 would be.
Related
Currently I am using /token endpoint to obtain an access token, an ID token (by including the openid+offline_access scope), and a refresh token for the Authorization Code flow. The value for code is the authorization code that I receive in the response from the request to the /authorize endpoint.
Also to refresh access token as well as an ID token, I am sending a token request with a grant_type of refresh_token.
Below is the reference link, I am trying similar to implement in my custom OIDC application.
https://developer.okta.com/docs/guides/refresh-tokens/main/#renew-access-and-id-tokens-with-spas
Does it suppose to return both refresh_token and id_token OR both are optional if grant_type=refresh_token (also in token endpoint openid+offline_access scope added) in OpenID Connect concept?
Below is the link I am trying to understand.
https://openid.net/specs/openid-connect-core-1_0.html#RefreshTokens
When you use the refresh token, the purpose is to get a new access token. Optionally, depending on the backend configuration, you might get a new refresh token as well (if you use a one-time refresh token setup).
You never get a new ID-token back, the ID token is usually a very short-lived token (like 5 minutes) and its main purpose is to describe how the user is authenticated and who it is. The main purpose of the ID token is to create the local session (typically a session cookie), after that the ID token has no real use.
My skill requires Account Linking which will authenticate customers with an AWS cognito user pool through OAuth 2.0 Protocol.
I can specify in the user pool the TTL of the refresh token, which I decided to have it valid for 60 days.
From what I understand, alexa sends you the access token along with each request that your skill receives so you can identify customers using the skill. If their access token expires alexa would handle this by refreshing their token before forwarding the request with the access token to you. So you can have a valid access token.
Now, what happens when the refresh token expires? and does it expire after 60 days even if the customer is using the skill on daily basis? I guess what I'm asking is:
When the access token expires and alexa refreshes it. Does the refresh token also get refreshed?
If yes, how do we keep the customer signed in and their account linked when the refresh token expires after 60 days?
I think you can find the answers in the documentation.
Verify that the token is valid
If the accessToken exists, verify that it identifies a user in your resource server. The token could become invalid for multiple reasons, for example:
The user deleted or canceled their account with your service. For example, an Alexa user might have set up account linking with Ride Hailer, then later canceled their Ride Hailer account. At this point, the token stored by the Alexa service would identify a non-existent user.
The token has expired, and the Alexa service was unable to obtain a new token. This can occur with an authorization code grant if your authorization server does not provide refresh tokens. This can also occur if you use an implicit grant, which does not support refresh tokens.
If the token is valid, handle the request normally. You can use the token to access data from your resource server as needed. In the Ride Hailer example, the skill would retrieve profile and payment information for the user from the Ride Hailer service, order a car, and return a confirmation to the user. See Return a Response for details.
In OAuth2 protocol, Client (RP in terms of OIDC) application obtains an access token, which enables it to use different services (Resource server role) on behalf of a Resource Owner.
On the other hand, in the OpenID Connect protocol, Client obtains 2 tokens (access and id token). Now this Client can use the access token to fetch user claims from the UserInfo endpoint.
Does OP (Authorization server) play role of a Resource Server here (in terms of OAuth2), and Client fetches user data on behalf of a user?
How is ID token used by the Client? Does Client pass this ID token to the Resource Owner's user agent (Browser) and then, user agent stores this token to enable SSO (cookie)?
Does Client (e.g. different one than the one that obtained the ID token) has to verify the token every time user accesses it (call OP to verify it), or Client does this only first time it gets accessed by this token and then creates security context which enables it to eliminate this request for verification at OP every time? In this case, how could this security context be implemented?
What is the access token used for, except for fetching user claims and why is it sent along with ID token, when Client could use ID token to access UserInfo endoint?
First of all you must understand the purpose of tokens. Access token is a token that is good enough to access a protected resource on behalf of the end user. It is defined by OAuth 2.0 authorization framework. Now having an access token does not authenticate the end user. it simply authorize the client application to access a resource. OpenID Connect introduce the ID Token. Now this token is to be consumed by your client application. Protocol define how this to be done and if valid, your client application can authenticate the end user.
Q: Does OP (Authorization server) play role of a Resource Server here (in terms of OAuth2), and Client fetches user data on behalf of a user?
Partially correct. According to the protocol document, userinfo endpoint acts as OAuth 2.0 protected resource.
The UserInfo Endpoint is an OAuth 2.0 Protected Resource that returns Claims about the authenticated End-User. To obtain the requested Claims about the End-User, the Client makes a request to the UserInfo Endpoint using an Access Token obtained through OpenID Connect Authentication.
Q: How is ID token used by the Client? Does Client pass this ID token to the Resource Owner's user agent (Browser) and then, user agent stores this token to enable SSO (cookie)?
As mentioned previously client must validate the id token and based on that it can authenticate the end user. ID token is not connected with SSO.
Q:Does Client (e.g. different one than the one that obtained the ID token) has to verify the token every time user accesses it (call OP to verify it), or Client does this only first time it gets accessed by this token and then creates security context which enables it to eliminate this request for verification at OP every time? In this case, how could this security context be implemented?
If you are using ID token to be consumed from a protected endpoint, then token receiving party should validate it before accepting it. One may choose to create a session after a proper token validation (session must not extend the life time of the token).
Q: What is the access token used for, except for fetching user claims and why is it sent along with access token, when Client could use ID token to access UserInfo endoint?
Access token is the token your should use to access OAuth 2.0 protected resources. Once the endpoint received it, endpoint can validate the access token against token introspection endpoint exposed by the authorization server (Protocol definition of introspection). And with Openid Connect, defining of userinfo endpoint let any party with valid id token to consume it.
I don't see how you can be confused about that if you've read the RFCs.
You want to think of identity as a "resource" service? fine, but the authentication for this service is different than for RPs, so what's your point?
The Client exists in the User Agent (we're talking about SPAs, right?). If the ID token is in the Client, then it's in the UA (the reverse is not true). If you're thinking of server-side clients, then there is no need to forward the ID token to the UA, unless you want the UA to pass it on to another Client (e.g. for SSO). There are SSO schemes that use the ID token for convenience, but that's not the stated purpose of the ID token.
The whole point of JWS is that you don't need to call the OP to verify a token. You just verify the signature. That may be done by any Client, whether they're the original recipient of a token, or they get it later. Furthermore, the ID token is not meant to authenticate the user. Using it for SSO requires some other form of security, such as storing a related secret in an HTTP-only cookie that will not be seen by the Client. Anyway, even if you use the ID token for SSO, then the ID token is sent only in the login request. After that, the Client will get its own access token for authentication and will not use the ID token again.
The access token is typically short-lived (which means the Client has to contact the OP regularly, which allows the OP a chance to revoke access). The access token is sent with every authenticated request, so it should be small (i.e. not contain user information that is not useful for authentication).
Basically my goal is to make a form that allows every visitor of my website to upload a video in the comment section to my OWN channel. Currently I'm using YouTube OAuth version 3 API for it. The problem is every 3600 seconds, the code from YouTube will be expired and we will be redirected to Google OAuth that asks for permission (Example: https://accounts.google.com/o/oauth2/auth?client_id=805j8tubb260venakqj8jq3f6hl9eluu.apps.googleusercontent.com). And we need to manually click the 'allow' button every time the button expires.
So is it possible to allow access once, and then we dont need to take the code again to give the upload permission to the website visitor?
You should follow KENdi's instructions on how to get the token -- he pretty much pulled it straight from the docs. But, you should only have to do that once. The trick is to save the refresh_token somewhere, and then use that to get a new access token before you want to upload a video. Here's my quick and dirty NodeJS solution:
function getAccessToken () {
const options = {
method: 'POST',
uri: 'https://accounts.google.com/o/oauth2/token',
form: {
client_id: 'YOUR_CLIENT_ID',
client_secret: 'YOUR_CLIENT_SECRET',
refresh_token: 'YOUR_REFRESH_TOKEN',
grant_type: 'refresh_token'
}
}
return request(options)
.then(body => JSON.parse(body));
}
getAccessToken.then((token) => uploadSomeYoutubeVideo());
Try to check if you follow the steps/process here in this documentation.
1. Register your application as an installed application
2. Request an access token
3. User consent decision
In this step, the user decides whether to grant your application the ability to make API requests that are authorized as the user. Google's authorization server displays the name of your application and the Google API services that it is requesting permission to access with the user's authorization credentials. The user can then consent or refuse to grant access to your application.
4. Handle response from Google
5. Exchange authorization code for refresh and access tokens
6. Process response and store tokens
Here, Google will respond to your POST request by returning a JSON object that contains a short-lived access token and a refresh token.
{
"access_token" : "ya29.AHES6ZTtm7SuokEB-RGtbBty9IIlNiP9-eNMMQKtXdMP3sfjL1Fc",
"token_type" : "Bearer",
"expires_in" : 3600,
"refresh_token" : "1/HKSmLFXzqP0leUihZp2xUt3-5wkU7Gmu2Os_eBnzw74"
}
NOte: Your application should store both values in a secure,
long-lived location that is accessible between different invocations
of your application. The refresh token enables your application to
obtain a new access token if the one that you have expires. As such,
if your application loses the refresh token, the user will need to
repeat the OAuth 2.0 consent flow so that your application can obtain
a new refresh token.
Access tokens periodically expire, so it need to be refreshed. When an access token expires, your application may be able to use a refresh token to obtain a new, valid access token. Server-side web applications, installed applications, and devices all obtain refresh tokens during the authorization process.
Note that tokens might stop, no longer work or
expire
if:
The user has revoked access.
The token has not been used for six months.
The user account has exceeded a certain number of token requests.
I am using client credentials flow using Spring OAuth2. The DefaultAuthenticationKeyGenerator stores the access_token in memory for me. However if I run multiple client instances from different hosts and make the /oauth/token client_credentials grant request, I get the SAME access token. So all client instances with the same (client id and client secret) get the same access token. So I must be misunderstanding something fundamentally. Is there a way to have each instance of my client receive its own unique client credentials flow access token with it's own expiration period ? The reason I want this is so I can authenticate the client itself before a user account has been created. After the user account is created I can use the user resource password grant flow to get a user specific access_token.