Once the ApplicationOAuthProvider has validated the user login (in the GrantResourceOwnerCredentials), how can I get the access token generated by the provider?
I'm trying to get the access token in order to save it (associated to the user) to avoid concurrents login.
Thanks!
I figure out some workaround for this.
It's possible to define a custom AccessTokenProvider in your Startup.Auth.cs class.
Then you can get the bearer access token from your custom access token provider as simple as
var token = context.SerializeTicket();
context.SetToken(token);
Cheeers!
Related
Given that I have an access token generated using password grant type from the auth server. Is it proper to store the userId inside the token so that when the resource server decrypts the token, it'll use the userId when querying to its own database to get, for example, all posts made by the user?
Short answer : yes it is valid to have a self contained access token. Typically this will come in form of a JWT. If this is the case, you can extract JWT's sub claim (sub) to get end user identifier.
On the other hand, if you have a opaque access token, you can introspect the token from token introspection endpoint of identity server. The response can have the optional subject (sub claim) which is the identity of end user.
Once you obtain user identifier either of way, it's up to your application to use it.
I'm trying to secure my endpoint using open Id connect. Currently there is only a mobile app client. With Google as the Identity provider, I have Id_token and access_token.
My question is can I use this access token returned as a part of authentication to authorize user to access my endpoint?
If yes, Is there a way to validate the access token within my server?
Or Should I create an access token for the user and store the same, so that when the user requests, I will check in the DB/Redis ?
OpenID connect is an Authentication layer on top of the "Authorization" framework OAuth 2.0. So the Access Token is the "Authorization" for the OAuth Client to access the resource.
Perhaps this post may help.
As #jwilleke mentioned, OAuth2.0 doesn't specify a way in which an access token can be validated with Authorization server.
Hence the approach that I took was to verify the JWT Id token by checking the signature of it and storing the access token returned along with it.
Whats the best way to programmatically authenticate user using OAuth 2.0 Authentication Code Grant ?
Wondering if there is a way to combine step A and B as stated on the spec - https://www.rfc-editor.org/rfc/rfc6749#section-4.1, i.e pass user ID and password as part of authorize call ? Something like,
/authorize?response_type=code&client_id=s6BhdRkqt3&state=xyz
&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb&user_id=john.doe#mail&password=xxxx
I believe one way is to submit() the form returned by the Authorization server with user id and password. Taking this route would create a dependency on the form and any changes to it given it is not a public API.
The Authorization Code grant is designed to be used with a full browser i.e. should not be used to authenticate the user programmatically. In fact using it programmatically would defeat the purpose of OAuth 2.0 to not divulge the user's credentials to the Client.
Grants like Client Credentials and Resource Owner Password Credentials have been designed to be used with non-browser Clients.
Alternatively you could create an access_token and refresh_token for your Client in a browser using the Authorization Code grant, then pass the tokens to your non-browser Client so that it can use the refresh_token on its own to obtain a new access token when the old one expires.
I have created a service, without user interaction, to access my API. The Api needs to know the user. Therefore I need the resource-owner flow.
For accessing my Api I need an access_token with the correct scope "MyApiScope".
I can obtain an access_token with the resource-owner flow specifying scope="MyApiScope". But I won't get a refresh token in this way.
I can obtain a refresh_token with the resource-owner flow specifying scope="offline_access". But the access_tokens generated with this refresh token can't be used to access my Api because they do not contain the right scope, "offline_access" != "MyApiScope".
Is it just not possible in this scenario to use refresh tokens and should I therefore always use the username/password to obtain a new access_token?
Thanks for your advice.
Just add all the required scopes separated by spaces.
grant_type=password&username={USERNAME}&password={PASSWORD}&client_id={CLIENT_ID}&client_secret={CLIENT_SECRET}&scope=MyApiScope offline_access
I need to generate or make url-link with inline token, that i can send to user email for only once login.
I found how get access_token for user for redirect to my endpoint (How do I obtain an OAuth token from WSO2 using the Consumer Key/Secret?), but I don't understand what to do next. I found how validate token, refresh it, but nothing about logon by token.
I need something like https://my_wso2is/auth_token?token=37133621-f099-33c4-b686-c017ed229fc0
You can use OIDC in order to get the user authenticated and then allow access to your application. You can find more information from [1] about how WSO2 IS works with OIDC using one of the sample applications named playground.
[1] https://docs.wso2.com/display/IS500/OpenID+Connect+with+the+WSO2+Identity+Server+and+WSO2+OAuth2+Playground