Almost every OAuth 2 doc says that the best option to set up authentication is to use the implicit flow in case you have a SPA app, 'cause you can't keep a "client secret" secure on the client side as it runs entirely in a browser, except one article that I was able to find - https://www.oauth.com/oauth2-servers/single-page-apps/#authorization - relating to the option of using the code flow instead of the implicit one.
But what if one uses the code flow with no client secret stored on the client side, with the necessary use of the "state" parameter and a pre-registered redirect URL on the server side, as there is no way to verify the identity of the client without the "client secret", as is described in the link above? Maybe I'm missing something, but I just wanna know if such an approach is more secure to use than the implicit flow, which bypasses the code exchange step, or not. Will be glad to hear any suggestions concerning the matter!
Related
I have my REST API server which stores user data and handles all the requests. The front-end lives on another server and then there's also a mobile app. I would like to integrate OAuth2 but have my doubts on what grant type to choose. On one hand, the ROPC grant type is best in my situation since I don't allow any third party apps, and I don't want the user to be redirected anywhere, and the user never gets to use my endpoints directly, only with some kind of interface (front-end, or mobile GUI). So, what are the possible options here?
Normally Authorization-Code Grant is the way to go. I assume you are asking this question, because you heard that ROPC is rather unsafe to use and should be avoided when possible? And that would be true.
Use Authorization Code Grant. Better: use Authorization Code Grant with PKCE. (PKCE is mandatory on mobile apps and a good practice on web apps too.)
I know that the Authorization Code grant can seem complicated at first, but it is really the way to go with OAuth.
Okta blog post on PKCE
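The secret-less code flow asked about in the first question, with the PKCE the answer above recommends, as an added example (not code from either post). The issuer URL, client id and redirect URI are hypothetical; the last function shows the check the authorization server performs instead of asking for a client secret.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical issuer, client id and redirect URI, chosen for this example only.
AUTHORIZE_URL = "https://issuer.example/authorize"
CLIENT_ID = "spa-client"
REDIRECT_URI = "https://app.example/callback"


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def start_authorization() -> tuple:
    """Return the URL to send the browser to, plus the values the SPA must keep
    (e.g. in sessionStorage) until the callback arrives."""
    verifier = b64url(secrets.token_bytes(32))  # 43-char code_verifier, stays in the browser
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    state = secrets.token_urlsafe(16)  # binds the callback to this browser session
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI,  # must match the pre-registered value exactly
              "scope": "openid profile", "state": state,
              "code_challenge": challenge, "code_challenge_method": "S256"}
    return AUTHORIZE_URL + "?" + urlencode(params), {"state": state, "code_verifier": verifier}


def handle_callback(callback_url: str, pending: dict) -> dict:
    """Check the state, then build the token request body. No client secret is sent:
    the code_verifier proves the client redeeming the code is the one that started."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != pending["state"]:
        raise ValueError("state mismatch: this callback was not started by us")
    return {"grant_type": "authorization_code", "code": query["code"][0],
            "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
            "code_verifier": pending["code_verifier"]}


def server_checks_verifier(stored_challenge: str, code_verifier: str) -> bool:
    """The authorization server's side of the token request: recompute
    S256(code_verifier) and compare it with the challenge stored with the code."""
    recomputed = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
    return secrets.compare_digest(stored_challenge, recomputed)
```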
I am new to the implicit flow using OIDC and I am looking for sample code. I could not find anything on the internet. Can someone provide links to sample code anywhere?
Any help is really appreciated.
Switching from the code flow to the implicit flow usually just means changing the response_type parameter in your authorization request to token instead of code (or id_token token if you also want the ID token). Then you read the token directly from the response from the Authorization Server (no need to exchange the code for a token). This should be relatively simple to achieve with any OIDC client library, or even just an HTTP client.
Take any OIDC client and change the response_type parameter used by it. If you run into any concrete problems I'll be glad to help.
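The response_type change and the fragment read described above, as an added example (not from the answer). Issuer, client id and redirect URI are hypothetical, the redirect at the bottom is a constructed sample, and the ID token in it is unsigned so that the nonce check can be shown without a JOSE library.

```python
import base64
import json
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical issuer, client id and redirect URI, chosen for this example only.
AUTHORIZE_URL = "https://issuer.example/authorize"
CLIENT_ID = "spa-client"
REDIRECT_URI = "https://app.example/callback"


def implicit_request(state: str, nonce: str) -> str:
    """Same request as the code flow; only response_type changes."""
    params = {"response_type": "id_token token",  # "token" alone if no ID token is needed
              "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI, "scope": "openid",
              "state": state, "nonce": nonce}  # nonce is echoed back inside the ID token
    return AUTHORIZE_URL + "?" + urlencode(params)


def b64url_json(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def unverified_payload(jwt: str) -> dict:
    """Decode the ID token claims only; signature verification belongs to a JOSE library."""
    payload = jwt.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def read_implicit_response(redirect_url: str, state: str, nonce: str) -> dict:
    """Tokens arrive in the URL fragment, straight from the Authorization Server;
    there is no code and no token endpoint call."""
    frag = parse_qs(urlparse(redirect_url).fragment)
    if "error" in frag:
        raise ValueError(frag["error"][0])
    if frag.get("state", [None])[0] != state:
        raise ValueError("state mismatch: response does not belong to our request")
    tokens = {k: v[0] for k, v in frag.items()}
    if "id_token" in tokens and unverified_payload(tokens["id_token"]).get("nonce") != nonce:
        raise ValueError("nonce mismatch: ID token was not minted for this request")
    return tokens


# Constructed sample of what the Authorization Server redirects back to; the ID token
# is unsigned here to keep the example short, a real one carries a signature to verify.
SAMPLE_STATE, SAMPLE_NONCE = "st-4f7a", "nc-91bd"
SAMPLE_ID_TOKEN = b64url_json({"alg": "none"}) + "." + b64url_json(
    {"iss": "https://issuer.example", "aud": CLIENT_ID, "nonce": SAMPLE_NONCE}) + "."
SAMPLE_REDIRECT = REDIRECT_URI + "#" + urlencode(
    {"access_token": "SlAV32hkKG", "token_type": "Bearer", "expires_in": "3600",
     "id_token": SAMPLE_ID_TOKEN, "state": SAMPLE_STATE})
```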
I am trying to understand OAuth2 and its grant types. I just want to know what is the proper grant type flow to authorize a browserless application (a job, for example) with a REST API.
authorization_code and implicit flow require user interaction (writing the username and password in the browser), hence neither is suitable for browserless authorization.
client_credentials could work, but there is no user in the authorization process, so what happens if the REST API needs to know the user to check for permissions/roles/scopes? Maybe creating a client for each user could work, but it sounds like a bad thing.
The password grant type will be deprecated in the OAuth 2.1 specification, so this is not an option.
You may think that OAuth2 is not the framework to use in this case, because you don't need authorization delegation, but what about if you have both (it is so common), a single page application where you could delegate authorization and also a REST API? What is the proper way to authorize a REST API using OAuth2?
Given that this is a background job, Client Credentials Grant is the best OAuth 2.0 related approach. And, it does not use any end user credential (End users and clients are two different entities with respect to OAuth 2.0). Hence you simply need a credential for the given client application.
Another approach is to enable API tokens. But this will require a manual step where you will insert the token into the background job. Again, this is independent from any end users.
P.S. - Read about roles (i.e. - client vs end-user/resource owner) - OAuth 2.0 roles
I am a novice to how OAuth2 with JWT works but must learn it in a short time :) After reading a bit I drew the following abstract of how it works.
Now I have two questions in my mind.
(1) Is my way of understanding how OAuth2 works fine?
(2) As far as I know, after step 6 (diagram) there is no further request to the authorization server. Then anyone (an intruder) who knows the token which was given by the auth server can communicate with the web API and obtain unauthorized access. How is this not possible?
(I know that the token cannot be altered by the intruder, since then the web API would know that, but without altering it the intruder can still communicate with the web API.)
I know I have missed something; please kindly show me where I have missed it?
You have to take security measures to protect your token from being stolen. This is no different than preventing session-id from being stolen in session based authentication.
Anyone with access to a valid token is by definition an authenticated user, no matter how the token was retrieved.
Whether your web API communicates with the authentication system directly is not relevant.
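What the web API checks locally after step 6 so that no call back to the authorization server is needed, as an added example (not from the answer): it verifies the signature, issuer, audience and expiry, so an unaltered stolen token works only until exp. The shared HS256 key, issuer and audience names are constructed for this example; an API verifying RS256 tokens would load the issuer's public key instead.

```python
import base64
import hashlib
import hmac
import json

# Constructed key and names for this example; a real API loads the key (or the
# issuer's public key for RS256) from configuration, never from the token itself.
SHARED_KEY = b"example-only-hmac-key-not-for-production"
ISSUER, AUDIENCE = "https://auth.example", "orders-api"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(sub: str, lifetime: int, now: int) -> str:
    """Auth server side (step 6): sign the claims once; short lifetimes bound the damage."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps({"iss": ISSUER, "aud": AUDIENCE, "sub": sub,
                              "iat": now, "exp": now + lifetime}).encode())
    sig = hmac.new(SHARED_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def verify_token(token: str, now: int) -> dict:
    """Web API side, on every request, with no call back to the auth server."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, body, sig = parts
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the API decides the algorithm, not the token
    expected = hmac.new(SHARED_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")  # altered token, as the question already assumes
    claims = json.loads(b64url_decode(body))
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise ValueError("token not issued for this API")
    if now >= claims["exp"]:
        raise ValueError("expired")  # a stolen but unaltered token stops working here
    return claims
```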
Using the OWIN and Thinktecture components is very powerful. I have an MVC app that is fully secured using an Identity Server we built on Thinktecture. It can call our web API secured as a resource through our IDS.
We now have a new feature that we need to call out to a 3rd party and access their API to grab some data. They also protect their API through OAuth2 using their identity services. I thought doing this would be straightforward, but I am struggling figuring out the actual code to do this. Basically they request a page in our MVC app. It requires authorization, but that is authorization from our IDS. We look up the access and refresh token to use for our user to call the 3rd party. If not found, or if it is expired, we need to authorize with the 3rd party by having the user log in to their IDS, give consent, etc.
I could not find any client examples to handle this. Can someone point me to an example or point me in the right direction?
I looked closer at the IdentityServer3 samples and found the MVC manual Code Flow client and dug into it a little bit. I was able to take the code from there and alter it a little bit to save off nonce and state a different way and then was able to accomplish what I wanted.