Against what resource service check bearer/access token? - oauth-2.0

When a client sends a request to a resource service with an OAuth access token,
how does the resource service check the access token? Does the resource server validate the access token against some entity?

When a resource server gets a request with an OAuth access token, it has two options to validate the access token.
The first option is to contact the token introspection endpoint of the authorization server. This endpoint is a standard endpoint defined by RFC 7662, which is part of the OAuth 2.0 specification. According to that spec, the resource server will send a token introspection request to the authorization server. If the access token is valid (e.g. not yet expired) then the response will contain an active=true state. Please go through RFC 7662 to understand how this works.
The second option is to use self-contained tokens. In this approach, the authorization server issues JWT-based access tokens. Once the resource server receives this token, it can go through the contents of the JWT to identify the validity of the access token.

The validation of the token against a specific operation on a specific resource is done using OAuth2 scopes.
The way the resource server performs the validation itself depends on the implementation; the simplest way is to use "self-contained tokens", e.g. JWT ones, so you can get the scopes from the token itself without an additional lookup.
If your server exposes resources using traditional HTTP REST semantics, the simplest implementation is to use an HTTP middleware / filter which just checks the resource URI and the HTTP verb to determine the validity of the operation.
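The verb-plus-URI filter described in the answer above, as an added example that is not part of the original post. It takes claims that have already been verified (from a JWT or an introspection response) and maps each route to the scope it requires; the route table, scope names and paths are constructed for the example. It also shows the response a resource server should give on insufficient scope per RFC 6750 section 3.1, and refuses routes that are not in the table rather than letting them through.

```python
import re
from typing import Dict, Optional

# Constructed route table for this example: (HTTP verb, path pattern, required scope).
# The scope names and paths are invented; map them to your own API.
ROUTE_SCOPES = [
    ("GET", re.compile(r"^/v1/events(?:/[^/]+)?$"), "calendar.read"),
    ("POST", re.compile(r"^/v1/events$"), "calendar.write"),
    ("DELETE", re.compile(r"^/v1/events/[^/]+$"), "calendar.write"),
]


def required_scope(method: str, path: str) -> Optional[str]:
    """Return the scope a (verb, path) pair needs, or None if the route is unknown."""
    for verb, pattern, scope in ROUTE_SCOPES:
        if verb == method.upper() and pattern.match(path):
            return scope
    return None


def granted_scopes(claims: Dict) -> set:
    """Read scopes from already-verified token claims (or an introspection response).

    RFC 6749 section 3.3 defines "scope" as a space-separated, case-sensitive string.
    Some issuers use a "scp" claim instead (assumed here to be either the same
    string form or a JSON array); both shapes are accepted.
    """
    raw = claims.get("scope", claims.get("scp"))
    if isinstance(raw, str):
        return set(raw.split())
    if isinstance(raw, list):
        return set(raw)
    return set()


def authorize(method: str, path: str, claims: Dict) -> Dict:
    """Filter step run after token validation.

    Deny-by-default: a route not in the table is refused even for a valid token.
    On insufficient scope, answer as RFC 6750 section 3.1 describes: 403 with a
    WWW-Authenticate challenge naming the missing scope, so a well-behaved client
    can go back and request the right consent.
    """
    needed = required_scope(method, path)
    if needed is None:
        return {"status": 403, "headers": {}, "body": "route not exposed"}
    if needed in granted_scopes(claims):
        return {"status": 200, "headers": {}, "body": "ok"}
    challenge = f'Bearer error="insufficient_scope", scope="{needed}"'
    return {"status": 403, "headers": {"WWW-Authenticate": challenge},
            "body": "insufficient_scope"}


if __name__ == "__main__":
    # Constructed claims: a token that may read but not write calendar events.
    claims = {"sub": "user-1", "scope": "calendar.read"}
    for method, path in [("GET", "/v1/events/42"), ("POST", "/v1/events"), ("GET", "/v1/admin")]:
        print(method, path, "->", authorize(method, path, claims)["status"])
```

Keeping the scope check in one table-driven filter, rather than scattered across handlers, makes it easy to review which operations a given scope actually unlocks.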

Related

InvalidAuthenticationToken. Access token validation failure. Invalid audience

I am using the client credentials flow of OAuth 2.0 (client credentials grant). I have given the necessary permission Calendars.ReadWrite in my Azure application, which is needed for the API endpoint 'https://graph.microsoft.com/v1.0/me/events'. I am able to get the token from ServiceNow using the API '/{tenant}/oauth2/v2.0/token' and passing the scope as myappURI/.default. But while using the token for posting an event using the API 'https://graph.microsoft.com/v1.0/me/events' I get the 'Code:InvalidAuthenticationToken. Message:Access token validation failure. Invalid audience' error. Any help on this will be much appreciated.
You need to send https://graph.microsoft.com/.default for the scope.
4. Get an access token:
You specify the pre-configured permissions by passing
https://graph.microsoft.com/.default as the value for the scope
parameter in the token request. See the scope parameter description in
the token request below for details.
https://learn.microsoft.com/en-us/graph/auth-v2-service
In my case I was sending the ID Token instead of the Access Token.
ID tokens are meant to be read by the OAuth client.
Access tokens are meant to be read by the resource server.
ID tokens are JWTs. Access tokens can be JWTs but may also be a random string.
ID tokens should never be sent to an API. Access tokens should never be read by the client.
Source: https://oauth.net/id-tokens-vs-access-tokens/
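The two answers above, as an added example that is not part of the original posts: the first builds the client-credentials token request with the resource's `/.default` scope rather than the client's own app URI, and the second reads the `aud` claim of a token to tell whether an ID token (audience = the client itself) or a token minted for some other resource was sent to the API. The token endpoint host `login.microsoftonline.com` and the tenant/client values are assumptions; the sample tokens are constructed and carry a placeholder signature, and `decode_claims_unverified` is a diagnostic only, never an acceptance check.

```python
import base64
import json
from typing import Dict, Tuple
from urllib.parse import urlencode

# Assumed for this example: the v2.0 token endpoint is served from this host.
# Tenant, client id and secret used below are constructed placeholders.
TOKEN_ENDPOINT_BASE = "https://login.microsoftonline.com"


def build_client_credentials_request(tenant: str, client_id: str, client_secret: str,
                                     resource: str) -> Tuple[str, Dict[str, str]]:
    """Shape of the client-credentials token request.

    The fix from the answer is the scope value: the identifier of the resource the
    token will be presented to, followed by /.default, not the client's own app URI.
    """
    url = f"{TOKEN_ENDPOINT_BASE}/{tenant}/oauth2/v2.0/token"
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{resource}/.default",
    }
    return url, form


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def decode_claims_unverified(token: str) -> Dict:
    """Read the payload only, for client-side diagnosis.

    No signature check is performed; never use this to accept a token.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    return json.loads(_b64url_decode(parts[1]))


def diagnose_audience(token: str, expected_audience: str, client_id: str) -> str:
    """Classify why an API might answer 'invalid audience' for this token."""
    claims = decode_claims_unverified(token)
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if expected_audience in aud_list:
        return "access_token_for_this_api"
    if client_id in aud_list:
        # An ID token's audience is the client itself (OpenID Connect Core 3.1.3.7);
        # it was never meant to be presented to the API.
        return "id_token"
    # Minted for some other resource, e.g. the client's own app URI/.default.
    return "access_token_for_another_resource"


def make_unsigned_sample_jwt(claims: Dict) -> str:
    """Constructed test token with a placeholder signature; for the diagnose step only."""
    def enc(data: bytes) -> str:
        return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")
    header = enc(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = enc(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


if __name__ == "__main__":
    url, form = build_client_credentials_request(
        "constructed-tenant", "constructed-client-id", "constructed-secret",
        "https://graph.microsoft.com")
    print("POST", url)
    print(urlencode(form))
    sample = make_unsigned_sample_jwt({"aud": "constructed-client-id", "nonce": "n1"})
    print(diagnose_audience(sample, "https://graph.microsoft.com", "constructed-client-id"))
```

When the result is `id_token`, the client is picking the wrong field out of the token response; when it is `access_token_for_another_resource`, the scope in the token request named the wrong resource.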

Does oauth issue a new token every request?

If you request a token from the server (with the same credentials and within the lifespan of an old token), should it:
return a fresh token every time
return the same token with a shorter lifespan
something else / depends on
Does it depend on whether you use a refresh token?
Can you please reference the OAuth 2 RFC in your answer?
The OAuth 2.0 Authorization Framework is a framework that allows a Resource Owner to CONSENT to allow DELEGATION of their permissions to access a Resource Server to another party (the OAuth Client).
The Authorization Request is performed by the OAuth Client and is fulfilled by the Authorization Server only after obtaining CONSENT from the Resource Owner, by the Authorization Response (which includes an Access Token).
The Access Token is a Bearer Token with a limited lifetime.
The Refresh Token, if used, is presented by the client to request a new access token by authenticating with the authorization server and presenting the refresh token. The client authentication requirements are based on the client type and on the authorization server policies.
The "same" Access Token is never returned or reused by the Authorization Server.
Reading and following the Security Considerations of any Authentication or Authorization Protocol is a must. Most breaches are caused by implementation errors rather than protocol errors.
You should tell us what you have tried and show logs or results, and read:
https://stackoverflow.com/help/how-to-ask

Getting resource from another resource in Oauth2

So here is a case:
I have an identity server, a client application and a resource (API). The identity server provides user info on the endpoint http://identityserver:8080/connect/userinfo. If you send a request with a valid access token you will get additional information about the user. If I need this information on the resource, how would I get it? I have two ideas:
Get the user info with the client. (The client sends a request to the userinfo endpoint, obtains the information and then sends it with the request calling the API.)
The resource API creates a request to the userinfo endpoint itself with the access token. The problem here is that if I want to get the token value from the token store it is not supported information (Java Spring), so basically I do not have the access token on the resource server.
I understand that the userinfo endpoint is basically a resource, so my question is how to proceed if I want to get a resource from another resource while keeping all best practices around OAuth2 and OpenID Connect.
The solution is to use a different grant type. The most suitable is Client Credentials. The identity server is needed to register a new client id and secret, which can be used to exchange for an access token for the API.
The access token is (I assume) available to your API so you can simply pass it on to other APIs (e.g. the userinfo endpoint) assuming the token contains the correct scope.
I'd recommend creating your own abstraction that makes it possible to get the raw ambient token used in the current request so you can then use it to call other APIs.

Separating Auth server and Resource server in oAuth 2.0

I am trying to create an OAuth 2.0 app and have decided to separate the Auth server and Resource servers.
How should I go about maintaining state in clients?
The client will request an auth token from the auth server, and the auth server will verify and send the tokens. Up to this part I understand. How should I now be using the token? Should I be making requests to the Resource server directly with the access token, with the Resource server verifying that access token with the Auth server? OR should I first make the request to the auth server, which then verifies and forwards the request to the Resource server?
The RFC (https://www.rfc-editor.org/rfc/rfc6749) suggests:
(F) The resource server validates the access token, and if valid,
serves the request.
but also that:
The interaction between the authorization server and resource server
is beyond the scope of this specification.
My instinct would be to have your resource server receive a request and then either validate the access token itself if possible, and otherwise query the auth server as necessary, rather than have the auth server proxy requests.
Accessing Protected Resources
The client accesses protected resources by presenting the access
token to the resource server. The resource server MUST validate the
access token and ensure that it has not expired and that its scope
covers the requested resource. The methods used by the resource
server to validate the access token (as well as any error responses)
are beyond the scope of this specification but generally involve an
interaction or coordination between the resource server and the
authorization server.
The method in which the client utilizes the access token to
authenticate with the resource server depends on the type of access
token issued by the authorization server. Typically, it involves
using the HTTP "Authorization" request header field [RFC2617] with an
authentication scheme defined by the specification of the access
token type used, such as [RFC6750].

Spring oauth2 validate token request

Does OAuth2RestTemplate or the access token providers support a validate-token request?
Here is the flow:
The Mobile/Web app authenticates with a third-party Authentication server
and obtains an Access Token.
The user tries to access a secured resource and passes the Access Token in the request, as expected by the protocol.
Is it possible to check this token against the third-party server?
I found something a bit similar here in the form of a refresh token.
Is a validation request part of the OAuth2 standard?
Thanks
No, OAuth2 doesn't enforce a specific token format or API for validating tokens. This is something that has to be decided independently between the resource server and the authorization server.
For example, the UAA project, which uses Spring Security OAuth2, uses signed JWT tokens, so the resource server can validate the contents without having to ask the authorization server directly. It also provides a /check_token endpoint, which will decode the token and verify that it has not expired.
