I'm developing a communication flow through Azure AD with OAuth2. So, I'm testing two flows:
- Credentials Flow
- Authorization Code Flow
Everything works fine, except one thing: The Scope/permission (scp) in the Access Token.
When I request an Access Token with the Authorization Code Flow I have a lot of claims and one very important for my business: the scp. This claim has all scopes configured in the Azure portal.
But when I use the Client Credentials Flow this "scp" claim does not return and I can't check if this Access token generated can access an Endpoint in my resource server.
Any idea how to solve this?
the answer to this question explains quite well why it's not working.
Since there is no redirection (there's not user involved) scp claims are not returned. the solution to your problem is to use application roles.
When you get the OAuth2 token using the client_credentials flow, make sure you are passing the resource parameter and populate it with the appId of the application where you added the roles to the manifest.
Have a look at these two links . Looks like you are correct in the client credential flow scp claims are not visible
Getting the access token for Microsoft Graph API
https://joonasw.net/view/defining-permissions-and-roles-in-aad
Related
Can I define custom scope(s) and have them returned when using the client credential flow in Azure AD?
In my experiment, I configured 2 Azure AD applications, one for a Web API and one for a client (Web API Client A). I added a scope to the Web API but when requesting the access token via the client credential flow, the scope wasn’t returned. 🤔
Also, it only allowed me to request an access token when using .default for a scope, i.e. api://web-api-client-credential-flow/.default.
I ran across this Azure Feedback item: V2.0 Client Credentials Implement Scopes so it appears scopes aren't supported in Azure AD under the client credential flow?
What’s the point in giving my Web API Client A application permissions for that scope if they are not returned? How could the Web API know if the daemon application has that scope to perform the necessary action?
It would seem I would have to use application permissions?
Yes, you have to use application permissions.
Scopes aka delegated permissions only apply when a user is involved in the login process.
They allow you to act on behalf of a user.
Application permissions are sort of roles given to the application itself.
They only apply when doing client credentials authentication, where no user is involved.
You can define application permissions on the app via the Manifest in the app registration.
These can then be assigned to the client application.
When getting the token, you must use .default because you cannot change your app permissions dynamically.
You always get what has been granted already.
In the token the permissions will be in a roles claim.
Can I define custom scope(s) and have them returned when using the client credential flow in Azure AD?
No, but you can define application permission(s) via the manifest (definitely not as nice as the UI for delegated scopes) and have them returned via the client credential flow:
Then you can provide the client app permission:
Now when requesting a token with a scope of api://web-api-client-credential-flow/.default the "scopes" are returned in the roles claim. Sample JWT
Yes, you need to use api://web-api-client-credential-flow/.default for client credential flow.
And the application permissions will be returned in roles instead of scopes.
I have trouble understanding the client_credentials grant in terms of identity. I have secured my web app with OpenId Connect using the authorization code flow. This works as expected and a proper access and id token are returned from the authorization server. So far so good.
Now i have some public APIs i want to give my customers access to. The access to this APIs is done via our different client libraries that we provide.
In many examples out there the client_credentials flow is used for that providing a CLIENT_ID and a CLIENT_SECRET to get an access token. According to the spec this flow involves no end user and therfore no identity token is returned.
Now i am in trouble because i don't know the identity of the caller. The only thing i can say is that the access token is valid but how is this done in practice ?
How do you know which user called your service when using this flow ? Do i have to save a mapping from user_account to client_id/client secret and query for that in my api endpoint to get the user ? I have to make some access decissions based on the identity who called the service.
If that would be true what benefit does OpendId Connect provide for me in that manner when i can get no id token in that flow ? Doing this with simple Oauth2 client_credentials flow will lead to the same result.
Can someone give me some tipps ?
The client_credentials flow is not meant to be used in scenario's where you want to identify an end user. In fact the client_credentials grant type is undefined in OpenID Connect. You should rely on the Authorization Code grant as you suggest.
When using Azure AD client credentials flow, should the oauth2 endpoint (of azure ad) produce a bearer token if the client application has NOT been granted permission to access the requested resource? I was certain it used to error in this case, but I'm now seeing different behavior (a valid bearer token is now provided even if the client application does NOT have permission to the resource application).
We have always allowed tokens to be issues between two services when using the client credential flow. This scenario is basically S2S between Daemon Services.
The important thing to note here is that the built in authorization model for AAD takes advantage of SCP and ROLE claims, which appear in the token and can help your API understand what permissions it has been granted by the user.
However, we want to also allow you, in this situation, to use your own authorization layer. For example, you could simply white-list the App ID of the client application to allow it to make S2S calls to your API, without the presence of any ROLE claims in the token. The token issuance behavior here enables this scenario.
Hello kind people of the internet.
Does Google OAuth2.0 support an OAuth-flow for a Resource Owner Password Credential Flow?
...and if so, then:
A.) can this type of OAuth flow be tested on the Google OAuth2 Playground?
B.) are there any examples of the "Resource Owner Password Credential Flow" with Google OAuth2.0 and the Google APIs?
Per an OAuth presentation recently in Oslo NDC 2013, this subject flow apparently skips the authorization end point all together and directly talks to the token end point of the OAuth2 server. The request syntax incantation would supposedly look something like this:
grant_type=password&
scope=resource&
user_name=owner&
password=password&
My understanding is the Resource Owner Password Credential Flow is for trusted applications in a back-end enterprise type of situations (where a name-password pair could be securely stored).
This particular OAuth flow would require no end-user consent interaction (no pop-up of a browser to Accept, then get a returned authorization-code, etc). In this subject flow the access & refresh token are directly returned, again: with no end-user interaction (albeit after an entry of a username-password).
Looking through the Google OAuth documentation ( link to Google OAuth2 docs ) there does not seem to be any mention of anything resembling Resource Password Credential Flow, but not sure that necessarily means it is explicitly not supported by Google.
Any help or advice would be much appreciated.
thanks in advance
Dear kind internet person,
it is true that Resource Owner Password Credential Flow is not supported on Google but google suggests you use the Installed Application Flow, which is described in: https://developers.google.com/accounts/docs/OAuth2InstalledApp.
You would need to create an Installed Application in the Google Console (https://code.google.com/apis/console), when you do that you can fetch the client_id and build a GET request with the parameters, which would look like so:
https://accounts.google.com/o/oauth2/auth\?
scope\=<scope>\&
redirect_uri\=urn:ietf:wg:oauth:2.0:oob\&
response_type\=code\&
client_id\=<client_id fetched from google console>
You would construct this URL and navigate to it on your browser, allow access for the app and google would give you what I believe is a code which you can use to get credentials. You can use those credentials to get an access token and refresh it, and this credentials is permanent. There's a good example of that on github. Note that you only need to get those credentials manually once, and then you save those credentials somewhere and keep using them to get/refresh tokens.
Hope this helps!
As far as I know, No. The OAuth 2.0 stuff is for Google accounts, for which Google does authentication.
So I've got OpenID+OAuth hybrid working with DotNetOpenAuth when connecting to google. It gives me back a Authorized token so I need to exchange it for an access token.
I seem to be coming in about midway through a normal OAuth workflow in DotNetOpenAuth. I also seem to be missing somethings that DotNetOpenAuth wants like the the token secret and verifier. However according to the graph here I shouldn't need them.
Any ideas how to easily swap the auth token for an access token with DotNetOpenAuth?
Since you're talking about the OpenID+OAuth hybrid I expect you're writing a web app (as opposed to an installed app). DotNetOpenAuth should only be asking you for a verifier code if you're using the DesktopConsumer class, which is inappropriate for you. Use the WebConsumer class instead and the verifier will be taken care of for you. Swapping the request token for an access token will be automatic as you call the simple methods on WebConsumer, I hope.
As for the token secret, all token secrets are managed by your implementation of ITokenManager, which will save and retrieve token secrets on demand within your database.