I'm using the newest version of Doorkeeper (which is a wonderful gem) and enabled PKCE. It works great for authorization flow (I use authorization_code). However, when I'm trying to refresh token later I'm getting 401.
Params
{"refresh_token"=>"[FILTERED]", "scope"=>"xxx",
"redirect_uri"=>"com.example://callback",
"client_id"=>"xxx", "grant_type"=>"refresh_token"}
The client is a mobile app using AppAuth which as can you see above doesn't send code_challange when refreshing a token. As we read here creators of PKCE says that server should allow for refreshing token without sending code challenge again. How the gem implements that?
Related
I'm having an Angular application that performs user authentication via Microsoft account. For this, I'm using the MSAL JS library which does work fine to authenticate the user. But we have the requirement where our backend server requires to call Microsoft Graph APIs. Now the issue is that the MSAL library returns access_token which has got a life span of 1 hour and so it can not be used once it is expired from our backend server.
So I'm looking for a way where I can get an authorization code, which can be exchanged from our back end server to get the access token and refresh token. And as we've got the refresh token as well, we can refresh the access token whenever it gets expired considering a refresh token is still valid.
I'm not sure if this is possible via the MSAL library or not, or if there is any other alternative available for SPA to support the case, I've described above.
It is possible with MSAL.js 2.0 which is a drop-in replacement for MSAL.js 1.x and supports the authorization code flow for Single page applications. With MSAL.js 2.0 you can use the authorization flow with PKCE and refresh tokens in the Microsoft identity platform to keep users signed in while third-party cookies are blocked.
Read more here:
https://learn.microsoft.com/en-us/azure/active-directory/develop/tutorial-v2-javascript-auth-code
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-implicit-grant-flow
https://learn.microsoft.com/en-us/azure/active-directory/develop/reference-third-party-cookies-spas
I have really hard time trying to understand mostly how should I implement my authorization flow. I think I have the authentication flow mostly correctly implemented using the technologies I've listed in the title. Here's what I want to achieve:
Basically I have a mobile app built using React-Native and I have made a restful API for this mobile app to use. I am currently at the point that I have implemented authentication using ADFS 4.0. My mobile app directly uses the ADFS endpoints to authenticate the user and I am able to receive the id_token and access token correctly from there. But here comes the part that I have no clue what to do next. Before I used openID, I had my own authentication and just an OAuth2 flow in my Spring REST Api and everytime I made a request from the mobile app to the API, I provided the access token in the headers, and used it to verify from the authorization server that the user is indeed authenticated and also received some crucial information about the user to use in my API. But now since I use OpenID-Connect and ADFS 4.0 for the authentication, I have the cruicial information I need in my API in the id_token. The question is, what exactly should i send to my API now from the mobile app, the id_token, access token or both? Given the access token to the userinfo endpoint at the ADFS returns the subject of the owner of the token. Like is there any way I could receive the users info using the subject or what exactly should I do. I've tried to research this subject a lot, but I am still very confused..
Send the access token to the API in the Bearer header. In the API, validate the token and, if required, do user info lookup. A Spring example of mine here if it helps.
Happy to answer any follow on questions ..
With LinkedIn's planned deprecation of their JS SDK, is there any way to complete the OAuth2 flow and obtain an access token from the client-side, without using a server-side proxy to exchange the auth code for the token?
According to this SO post, LinkedIn does not allow for an implicit grant flow. It's from 2015, but appears to still be relevant.
Is there any alternative way I can obtain an access token for a user who authenticated with LinkedIn, without hitting a self-hosted proxy? My application only needs basic profile data for the user.
Edit
To provide more context, the error I receive when making the second request to https://www.linkedin.com/oauth/v2/accessToken is No 'Access-Control-Allow-Origin' header is present on the requested resource. The same request made from postman works fine and returns the access token. I understand this CORS issue comes down to browser policy. Right now I'm testing from localhost over https. Once the front end code is deployed to a proper domain, will the error persist? Is there any alternative way to get around this?
Thank you!
My API uses the devise_token_auth (omniauth) gem for authentication in the Rails 5 backend. The frontend are using ng-token-auth (Angular 1.x).
I have all the API requests in Postman. I did the security implementation and I need authenticate Postman with every request. Devise_token_auth uses authentication with OAuth 2 and I am having difficulty to implementing this authentication.
For this type of authentication, using Postman, what is the process needed to obtain the connection?
For getting the token, there are few things you need to setup.
The client ID, client Secret are the things to be added into your identity serve as clients.
The Auth Url and access token url will be provided by the identity server and you will be able to get the url by hitting the identity server website when its ready for testing.
The grant type also is dependent upon how you setup the client. For the first time try doing the access token instead of authorization code flow.
For the authorization code flow its a two step process. Get the code first and use the code to get the token.
I recomment watching this tutorial which will help you in understanding Identity server and oauth better.
https://app.pluralsight.com/library/courses/oauth2-openid-connect-angular-aspdotnet/table-of-contents
I am using a custom authorization server using Spring. When hitting my protected resource on the client, I am successfully redirected to the auth server. I log in and get the OAuth approval page. Once I authorize the scopes, I am redirected back to my client app with a URL such as:
http://myapp.com/login?code=UjG0wC&state=POez9N
I get that this is the authorization code and it can be exchanged for a token. However, I am having trouble finding examples of how to do this. Do I need to write code to now go and request the token from the auth server, or is there a configuration piece that I am missing? Would it be better to focus on switching to the implicit grant type?
I was missing an AuthorizationServerConfigurerAdapter, which needed to include allowFormAuthenticationForClients()