I have decoded JWT token using 'jwt.io' . I found one claim 'gty' in payload section. What is the meaning and significance of it.
gty is not a registered claim name as defined in RFC 7519.
Although I could not find any reference clearly stating it, it seems
auth0.com uses gty for the grant_type that was used to request the token. e.g. client-credentials or password
Here's an example in the Auth0 community in which grant_type password and the gty claim are mentioned.
Related
We’ve implemented PHPMailer with oauth2-google (via GitHub): no problem.
But I am trying to understand the logic behind the use of the get_oauth_token grant code.
When run standalone, it simply ‘loops’ to the authorization endpoint and back to get an authorization token and then uses this to request an access token and a refresh token from the token endpoint. Developer then pastes the refresh token as a parameter in the instantiation of PHPMailer’s OAuth wrapper class. All very straightforward.
My puzzle is whether:
get_oauth_token.php is then used by PHPMailer OAuth plus theLeague’s OAuth-client
or
whether the latter get authorization and access tokens (and if necessary a new refresh token) themselves without calling get_oauth_token.
The redirectURI (i.e. the URI of get_oauth_token) is not passed to the Google provider instantiation in the PHPMailer published example, and our working (so far...) implementation doesn’t do so either. So I assume it doesn’t use get_oauth_token or any similar callback mechanism since the redirect URI necessary would need to be defined in advance to Google Developer console in the way it is for get_oauth_token itself. But thephpleague / oauth2-google's Readme.md indicates that one should be specified.
However … theLeague’s OAuth-client’s Abstract Provider class includes a __construct to set some options that include redirectUri. Later on in getAuthorizationParameters it sets a redirectUri if one hasn’t been provided, and redirectUri is used in e.g GetAcccessToken.
Can anyone shed light on exactly how redirectURI is being used in this context?
The redirectUri is required in order for Google to redirect back to the originating website to complete the OAuth transaction, after the user logs into Google. Once the access and refresh tokens are available, the redirectUri will (probably) never be used, unless the refresh token is invalidated.
I don't understand what any of this has to do with PHPMailer, so I can't answer that part of the question.
I make use of the class org.springframework.security.jwt.JwtHelper from org.springframework.security:spring-security-jwt:1.1.0.RELEASE for decoding JWT tokens, e.g.
Jwt jwt = JwtHelper.decode(accessToken);
String claims = jwt.getClaims();
The above classes are deprecated and the deprecation comment points to Spring Security OAuth 2.0 Migration Guide.
This guide does not talk about any replacement for JwtHelper.
I found the class JwtDecoders which creates a JwtDecoder in the new spring-security-oauth2 project. But JwtDecoders requires an issuer to be passed.
Since I do not wish to verify the token, is there a simple alternative available? Otherwise I can split on . and base64-decode the token, and use any JSON library to parse.
The replacement used in Spring Security is nimbus-jose-jwt. If you don't use Spring Boot, you have to choose a version otherwise Spring Boot will choose one for you.
<dependency>
<groupId>com.nimbusds</groupId>
<artifactId>nimbus-jose-jwt</artifactId>
</dependency>
You can just use it like this:
import com.nimbusds.jwt.JWTParser;
....
JWT jwt = JWTParser.parse(accessToken)
Header = jwt.getHeader();
JWTClaimsSet jwtClaimSet = jwt.getJWTClaimsSet();
This worked fine for me without any new dependency
Jws<Claims> claimsJws = Jwts.parserBuilder().setSigningKey(Keys.hmacShaKeyFor("secretsecretsecretsecretsecretsecretsecretsecretsecretsecretsecretsecretsecretsecret".getBytes()))
.build().parseClaimsJws(token);
String username = claimsJws.getBody().getSubject();
Authentication authentication = new UsernamePasswordAuthenticationToken(username,null, null);
SecurityContextHolder.getContext().setAuthentication(authentication);
Do not skip token verification! Failure to verify the token properly will result in an insecure app.
It is very important that you check the issuer (iss claim) of the token and verify it is correct and that it is supposed to be accepted by your application. Only accept tokens from issuers that have the authority to grant access tokens for your app.
Also verify the token is intended for your app (check aud claim): you don't want users misusing tokens intended for other apps (e.g., if user has token with all the right claims, but with aud claim set to another app; that shouldn't be a valid token for you).
Now, make certain to check the signature of the token to verify it is actually signed by the issuer and it is not a bogus token: you can find the issuer's public keys by contacting the issuer. If you don't get the public key directly from the issuer, and you don't verify the signature of the incoming token properly, a malicious user will be able to forge a seemingly-valid token that your app will accept, and your app will be at risk of leaking catastrophic amounts of data.
The last step is to check validity (is it expired?) and to then to check for whatever other claims or scopes your app expects and requires.
If you wish to avoid an additional dependency (e.g. nimbus-jose-jwt), feel free to fork or copy this small utility class: JwtUtils.java
I'm trying to call (POST) the Auth0 delegation endpoint from Postman with the following request, as suggested by Auth0:
Content-Type: 'application/json'
{
"client_id": "{CLIENT_ID}",
"grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
"id_token": "{YOUR_ID_TOKEN}",
"target": "lwTL1rYVfC0KsBUFPeKWY3HvGjbIgdDM",
"api_type": "salesforce_api",
"scope": "openid"
}
I'm getting this error, even though the grant_type parameter is included in the above request:
{
"error": "invalid_request",
"error_description": "Missing grant_type parameter"
}
What am I doing wrong here?
From Auth0's new OIDC Conformant Authentication docs:
Delegation
Given that ID tokens should no longer be used as API tokens and that refresh tokens should be used only at the token endpoint, this endpoint is now considered deprecated.
At the moment there is no OIDC-compliant mechanism to obtain third-party API tokens. In order to facilitate a gradual migration to the new authentication pipeline, delegation can still be used to obtain third-party API tokens. This will be deprecated in future releases.
Also, from Auth0's Using AWS with Tokens docs:
Legacy Grant Types
As of 8 June 2017, new Auth0 customers cannot add any of the legacy grant types to their clients, which are required for use with the Delegation endpoint. Legacy grant types are only available for previous customers while they migrate to new flows, to avoid breaking changes. To find the secure alternative for your case refer to Secure Alternatives to the Legacy Grant Types.
Reading further from the Secure Alternatives to the Legacy Grant Types link:
Legacy Grant Type
http://auth0.com/oauth/legacy/grant-type/ro/jwt-bearer
Alternative
This feature is disabled by default. If you would like this feature enabled, please contact support to discuss your use case and prevent the possibility of introducing security vulnerabilities.
More info on legacy grant types can also be found here.
So, the problem you are having is that Delegation has been deprecated. That means the /delegation endpoint and more importantly the jwt-bearer grant type, have been deprecated. If you are a new customer, you are out of luck. If you are an existing customer you need to contact support to get it enabled.
As to why Postman returns the cryptic "Missing grant_type parameter" error as opposed to the much better "Grant type 'http://auth0.com/oauth/legacy/grant-type/delegation/id_token not allowed for the client." error you get with other browser extension based REST Clients, your guess is as good as mine.
A client credential grant does not return a refresh token (DotNetOpenAuth.OAuth2.AuthorizationServer.PrepareAccessTokenRequest forbids it). But ClientBase.AuthorizeRequest requires it.
Is this a bug in DotNetOpenAuth or am I doing something wrong?
I suppose I can work around by inheriting ClientBase and overriding AuthorizeRequest. Is that the correct thing to do?
Edit: It's not so easy to inherit from ClientBase outside of DotNetOpenAuth because a lot of the stuff you want is internal only. e.g. ErrorUtilities.VerifyProtocol
Edit2: Just read the draft OAuth 2 spec (draft 25) referred to in DotNetOpenAuth.OAuth2.AuthorizationServer.PrepareAccessTokenRequest and I can't find where it disallows refresh tokens for Client credential grant type. Maybe they changed it?
Google returns Refresh Token if you request it. Provide parameter in query string access_type=offline.
In my case I had to amend default Authorization Endpoint URL to: https://accounts.google.com/o/oauth2/auth?access_type=offline
Google Api C# example using DotNetOpenAuth:
private WebServerClient GetClient()
{
return new WebServerClient(
new AuthorizationServerDescription
{
AuthorizationEndpoint = new Uri("https://accounts.google.com/o/oauth2/auth?access_type=offline"),
TokenEndpoint = new Uri("https://accounts.google.com/o/oauth2/token"),
ProtocolVersion = ProtocolVersion.V20,
},
clientIdentifier: this.settings.GoogleApisClientIdentifier,
clientSecret: this.settings.GoogleApisClientSecret
);
}
NOTE from my experience: This works only for the First request.
See Google Documentation.
I'm not sure why you say that ClientBase.AuthorizeRequest requires it. Firstly, there is an overload that only takes an access token, so it doesn't even ask for a refresh token. The overload you may have tried accepts an IAuthorizationState object, which may or may not include a refresh token, and it appears that that method only looks for a refresh token if the access token has expired. Since an expired access token can't be used, it tries to refresh it and throws if it can't. It seems reasonable to me.
Whichever method overload you choose to call, your calling mode must either avoid using expired access tokens or be prepared to respond to the exceptions that are thrown when DotNetOpenAuth or the resource server determines that they are expired or revoked. In fact since tokens can be revoked before they expire, it's a good idea to always be prepared for that.
The OAuth 2 spec draft 25 does in fact indicate that a refresh token should not be included in a response to the client credentials grant. From section 4.4.3:
4.4.3. Access Token Response
If the access token request is valid and authorized, the authorization server issues an access token as described in Section 5.1. A refresh token SHOULD NOT be included. If the request failed client authentication or is invalid, the authorization server returns an error response as described in Section 5.2.
what is the correct grant_type for foursquare oauth2 access?
I am using grant_type=authorization_code
but I keep getting {"error":"invalid_grant"}
"authorization_code" is the correct grant type (as specified # https://developer.foursquare.com/overview/auth).
Your error message seems to be related do you having a bad/expired code, or specifying an incorrect client_id