I've built a simple webapplication using Spark and pac4j. It is supposed to authenticate users with WSO2 Identity Server 5.0.0, using the OAuth 2 "Authorization Code Grant".
The OAuth flow seems to work fine, but not completely:
user is redirected to WSO2 (/oauth2/authorize?response_type=code&client_id=foo&redirect_uri=bar&scope=openid&prompt=consent)
user identifies with username / password
user gives consent to exchange claims with my webapplication
my webapplication exchanges the code it receives for an access token and a refresh token
However, finally pac4j retrieves the user profile (/oauth2/userinfo?schema=openid), using the access token. This always gives me the response
{"error":"invalid_token","error_description":"Access token validation failed"}
And WSO2 logs
TID: [0] [IS] [2018-03-14 16:20:30,446] DEBUG {org.wso2.carbon.identity.oauth.endpoint.user.OpenIDConnectUserEndpoint} - org.wso2.carbon.identity.oauth.endpoint.user.UserInfoEndpointException: Access token validation failed {org.wso2.carbon.identity.oauth.endpoint.user.OpenIDConnectUserEndpoint}
The access token is still present in the IDN_OAUTH2_ACCESS_TOKEN database table:
TIME_CREATED VALIDITY_PERIOD TOKEN_STATE TOKEN_STATE_ID
------------------------------------------------------------------
2018-03-14 10:40:35.940 3600000 ACTIVE NONE
I don't understand why WSO2 says my access token is invalid.
Can anyone shed some light on this?
Well, strange as it is... Deleting all access tokens and authorization tokens in the WSO2 database resolved the issue.
Related
When a user's access and ID tokens expire, they should be considered invalid and refreshed using the refresh token. If unable to do so, the user's session should be expired. *(stating from the issue itself) *
Issue Reference - https://github.com/spring-projects/spring-security/issues/6814
Question -
Any leads on how to customise this for now?
Framework Details:
There is a UI Application which servers as 'Client'
Sample Client configuration
There are multiple 'Resource Servers'
Sample Resource Server 1 Configurations
I have Keycloak for authentication and authorization of multiple applications (a web page and a REST API). From my understanding the flow for the web page when using OAuth2 authentication_code grant type is as follows:
In this flow, in the second step (the one in red) the resource owner logs in because she/he were redirected to the login page of Keycloak. This flow is clear to me and is working well.
But, with the REST API I don't know what is the process to authenticate and authorize the user (resource owner), because there isn't a browser to redirect him to the login page of Keycloak. So, I tried with the password grant type and it worked, but then I realized that this grant type is deprecated. So I tried again with the authorization_code grant type but can't make it work. I am trying to get the token using the following request:
URL: http://localhost:8080/auth/realms/somerealm/protocol/openid-connect/token
Body:
username: someuser
passwoord: somepassword
grant_type: authorization_code
client_id: someclient
secret: somesecret
The problem is that I am receving the following response:
{
"error": "invalid_request",
"error_description": "Missing parameter: code"
}
I know I have something wrong in the request (and in my understanding of OAuth2), but I have read a lot and can't discover what it is.
API (backend) doesn't need any login flow usually. It just needs to verify token and then it executes requested operation or it denies it (response code 401 - problem with authentication / 403 - problem with authorization). It doesn't redirect to auth server.
Client, which is using API must obtain token before API request. It can be done by the frontend (e.g. SPA with The Authorization Code Flow + PKCE) and then frontend maintains state (token refresh, error codes from the API, ...).
If you don't have any frontend, then procedure how to get token must be part of API specification. For example see swagger doc: https://swagger.io/docs/specification/authentication/oauth2/
The Client credentials flow should be used machine to machine authentication, so it's not a solution if you need to know user identity.
With the authorization_code grant type you have to spawn a browser in some way.
password is unfortunately deprecated, but the recommendation is to use client_credentials for these cases now. I hope this decision get reversed before OAuth 2.1 is released.
My current auth server doesn't support OAuth 2.0 and I'm trying to set up a new auth server. But I don't need a replacement, I just want to pass the token to my new auth server so it can give access token to a third-party application.
I've been reading many documents about OAuth2 but none of them mentioned how is the access token generated. All of them only said once the user submitted their credential to the authorizaURL, it will verify and send back a code(auth code grant) or an access token(implicit grant).
The problem is, how does the auth server generate that token and how does the resource server verify this token? And how do these two servers bounded together?
Thank you in advance : )
I am reviewing OKTA. I have two authorization servers configured, the default one and a custom one. I have a client (web app) that is configured and correctly logging in. I am getting back the expected id_token and access_token. The problem I am running into, is how do I call an api, that is expecting an access token from the second authorization server? How do I request an access token on behalf of the logged in user (default auth server) from the second auth server, without prompting the user to login again? This is all done in .net core mvc application.
In each of your applications you can check for an active Okta session. If found initiate the OIDC AuthN flow.
This is the endpoint on the client you can use to check for an Active Session
https://developer.okta.com/docs/api/resources/sessions#get-current-session
You can use the following authorize URL to get the access token or id token
{{url}}/oauth2/{auth server ID}/v1/authorize?client_id={client id}&response_type=token&response_mode=fragment&scope=openid&nonce=nonce&state=state&redirect_uri={redirect url}
Get the auth server ID from the URL when you see visit the server in the UI.
The above call needs an active session so if you signed the user the first time with 'default' auth server recently. You don't need to sign the user again to get to the token for the second auth server.
It is mentioned in oauth documentation at https://developer.uber.com/v1/auth/ that access token remains valid for 30 days. But I have started getting invalid credential error within a week. The exact error I am getting is:-
{"message":"Invalid OAuth 2.0 credentials provided.","code":"unauthorized"}
Trying refresh token after this error gives invalid grant error whereas 'refresh_token' is valid grant type.
{"error": "invalid_grant"}
Anyone facing similar issues?
If your client credentials are used to get another access token, that will invalidate former access tokens associated with that user.
When an access token expires, you must obtain a new access token. Use the refresh token to get a new access token without prompting a user to login and grant permission again. The refresh token itself is not a valid token to access API endpoints - it is just a code you keep to exchange for a new access token when yours expires. This is described in Step Five: Refreshing Tokens in Uber's Authentication Guide.