Third party access protocol for whatsapp for business - oauth-2.0

Is whatsapp for business using oauth protocol for user access token for third party access?

Related

Authorisation with Azure API Management and oAuth2

I have a WebAPI (A) hosted on Azure protected by Azure B2C (B) which is being called by a mobile app (C) - this is all working correctly.
I now want to allow third parties to access my API via API Management on the same platform but I am getting extremely confused with authentication and "audiences".
The API Management developer portal has been configured as per the Azure documentation so that when the developer makes test calls on the portal it prompts for authentication using the B2C domain (B). To do this it uses an application registered against the B2C domain.
However when I want to implement the API from a third party system (D) I need to allow the system to impersonate a user when calling my API (A) so that operations happen in the context of an authenticated user on the domain (B).
I know B2C does not yet support "On Behalf Of" as a valid flow so I use hellojs to obtain an access token on the client which I pass to the third party system API via a custom header which it then appends as an Authorization header to its call to the API.
The API Management product expects a "subscription key" to identify the products the third party implementation can use.
Does this mean with regards to the authentication part that every third party system using my API would use the same oAuth "audience" id and therefore the same Active Directory app?
It makes more sense to me that each third party implementation would have a different app on Azure AD but that would mean my Web API would need to recognise a huge number of audience ids and redirect uris?
Finally, how do I "hide" the Web API endpoints from public use - surely use of the audience id would allow people to circumvent the API Management product?
Apologies if I have mixed any terminology up.
1) Does this mean with regards to the authentication part that every third party system using my API would use the same oAuth "audience" id and therefore the same Active Directory app?
They will use the same resource/scope id (i.e. audience) e.g. https://yourwebapiAppIDURI/Read but they would all have their own application IDs.
2) It makes more sense to me that each third party implementation would have a different app on Azure Ad but that would mean my Web API would need to recognise a huge number of audience ids and redirect uris?
Yes they should register their applications as clients to your B2C Auth server.
The 3rd party apps should be set up in the AAD portal to have delegated access to your web API (e.g. "Access yourwebAPIname"). If your web API exposes any scopes, access to those can be delegated too.
Now when they start the token request by redirecting the user to your Auth Server, they should provide their client id and a resource/scope value of your web API's App ID URL e.g. https://yourwebapiAppIDURI/Read.
That should result in a token with:
aud value of the Application ID associated with https://yourwebapiAppIDURI/
scp value of Read
OK, so B2C doesn't use consent:
Azure AD B2C does not ask your client application users for their consent. Instead, all consent is provided by the admin, based on the permissions configured between the applications described above. If a permission grant for an application is revoked, all users who were previously able to acquire that permission will no longer be able to do so.
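The answer above says every third party ends up with the same aud (the Web API's application ID) and the scp they were delegated, while each keeps its own client ID. What the Web API then has to do on every request is check exactly those claims. The following is an added example, not code from the answerer or from Azure; it uses a placeholder application ID, a constructed token whose signature segment is a dummy, and assumes that signature verification against the B2C signing keys has already been done by a JWT library before these claim checks run. The optional azp allow-list shows how per-client policy can be layered on top of a single audience (azp is the B2C claim carrying the calling application's ID).

```python
import base64
import json
import time

# Placeholder for the Web API's Application ID (the value that appears in aud);
# constructed for this example, not a real registration.
WEB_API_APP_ID = "00000000-0000-0000-0000-000000000001"
REQUIRED_SCOPE = "Read"


def _b64url_decode(segment):
    """Decode a base64url segment, restoring the padding JWTs strip."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def decode_payload(token):
    """Return the claims dict from the middle segment of a compact JWT.

    This does NOT verify the signature; in a real API the token must first be
    verified against the B2C tenant's published signing keys, and only then
    are the claims trustworthy enough to feed into validate_claims().
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def validate_claims(claims, expected_aud=WEB_API_APP_ID, required_scope=REQUIRED_SCOPE,
                    allowed_clients=None, now=None):
    """Check the claims the answer describes. Returns (ok, reason).

    - aud must be the Web API's own application ID (shared by all callers)
    - scp must contain the delegated scope the endpoint requires
    - exp / nbf keep the token inside its validity window
    - allowed_clients, if given, restricts which azp (client app) may call
    """
    now = time.time() if now is None else now

    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_aud not in audiences:
        return False, "aud mismatch"

    # scp is a space-separated list of delegated scopes, e.g. "Read Write"
    scopes = str(claims.get("scp", "")).split()
    if required_scope not in scopes:
        return False, "missing scope"

    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "expired"
    nbf = claims.get("nbf")
    if isinstance(nbf, (int, float)) and nbf > now:
        return False, "not yet valid"

    if allowed_clients is not None and claims.get("azp") not in allowed_clients:
        return False, "client not allowed"

    return True, "ok"


def make_test_token(claims):
    """Build a constructed token for exercising the claim checks.

    The header and payload are real base64url JSON; the third segment is a
    dummy placeholder because this example stops short of signing.
    """
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'RS256', 'typ': 'JWT'})}.{seg(claims)}.dummy-signature"


if __name__ == "__main__":
    token = make_test_token({
        "aud": WEB_API_APP_ID, "scp": "Read",
        "azp": "client-app-a", "exp": int(time.time()) + 3600,
    })
    print(validate_claims(decode_payload(token), allowed_clients={"client-app-a"}))
```

The audience check is what stops a token minted for some other resource in the same tenant from being replayed against this API; the azp allow-list is where per-partner restrictions belong, since the audience is the same for everyone.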

Rails Api security: is oauth protocol only for third party application?

I am building a RESTful API and want to protect my APIs. I am thinking to implement OAuth but as per my knowledge OAuth is suitable only when we are exposing our API to a third party application. I am not exposing my API to a third party application.
I want to know whether implementing OAuth is suitable for this or not?
Thanks,
Sanjay Salunkhe

Implementing SSO using Okta

I have a MVC web application that needs to be authenticated against Okta (the users will be stored in Okta). I have some third party applications to which my customers will navigate through their links in my website. The customers, once they are authenticated while coming to my page should not have to be authenticated again when they navigate to these third party links.
I also have some third party web sites consuming my externally exposed web services (MVC Web APIs). These third party applications are also expected to authenticate themselves through Okta.
How can I implement these two scenarios? I know how to implement the customer authentication by Okta using their APIs, but the part not clear is how to enable the seamless navigation between the third party websites.

How to define Twitter application permissions

With Facebook, you could set a scope parameter to define the permission you'd like a user to grant to the 3rd party application, according to the Spring Social document. For example, you could only give the permission that the 3rd party can just read the user's profile, or you could give the permission that the 3rd party can post onto the user's wall too.
But with Twitter, how to set a scope-like parameter so as to define the permission you'd like a user to give to the 3rd party application? For example, the 3rd party can not only read the user's profile, but also tweet on behalf of the user.
Scoped permissions, such as what Facebook offers, are defined in the OAuth 2 specification. Twitter, on the other hand, is primarily an OAuth 1.0a-secured API (although it does offer OAuth 2-style app-only tokens) and OAuth 1.0a does not have the notion of scoped permissions.
That said, Twitter itself does define 3 levels of permissions: Read-only, read-write, and direct messages. These are not scopes that can be requested at authorization time, however. They are application-level, set when you register your application with Twitter.
Since Twitter doesn't offer scoped permissions, there's no way that Spring Social can offer it when authorizing with Twitter.
See https://dev.twitter.com/oauth/overview/application-permission-model for more details on Twitter's application permission model.

Verify authorization to third party

Is it possible to verify to third parties, that a user has given authorization to an app?
As a fallback, the third party could send a challenge token to the app, which would then be tweeted by it, thus demonstrating it has authorization. But ideally it wouldn't have to pollute the twitter stream.
Maybe instead of tweeting, the challenge would be to follow, then DM a message? At least that's not public?
