failing to receive onedrive oauth refresh_token when authenticating through SSO - oauth

I have an app that supports SAML-based SSO and OAuth-based access to cloud storage providers such as Google Drive, Dropbox, and Microsoft OneDrive. I have an account set up that uses OneLogin as an identity provider, with my app and OneDrive acting as service providers. The app requires users to authenticate with their cloud storage provider, so I redirect the user from the app to OneDrive during this auth step. Since they are using OneLogin SSO, they are redirected from OneDrive to OneLogin, they log in to OneLogin, and are redirected back to OneDrive. Here they resume the OAuth flow, agree to grant the app certain permissions, and a code is sent back. I use this code to call OneDrive's /token route to exchange it for an access_token and a refresh_token. However, we are not receiving the refresh_token, thus requiring the user to frequently reauthenticate with OneDrive.
Does anyone have any insight as to why we are not receiving a refresh_token? I have reached out to OneLogin and Microsoft as well (no progress/response yet).
I have toyed around with settings in MS Azure and OneLogin but haven't solved the issue yet.
Other details:
In Microsoft Azure, users are federated using WS-Federation.
So far, this issue only occurs with users who are using OneDrive and an SSO provider.
I am using the v1 OneDrive API.
The auth response includes the access_token and other properties, just not the refresh_token.
Here is a link detailing the OAuth flow for OneDrive, indicating that I can expect a refresh_token from the https://login.microsoftonline.com/common/oauth2/token route: https://learn.microsoft.com/en-us/onedrive/developer/rest-api/getting-started/aad-oauth (in fact this refresh_token is necessary to finish the flow).
Here is another SO post that seems to describe a similar issue, but with GoDaddy: Refresh token not returned for Office365 accounts purchased through GoDaddy (I have tried messing with the StsRefreshTokensValidFrom attribute, but to no avail).
To be clear, the flow is:
From the app, attempt to authenticate with OneDrive via OAuth
Get redirected to OneLogin
Log in to OneLogin
Get redirected to OneDrive
Grant permission for 3rd party app access
Get redirected back to the app with an access code
Exchange the code for OAuth tokens
Fail to receive a refresh_token
Thanks!

To get a refresh_token, you need to set up the Refresh Token (timeout) field in the Token Timeout Settings of the SSO tab in the Application configured in your OneLogin Administration portal.

Related

How to sign up a user to AWSCognitoIdentityUserPool and get the JWT tokens back?
I got a Facebook token from Facebook registration. Then how can I register the user in the User Pool based on that token?
I need to get JWT tokens in the response after that, to use them in my own backend.
I've been struggling with it for a week already.
Recognize that authentication is a two-step process. First, your app must authenticate with Facebook to receive a JWT; it seems that you have done this successfully. Second, this JWT is exchanged for IAM credentials that will be used for API calls.
Authentication Flow:
App authenticates with the Identity provider using the SDK for that identity provider. In response, the Identity provider sends a JWT that will be cached by the app.
App uses the cached JWT to authenticate with AWS. If the Identity provider is configured in AWS, in response, AWS sends IAM credentials with the permissions granted to that identity provider.
IAM credentials are used to make calls to other AWS resources specified in the Policy.
This documentation goes into more detail on these steps regarding Facebook.
The AWS Amplify Library has support for iOS. I would recommend using this library to handle authentication against Facebook Federated Identities.
You do not necessarily need a user pool managed in Cognito, as the user pool function is managed by Facebook.

Identity Server 4: log user out from only the requested client

Is it possible to log a user out of only a single client? I tried to search online but could not find anything about logging a user out from only a specific client.
With OAuth2 authentication, you don't log in or out of an application. OAuth2 is about permission delegation using access tokens. There is also the single sign-on (SSO) feature of OpenID Connect (an OAuth2 extension).
So you can either log out of the SSO session, which will force you to enter your credentials on the next /auth request, or you can revoke a token used by a client. But if you have a valid SSO session at the auth server, the client can request a new token without you entering credentials.
So I think you will need to change your requirements (for logging out) to be compatible with OAuth2 / OpenID Connect concepts.

Azure AD / Microsoft Graph Tokens - What to use for a multi-client app

I need to be able to monitor a user's Hotmail or Outlook account in offline mode via a backend. But the user can sign up and authorize the account access either from a web app, e.g. Laravel or Lumen, or from a Cordova mobile app, or from another SPA interface such as Angular. Basically, the app is configured on https://apps.dev.microsoft.com for an implicit flow.
Since the app requires backend offline processing, let's say a few times a day, I will need a refresh token to renew the access_token. There are two ways to get consent from Azure AD.
authorize = id_token + token (but the limitation is that the id_token is only client specific). This approach is more suitable for fetching the emails when the client is running and the user is online.
authorize = code, and then generate the access_token and refresh_token.
Question: would option 2 work for both hotmail/outlook.com and O365? If the access and refresh tokens are generated by the client, would they work for both online and offline access of a user's account and email?
Of course you can. But if you want to receive a refresh token in the token response, your app must request and be granted the offline_access scope.
The offline_access scope gives your app access to resources on behalf of the user for an extended time. On the work account consent page, this scope appears as the "Access your data anytime" permission. On the personal Microsoft account consent page, it appears as the "Access your info anytime" permission. When a user approves the offline_access scope, your app can receive refresh tokens from the v2.0 token endpoint. Refresh tokens are long-lived. Your app can get new access tokens as older ones expire.
REQUEST EXAMPLE:
// Line breaks for legibility only
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&response_type=code
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&response_mode=query
&scope=openid%20offline_access%20https%3A%2F%2Fgraph.microsoft.com%2Fmail.read
&state=12345
Actually, if you use the code grant flow to sign in to AAD, you will see this page:
If you click Yes, you will consent to the offline_access scope. NOTE: This works for both MSA and AAD accounts.
You can see more details about the offline_access scope in this documentation.
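The two Microsoft posts above (the missing refresh_token in the first, and offline_access in this one) share the same client-side mechanics, so here is one added example that is not code from either post or from Microsoft: it builds a v2.0 authorize URL that requests offline_access, validates the redirect back to the app (the state check), and inspects a token response for the refresh_token. The client_id, redirect_uri and the three sample token responses are constructed for illustration.

```python
"""Added example: request offline_access, check the redirect, and flag a
token response that lacks refresh_token. Not Microsoft's code; the sample
responses below are constructed, not captured."""
import json
from urllib.parse import urlencode, urlsplit, parse_qs

AUTHORIZE_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"

# Constructed token responses, shaped like the v2.0 token endpoint's JSON.
SAMPLE_WITH_REFRESH = json.dumps({
    "token_type": "Bearer", "expires_in": 3599,
    "scope": "https://graph.microsoft.com/Mail.Read",
    "access_token": "eyJ...access...", "refresh_token": "0.AAA...refresh...",
    "id_token": "eyJ...id...",
})
SAMPLE_WITHOUT_REFRESH = json.dumps({
    "token_type": "Bearer", "expires_in": 3599,
    "scope": "https://graph.microsoft.com/Mail.Read",
    "access_token": "eyJ...access...",
})
SAMPLE_ERROR = json.dumps({
    "error": "invalid_grant",
    "error_description": "constructed: the provided authorization code has expired.",
})


def build_authorize_url(tenant, client_id, redirect_uri, resource_scopes, state):
    """Authorization request for the code flow. offline_access is the scope
    that entitles the app to a refresh_token from the v2.0 token endpoint;
    openid adds an id_token to the token response."""
    scopes = ["openid", "offline_access", *resource_scopes]
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,
    }
    return AUTHORIZE_URL.format(tenant=tenant) + "?" + urlencode(params)


def requested_scopes(url):
    """Scopes encoded in an authorize URL, for checking what was asked for."""
    return set(parse_qs(urlsplit(url).query)["scope"][0].split())


def code_from_redirect(redirect_url, expected_state):
    """Extract the authorization code from the redirect back to the app.
    The state must equal the value this app generated for this login;
    anything else is a CSRF attempt or a response to a different request."""
    query = parse_qs(urlsplit(redirect_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: discard this response")
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    return query["code"][0]


def check_token_response(body):
    """Return (ok, problems) for a token endpoint JSON body. A missing
    refresh_token is the symptom in the posts above; flag it at exchange
    time instead of discovering it when the access_token expires later."""
    data = json.loads(body)
    problems = []
    if "error" in data:
        problems.append(f"{data['error']}: {data.get('error_description', '')}")
        return False, problems
    for field in ("access_token", "token_type", "expires_in"):
        if field not in data:
            problems.append(f"missing {field}")
    if "refresh_token" not in data:
        problems.append("missing refresh_token (v2.0: was offline_access requested and consented?)")
    return not problems, problems
```

Call `build_authorize_url("common", client_id, redirect_uri, ["https://graph.microsoft.com/mail.read"], state)` with a fresh random `state` per login, store that state in the user's session, and pass it to `code_from_redirect` when the browser comes back; then run `check_token_response` on the body returned by the token endpoint and treat a missing refresh_token as a configuration error to surface, not a condition to retry silently.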

3-legs in OAuth 2.0

I'm making a program that uses the YouTube API for testing purposes.
Because my program is an installed application, I've found a picture showing how to implement authentication.
Here is what I have:
Immediately, I'm confused. According to this figure, I don't know why Google's servers just return an authorization code after the user logs in and consents.
Why don't Google's servers return a token instantly?
You are confused because, I guess, you have missed the 3rd leg, the "User". The authorization code represents the user's consent.
Google's server returns an authorization code when the user grants permission to your app to get his/her data from the Google server (resource server). If the user denies permission, the Google server won't generate an authorization code and your app won't be able to get an access token.
Another use of the authorization code is to keep the resource owner's credentials secret. The authorization code is shared with the client, and the client exchanges that code for an access_token.
Find more information about OAuth 2.0 in this article.

What is the format of the openID to Login with the CTP Sample Oauth Provider

Hi, I'm just getting started on the v4 CTP, so I can see myself posting some basic questions as I get my head around it. I want to create a service provider, so I'm looking at the WCF OAuth2.
The first thing is, when I go to log in, what is the format of the OpenID for use with the provided database? What is the process for this? I assume I'll get redirected to a screen where I put in my password, and that interacts with the database?
Cheers, Chris.
The sample OAuth2 Authorization Server's database merely contains a couple of sample client entries so that the sample client can make requests. It has a users table that is automatically populated by each user who successfully logs in using their OpenID. So to your question regarding the "format of the OpenID" to use, any valid OpenID 1.1/2.0 identifier will work.
The OAuth2 authorization server sample doubles as an OpenID relying party in this respect, but its OpenID functions aren't the meat of the sample; there are other sample OpenID RP sites that demonstrate more functionality in that respect. But given that the OAuth2 auth server and OpenID RP are coupled in this way, the flow is:
User visits OAuth2 Client site and indicates to the client that it may request access to user's data on the resource server.
Client redirects user to authorization server so the user may grant permission.
Authorization server prompts the user to log in, if not already logged in.
User enters their OpenID.
Authorization server redirects user to their OpenID Provider to log in using some credential (username/password, infocard, etc.)
OpenID Provider redirects user back to authorization server.
Authorization server sample then asks the user "do you want to share resource [x] with client [y]?" User confirms.
Authorization server records that user authorized client [y] to access [x] so that future requests from that client for that resource may be auto-approved without user intervention.
Authorization server redirects user back to Client with authorization grant.
Client receives the grant along with the user redirect and uses a direct HTTP request to the auth server to exchange that grant for an access token (and possibly a refresh token).
Client then includes the access token in HTTP requests to the resource server to access the user's private data.
I hope that helps.
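The answer above and the 3-legs answer before it both describe the same authorization-code exchange: the user agent carries a code, and the client redeems it on a direct back-channel request. As an added example, not DotNetOpenAuth, Google or OneLogin code, here is a toy authorization server and client run in one process that make the reasons for that design concrete: the code is single-use, short-lived and bound to the client and redirect_uri it was issued for, remembered consent auto-approves later requests, and the access token only ever exists on the back channel where the client authenticates with its secret. All client ids, secrets, scopes and user names are made up.

```python
"""Added example: three-legged authorization code flow in one process.
Not code from any library or vendor; every identifier is made up."""
import hmac
import secrets
import time

CODE_LIFETIME_SECONDS = 60


class AuthorizationServer:
    def __init__(self):
        self.clients = {}      # client_id -> (client_secret, registered redirect_uri)
        self.codes = {}        # code -> grant details, removed on first use
        self.consents = set()  # (user, client_id, scope) the user already approved

    def register_client(self, client_id, client_secret, redirect_uri):
        self.clients[client_id] = (client_secret, redirect_uri)

    def authorize(self, client_id, redirect_uri, scope, user, consent_given, now=None):
        """Front channel (through the user's browser), after the user has logged
        in (at an OpenID Provider, OneLogin, or locally). Returns the code to
        redirect back with, or None if the user denied access."""
        _, registered_uri = self.clients[client_id]
        if redirect_uri != registered_uri:
            raise ValueError("redirect_uri does not match the registered one")
        key = (user, client_id, scope)
        if key not in self.consents:
            if not consent_given:
                return None            # denied: no code, so no token is possible
            self.consents.add(key)     # remembered: next time is auto-approved
        code = secrets.token_urlsafe(32)
        self.codes[code] = {
            "client_id": client_id, "redirect_uri": redirect_uri,
            "user": user, "scope": scope,
            "expires": (now or time.time()) + CODE_LIFETIME_SECONDS,
        }
        return code

    def token(self, client_id, client_secret, code, redirect_uri, now=None):
        """Back channel (direct HTTPS from client to server, no browser).
        The client proves its identity; the code proves the user's consent."""
        grant = self.codes.pop(code, None)           # single use: replay fails
        if grant is None:
            raise PermissionError("invalid_grant: unknown or already used code")
        registered_secret, _ = self.clients.get(client_id, (None, None))
        if registered_secret is None or not hmac.compare_digest(registered_secret, client_secret):
            raise PermissionError("invalid_client")
        if grant["client_id"] != client_id or grant["redirect_uri"] != redirect_uri:
            raise PermissionError("invalid_grant: code was issued to a different client")
        if (now or time.time()) > grant["expires"]:
            raise PermissionError("invalid_grant: code expired")
        return {
            "token_type": "Bearer", "expires_in": 3600, "scope": grant["scope"],
            "access_token": secrets.token_urlsafe(32),
            "refresh_token": secrets.token_urlsafe(32),
        }


def run_flow(consent_given):
    """Drive the whole exchange once and report what each leg produced."""
    server = AuthorizationServer()
    server.register_client("demo-client", "s3cret", "https://app.example/callback")
    code = server.authorize("demo-client", "https://app.example/callback",
                            "youtube.readonly", "alice", consent_given)
    if code is None:
        return {"code": None, "tokens": None}
    tokens = server.token("demo-client", "s3cret", code, "https://app.example/callback")
    # A second exchange of the same code must fail: a leaked code is worthless once used.
    try:
        server.token("demo-client", "s3cret", code, "https://app.example/callback")
        replay_rejected = False
    except PermissionError:
        replay_rejected = True
    return {"code": code, "tokens": tokens, "replay_rejected": replay_rejected}
```

The `now` parameter exists only so expiry can be exercised deterministically; a real server would read the clock. Note what the user's browser never sees: the client secret, the access token and the refresh token all stay on the direct client-to-server request, which is the point the 3-legs answer makes about keeping the resource owner's credentials and tokens out of the user agent.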