I am trying to use account linking in my skill. The problem is that the documentation is not clear enough. I have the login screen, it redirects to the amazon redirect uri provided in the URL parameters, I also include the code (btw I'm using Auth Code Grant) and here comes the problem. My script gets the code and the client credentials and generates the two tokens, but what should it do with them? Does their system wait a json response or something containing the two tokens using their names as keys or should I redirect again? What do they mean in the documentation when they say the server should return the access token and the refresh token?
The token response should look like this. I believe the exires_in and refresh_token properties are optional.
{
"access_token": "...",
"refresh_token": "...",
"expires_in": 3600
"token_type": "bearer"
}
https://developer.amazon.com/docs/alexa-voice-service/authorize-companion-site.html#auth-code-grant.
There are multiple threads on this topic from the Amazon Developer Forum I tried the tutorial referenced on a home brew AVS device (RPi3) and it works with no issue (I can get the user name etc. from my Amazon account), although I still can't figure out how to access activity api json within AVS SDK.
Steps in Account Linking(Auth code grand flow):
• User will be redirect to form based login page, used to get the user credentials
• After validating the user credentials and user authorities by your backend security script, it will be redirect the request to authorize endpoint to generate the authorization code.
• Once the request reached the authorize end point, it will validate the client details.
• Once it is validated, user will be redirected to the approval page.
• Once we get the confirmation from the user, your backend security server script need to create the autorization code and need to give it back to the AWS alexa client.
• AWS client will call our access token end point to get the access token and refresh token.
• Once AWS client gets the access token and refresh token, the skill will be linked to the user.
• AWS Alexa client send the access token in every request once the user have linked the skill
Your Problem: AWS client will call your access token end point url along with Authorization code and client credentials, Your back-end script need to validate those inputs and need to create access token, refresh token and send it back to AWS client.Its a POST request from AWS client, you have to return back response to same POST request.
Related
My requirement:
I have a confluence instance connected to Azure AD with SAML Connector for Single Sign On
It should be possible to send API calls to that confluence by an application where the users are already signed in (with their Azure account)
Confluence (on premise) is not supporting bearer "access_token"s, just basic auth and cookies.
My way to go:
Ask the confluence for a SAMLRequest.
Post the SAMLRequest to Azure with valid credentials and get SAMLResponse
Post SAMLResponse to confluence and get a cookie
Call API with that cookie
I think that should work. But i am new to authorizations and azure.
My problem:
I POST to https://login.microsoftonline.com/{tenant-id}/saml2 with my SAMLRequest in Body and a valid bearer access_token in HTTP Header ("Authorization" field), but I always get a "SIGN IN" page as response.
I thought my access_token is my key to login without a login prompt.
Any ideas for this? Maybe my way to go is absolutely incorrect. I don't know. That's the way I access the API in web browser.
Here two pictures of my requests:
GET access_token from Azure
POST SAMLRequest to Azure
We bought some 3rd Party tool that handles access_token for Confluence REST API.
What technically is necessary for new REST endpoints:
- Grab the Azure access_token
- Send the access_token to https://graph.microsoft.com/v1.0/me
- get the answer to which user this access_token belongs
- change the context to that user
I have no time to implement this on my own. So the Addon was okay for us. google for "REST API confluence oauth" and you will get it.
I'm currently trying to authenticate an angular 7 app with ADFS 2016 (using angular-oauth2-oidc). So far, it works pretty well. When I access the application, I'm redirected to ADFS login page where I enter my credentials and gets tokens.
Now, when the app calls the a web API, it send the access token in the request headers. The access token returned by ADFS looks like this:
{
"aud": "microsoft:identityserver:xxx",
"iss": "http://xxx/adfs/services/trust",
"iat": 1554561406,
"nbf": 1554561406,
"exp": 1554565006,
"apptype": "Public",
"appid": "xxx",
"authmethod": "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
"auth_time": "2019-04-06T12:21:39.222Z",
"ver": "1.0",
"scp": "profile openid"
}
The issue is that the web API must know the ID of the user making the call (as there are some permissions defined at application level). I saw here that I can add claims to the access token, which I did. However, when reading articles on Internet, I read that apparently the access token is not supposed to be used to identify the user, so I don't know if it's correct to add a claim used by the web API to identify the user.
However, I read here that
The only user information the Access Token possesses is the user ID,
located in the sub claim.
But by default, ADFS does not provide a "sub" token. Is it correct if I add a "sub" claim by myself that contains the email address of the user or do I have to proceed in a different way?
Yes, access token is not supposed to be used to identify the user. But if you can get a user identifier into the access token and it's all you need to know about a user, then it's probably the easiest way. But it's implementation-specific for your auth server.
The standard way is to ask for the profile scope (which you did) and get information from the userinfo endpoint (see OpenID Connect RFC). If you use this way, you may want to cache the response, so you don't need to make this HTTP call on every client request.
If your backend API is used just by the Angular application and is not supposed to be called by third parties, you could also consider using the backend as the OAuth2 client which receives an authorization code and exchanges it for an ID token. Then, it can save the user's identity (read from the ID token) in a session and issue a cookie identifying the session. So there would be no need for the frontend to send a token on each request. This would make the backend stateful, but it might be easier to implement.
I need to access several YouTube channels for my job to pull analytical data and export it to a database. The problem, is that this requires using OAuth, which would be fine except I don't know the controlling person's username/password. She probably won't give me her credentials since it's personal.
Is there a way to do this without explicitly using her username/pass? Like, she tried making me a content owner, but I still can't authorize this level of information.
This is exactly the reason why OAuth was created, to make requests on behalf of a user without their username and password.
Have that user generate an access token. Here are the Google Docs. In a nutshell:
Have your user send a post request to https://accounts.google.com/o/oauth2/token with your app key. The response should look something like:
{
type: "oauth",
token: "XXXXXXX"
}
Then, make an API request on behalf of that user with their token by passing in the token returned from the previous step as value for the Bearer filed for any web request to the YouTube API. This will allow you to perform an authenticated request without explicitly knowing the user's username and password.
Let's say, i want to develop a rest api implementation and use OAuth 2.0 with authorization_code grant. I will have apps, users, access_tokens etc. I just couldn't imagine only one scenario. When a user permits an app to use it, my auth server will redirects him to app site with auth code and then the app will post it with its client_id to fetch access_token. So, how can i link this access_code to the user? At last, the app will want to access to some resource about THE USER and will post the access_code which my auth server created to access it. Or just the app should store to link between access_code and the user id(but how can it determine the user, it is an another question).
The Authorization server have to provide a service to give the resource server user information but using access_token so the resource server can get user Id and other information to use it, example of it is using login with FB or google, it is providing user information to the 3rd party want to authenticate this user.
I am trying to impliment Oauth for my webapplication for google.I am worked upon a POC and it working fine but i have a confusion and not sure how best it can be achieved.
I am using scribe java API for Oauth.
here are the steps i am performing.
Getting request token from Google.
Redirecting user to Google to authenticate them self and authorize my serivice to access his/her few details.
get Access Toekn from google by providing request token and verification code given by google.
Accessing user info once google provide Access token.
now my main confusion is at step no 3, since i am working on a web-application so it will be a 2 step process.
Redirecting user to google
Handling back google redirect.
In order to get an Access token i need to provide same request token which i got at step1 else my request being rejected by the user.
The request token contains 2 things
Toekn -->which is based on the registered application so not an issue
Secret-->This is always being a random string so it should be same when asking for access token
that means i need to store this secret either in my session or some where so that i can access this secret when user is being redirected back to my application.
My confusion is,since in order to save it in session i have to create a unique key and some way to access it in the other action class which will handle Google Redirect back how can i achieve this since at a given time so many user can ask to login using google.
any help in this regard will be much appriciated.
Thanks in advance
When you receive the request token + token secret, use the request token as the unique key of your session to store the token information. After the authorization process, in the callback url, you have access to the request token (it's one of the parameters passed to the callback url). Using this parameter as the session key, you can restore the token information from session, including the token secret, and use it to sign your request for changing the request token for access token. After receiving the access token, a new token secret is returned to you and you can delete the old one from session.
how can i achieve this since at a given time so many user can ask to
login using google
This is not of any problem because for every single user on your site, you are given a different request token.