I use Identity server 3 for identity service.
Today, I understood that in Client credentials flow it is only possible to get access token if you provide a resource scope. For example suppose we run this request:
grant_type:client_credentials
client_id:client
client_secret:secret
scope:test
if we defined scope test as a Resource scope we can get access token. but if the test scope be an Identity scope. server returns error message invalid_scope.
Could anybody explain why is that? Does it mean that I do not have access to profile and openid using a client token?
Related
I am trying to set up a resource owner password credentials flow (ROPC) in Azure Active Directory.
My objective is to generate an OAuth 2.0 Access token using my Company org AAD username/password.
I have registered an AAD App with Application (client) ID: “d76b7a4f-xxxxx-xxx” that has these permissions:
I then used Postman to send a request:
However, I am getting this above error. The username/password is correct, but still I am not sure why I am getting this above error message. Probably something to do with the "invalid_grant"?
I have followed these Microsoft articles to build up this ROPC flow:
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc
https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-ropc-policy?tabs=app-reg-ga&pivots=b2c-user-flow
In the above 2nd article, I am missing this part (Create a resource owner user flow): https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-ropc-policy?tabs=app-reg-ga&pivots=b2c-user-flow#create-a-resource-owner-user-flow
Maybe that is the reason? Please note, I also don't have an admin role at my company's AAD.
What I am targeting here is to generate the identity of the AAD user in the form of an access token, which is then passed onto the backend system, which then responds based on the identity of the user accordingly.
I could generate the access token using the “client_credential” flow (see below), but I need the access token against the owner password credentials flow (ROPC).
Could you please help me out here.
I've read docs and seen this. Struggling to put Cognito + API GW + OAuth2 pieces together. My questions:
Do I correctly understand the flow and use of Resource server scopes: client app asks the Cognito user pool for a JWT token (login/authorization happens). Request for a token contains custom scope A so as the Cognito returned JWT access token. After that client app uses obtained token making a REST API call to a "resource server" (say, to our configured API GW endpoint). API GW endpoint is set to use our Cognito user pool as authorizer + scope is set to be custom scope A. Thus scope here acts like a "role" or "permission": if client has a valid JWT token + this token has a custom scope A inside + API GW endpoint is set to use that scope - then client app is authorized to call API GW endpoint. Effectively it acts like a "resource-based IAM policy" for endpoint but no IAM is involved here.
Do I correctly understand that AWS Cognito Resource server identifier is an arbitrary string? It is not the URI of a factual "resource server" (our API GW). URI format is used purely for uniqueness and there is no place in flow where Cognito Resource server identifier matters or somehow checked/validated? Also it looks like that Resource server identifier does not affect JWT token generation or token contents?
thanks for clarif.
Application scope should not be confused with user permission. Scopes define the access an application has to the user's resources. Therefore resource access is the overlap of the two:
Check that the user has access
Check that the application has scope (access to user acccess)
Example
2 Clients with scopes:
A: E-Commerce (product:create, product:remove, order:create, order:update-status, order:read-status)
B: 3rd-party Order Tracker (order:read-status)
2 Users with permissions:
Customer (order:create:owned, order:read-status:owned)
Admin (product:all, order:all)
Therefore…
Customer PUT /product with client A = DENY due to missing user permission
Admin PUT /product with client B = DENY due to missing scope
…
By requiring a URI, AWS seems to enforce collision resistant identifiers as you point out. It's not a common practice and doesn't really have any real security benefit, nor is it validated by AWS that you control the resource.
I have trouble understanding the client_credentials grant in terms of identity. I have secured my web app with OpenId Connect using the authorization code flow. This works as expected and a proper access and id token are returned from the authorization server. So far so good.
Now i have some public APIs i want to give my customers access to. The access to this APIs is done via our different client libraries that we provide.
In many examples out there the client_credentials flow is used for that providing a CLIENT_ID and a CLIENT_SECRET to get an access token. According to the spec this flow involves no end user and therfore no identity token is returned.
Now i am in trouble because i don't know the identity of the caller. The only thing i can say is that the access token is valid but how is this done in practice ?
How do you know which user called your service when using this flow ? Do i have to save a mapping from user_account to client_id/client secret and query for that in my api endpoint to get the user ? I have to make some access decissions based on the identity who called the service.
If that would be true what benefit does OpendId Connect provide for me in that manner when i can get no id token in that flow ? Doing this with simple Oauth2 client_credentials flow will lead to the same result.
Can someone give me some tipps ?
The client_credentials flow is not meant to be used in scenario's where you want to identify an end user. In fact the client_credentials grant type is undefined in OpenID Connect. You should rely on the Authorization Code grant as you suggest.
I am trying to implement OpenId Connect for SSO in one of my projects. However, I am a bit struggling with the case where I would like to validate OpenId JWT token on Resource Server side to make it stateless. If user tries to logout, authorization Server will know about the user logout (Accordingly OpenId Connect Session Management spec). But how should Authorization Server tell Resource Server that the user's token is not valid anymore? It is a case when user after log out out goes to Resource Server with his OpenId token and gets access. That is weird and I could not find any solution across Internet. Please help me to organize stateless security with central logout.
You can use Token Introspection endpoint to determine whether the access token passed is valid or not. The resource server can make a call to OP's introspection endpoint to validate the token before giving access to the resource. In order to effectively validate the token, the resource server should :
Be a registered client with OP and have Same / similar Scope as SPA app (Implicit flow app) to validate the scopes passed to it and
Have access to Introspection endpoint
The are more details in the above linked Spec for further understanding.
P.S. The answer that I wrote earlier has some other relevant references.
you can use jwt bearer flow, where you can pass ID token/Assertion token to OP in order to generate access token.
Is it possible to get user details (attributes belonging to the resource owner) from ForgeRock's OpenAM using an OAuth 2 access token?
I have a trusted SPA UI that is able to get an access token from OpenAM using the Resource Owner Password Credentials Grant type. However, that access token gives me no information about the resource owner. The token_info endpoint similarly gives me no information.
OpenAM seems to have endpoints for listing user attributes, but expects a JWT as means of authentication for the request.
How can I get user attributes from an access token?
There is a userinfo endpoint that will return user attributes. In OpenAM 13.0, the data returned by the endpoint is scriptable. In prior versions it is mapped to scopes.
The sample client application is helpful to understand how this works:
https://github.com/ForgeRock/openid