OAuth 2.0 has the following grant types (flows):
authorization_code
implicit
password
client_credentials
refresh_token
Then which of these flows does Swagger support?
OpenAPI/Swagger supports the four OAuth flows defined by RFC 6749. The keywords and the corresponding OAuth 2 flows are:
accessCode (OpenAPI 2.0) or authorizationCode (OpenAPI 3.0) - authorization code flow.
implicit - implicit flow.
password - resource owner password credentials flow.
application (OpenAPI 2.0) or clientCredentials (OpenAPI 3.0) - client credentials flow.
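As an added illustration of the keyword mapping in this answer (example code, not part of the answer or of any Swagger/OpenAPI tooling), the following Python lint walks a parsed OpenAPI 2.0 or 3.0 document and checks every `oauth2` security scheme for the endpoint each flow requires: `authorizationUrl` for implicit and the authorization code flow, `tokenUrl` for password, client credentials and the authorization code flow, and a `scopes` object for all of them. The sample documents, the `example.test` URLs and the https-only check are constructed assumptions; the field names come from the OpenAPI specifications.

```python
# Endpoint fields each flow must declare, keyed by the OpenAPI 2.0 `flow` value
# (left table) and the OpenAPI 3.0 `flows` key (right table). Tuples keep the
# report order deterministic.
OAS2_FLOWS = {"implicit": ("authorizationUrl",), "password": ("tokenUrl",),
              "application": ("tokenUrl",), "accessCode": ("authorizationUrl", "tokenUrl")}
OAS3_FLOWS = {"implicit": ("authorizationUrl",), "password": ("tokenUrl",),
              "clientCredentials": ("tokenUrl",), "authorizationCode": ("authorizationUrl", "tokenUrl")}


def check_oauth2_scheme(name: str, scheme: dict, version: str) -> list:
    """Return the problems found in one oauth2 security scheme ([] when clean)."""
    problems = []
    if scheme.get("type") != "oauth2":
        return problems  # apiKey / basic / http schemes are out of scope here
    if version.startswith("2"):
        flow_name = scheme.get("flow")            # 2.0: exactly one flow per scheme
        flows, table = ({flow_name: scheme} if flow_name else {}), OAS2_FLOWS
    else:
        flows, table = scheme.get("flows", {}), OAS3_FLOWS   # 3.0: several flows
    if not flows:
        problems.append(f"{name}: no flow declared")
    for flow_name, flow in flows.items():
        if flow_name not in table:
            problems.append(f"{name}: unknown flow '{flow_name}'")
            continue
        for field in table[flow_name]:
            url = flow.get(field)
            if not url:
                problems.append(f"{name}/{flow_name}: missing {field}")
            elif not url.startswith("https://"):
                # Added check (assumption): tokens and codes must not travel in clear.
                problems.append(f"{name}/{flow_name}: {field} must use https")
        if not isinstance(flow.get("scopes"), dict):
            problems.append(f"{name}/{flow_name}: scopes object is required")
    return problems


def lint_document(doc: dict) -> list:
    """Locate the security schemes of a 2.0 or 3.0 document and check each one."""
    if "swagger" in doc:
        version, schemes = doc["swagger"], doc.get("securityDefinitions", {})
    else:
        version = doc.get("openapi", "3")
        schemes = doc.get("components", {}).get("securitySchemes", {})
    problems = []
    for name, scheme in schemes.items():
        problems.extend(check_oauth2_scheme(name, scheme, version))
    return problems


# Constructed sample documents (not taken from any real API description).
GOOD_OAS3 = {
    "openapi": "3.0.3",
    "components": {"securitySchemes": {"petstore_auth": {"type": "oauth2", "flows": {
        "authorizationCode": {"authorizationUrl": "https://auth.example.test/authorize",
                              "tokenUrl": "https://auth.example.test/token",
                              "scopes": {"read:pets": "read your pets"}},
        "clientCredentials": {"tokenUrl": "https://auth.example.test/token",
                              "scopes": {"admin": "service-to-service access"}},
    }}}},
}
BAD_OAS2 = {
    "swagger": "2.0",
    "securityDefinitions": {
        "legacy": {"type": "oauth2", "flow": "accessCode",             # tokenUrl missing
                   "authorizationUrl": "https://auth.example.test/authorize", "scopes": {}},
        "weak": {"type": "oauth2", "flow": "implicit",                 # plaintext endpoint
                 "authorizationUrl": "http://auth.example.test/authorize", "scopes": {"read": "read"}},
        "typo": {"type": "oauth2", "flow": "clientCredentials",        # 3.0 keyword in a 2.0 file
                 "tokenUrl": "https://auth.example.test/token", "scopes": {}},
    },
}

if __name__ == "__main__":
    print(lint_document(GOOD_OAS3))   # []
    for line in lint_document(BAD_OAS2):
        print(line)
```

The third sample scheme shows why the 2.0/3.0 keyword split matters in practice: `clientCredentials` is the OpenAPI 3.0 name, so in a 2.0 document it is simply an unknown flow, and the client credentials flow must be spelled `application` there.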
Related
I was working on a project which uses JWT tokens for authentication and authorization; now I have a new requirement in which I have to use OAuth 2.0 for security purposes and SSO.
I wanted to know whether there is a way to convert my JWT code to use OAuth 2.0.
What is the difference between OAuth 2.0, Auth0 and WSO2? I saw some related posts that explain, more or less well, the differences between OAuth 2.0 and Auth0, but WSO2 is not included in the explanation.
OAuth 2.0 is a widely used specification for authorization aspects of resources: https://oauth.net/2/
Auth0 and WSO2 Identity Server are two identity providers (IAM solutions). Both support OAuth 2.0.
Auth0: https://auth0.com/docs/protocols/protocol-oauth2
WSO2 IS: https://is.docs.wso2.com/en/latest/learn/working-with-oauth/
I want to use these APIs from backend:
https://apiexplorer.docusign.com/#/esign/restapi?categories=Authentication&tags=Authentication&operations=login&mode=basic
The problem is: where can I get the bearer token in the backend?
The DocuSign /RESTAPI/v{2, 2.1}/ login, updatePassword, revokeOAuthToken, getOAuthToken API methods are obsolete and should not be used for any application.
Instead, use the DocuSign OAuth2 flows to obtain Bearer tokens:
Authorization Code Grant
JWT Grant
Implicit Grant
Recommendation: use libraries for the OAuth flows. See the eg-01-*-jwt example repos for the JWT Grant flow and the eg-03-*-auth-code-grant example repos for Authorization Code Grant. The example repos are on https://github.com/docusign
The examples are also discussed on developers.docusign.com
I have done a sample application using Spring Boot, Spring Security and JWT and defined my custom authentication and authorization filters. While performing basic authentication (passing username and password) I get a JWT token in the format xxxx.yyyy.zzzz, where xxxx is the header, yyyy is the payload and zzzz is the signature, and each part is encoded with a Base64URL encoder. What I do not understand is how JWT is different from OAuth 2.0. In OAuth 2.0, we can pass 2 types of grant_types, either 'username' or 'client credentials', and also need to pass the client id and secret id to get access and refresh tokens.
Please help clarify the following doubts:
1) Is JWT lighter than OAuth 2.0, as it does not contain a refresh token but just an access token?
2) Can JWT not be used to make a standalone authorization server, like we can make a standalone authorization server with the @EnableAuthorizationServer annotation when it comes to OAuth 2.0? Is my assumption correct?
3) Does JWT not accept a client id/client secret, but is just used with basic authentication to get bearer tokens?
4) Is the format of the access token (or bearer token) different for OAuth 2.0 and JWT?
I have seen an example where both OAuth 2.0 and JWT were used. OAuth 2.0 was used to make an authorization server which returns a JWT token in the end, but I did not understand why JWT was used if OAuth 2.0 can return a token by itself.
Thank you
JWT is a JSON-based token defined in RFC 7519. OAuth 2.0 is an authorization framework defined in RFC 6749. Comparing both is like asking "How is glucose different from apple pie?".
However, it is possible to bring OAuth 2.0 and JWTs together as defined in RFC 7523 – The JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants. It standardizes how to use JWTs as bearer tokens within the OAuth 2.0 framework, which enables what I call stateless authentication.
Regarding your questions:
Whether or not you use JWTs as bearer tokens does not influence whether or not you want to hand out refresh tokens.
Not sure whether I get your question. However, using JWT allows you to make decentralized, stateless auth decisions, as there is no necessity to store token state centrally. However, nobody prevents you from having a standalone authorization server.
How you want to do authentication has nothing to do with JWT. It is still OAuth 2.0.
In OAuth 2.0 bearer tokens are considered to be opaque tokens – the format does not matter. If you use JWTs as bearer tokens, you need to follow the corresponding RFC.
I want to know what the best scenarios are for using the OAuth 2.0 JWT Bearer Token Flow.
I found some info about this OAuth 2 flow here.
The OAuth 2.0 JWT bearer token flow is similar to a refresh token flow within OAuth. The JWT is posted to the OAuth token endpoint, which in turn processes the JWT and issues an access_token based on prior approval of the app.
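The exchange this question describes, and the xxxx.yyyy.zzzz token format and stateless validation discussed in the JWT-versus-OAuth thread above, as one added example (not code from any question or answer on this page, and not any vendor's implementation): the client signs a JWT assertion, posts it to the token endpoint with `grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer` (the grant type registered by RFC 7523), the authorization server verifies the signature and the `iss`/`aud`/`exp`/`jti` claims and issues an access token that is itself a JWT, and the resource server checks that token with nothing but a key. HS256 with shared secrets, the `client-123` client id, the `example.test` token endpoint and the in-memory `jti` replay cache are assumptions made for the example; a production deployment would normally use asymmetric keys from a JWKS.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Grant type value registered by RFC 7523 for posting a JWT assertion.
JWT_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"
# Constructed values: the token endpoint URL doubles as the assertion audience.
TOKEN_ENDPOINT = "https://as.example.test/oauth2/token"
CLIENT_SECRETS = {"client-123": b"constructed-client-secret"}   # client id -> HS256 key
ACCESS_TOKEN_KEY = b"constructed-authorization-server-key"      # AS <-> resource server key


def b64url_encode(data: bytes) -> str:
    """Base64url without '=' padding, as JWS compact serialization requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jws_sign_hs256(claims: dict, key: bytes) -> str:
    """Build the xxxx.yyyy.zzzz form: header, payload and HMAC-SHA256 signature."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def jws_verify_hs256(token: str, key: bytes) -> dict:
    """Check the signature and return the claims; raise ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWS: expected three dot-separated parts")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the token never gets to pick the algorithm
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_b64))


def build_client_assertion(client_id: str, key: bytes, now: int, lifetime: int = 300) -> str:
    """Client side: the assertion JWT carrying the claims RFC 7523 section 3 requires."""
    claims = {"iss": client_id, "sub": client_id, "aud": TOKEN_ENDPOINT,
              "iat": now, "exp": now + lifetime, "jti": secrets.token_urlsafe(16)}
    return jws_sign_hs256(claims, key)


def token_endpoint(form: dict, now: int, seen_jti: set) -> dict:
    """Authorization server side: validate the posted assertion, issue an access token."""
    if form.get("grant_type") != JWT_BEARER_GRANT:
        return {"error": "unsupported_grant_type"}
    assertion = form.get("assertion", "")
    try:  # read the issuer only to pick a key; nothing is trusted before verification
        issuer = json.loads(b64url_decode(assertion.split(".")[1])).get("iss")
    except Exception:
        return {"error": "invalid_grant"}
    key = CLIENT_SECRETS.get(issuer)
    if key is None:
        return {"error": "invalid_client"}
    try:
        claims = jws_verify_hs256(assertion, key)
    except ValueError:
        return {"error": "invalid_grant"}
    if claims.get("aud") != TOKEN_ENDPOINT or claims.get("exp", 0) <= now or "sub" not in claims:
        return {"error": "invalid_grant"}
    if claims.get("jti") in seen_jti:
        return {"error": "invalid_grant"}  # replayed assertion
    seen_jti.add(claims.get("jti"))
    # The issued token is itself a JWT, so the resource server needs no lookup at the AS.
    access = jws_sign_hs256({"sub": claims["sub"], "iat": now, "exp": now + 3600,
                             "scope": "read"}, ACCESS_TOKEN_KEY)
    return {"access_token": access, "token_type": "Bearer", "expires_in": 3600}


def verify_access_token(token: str, now: int) -> dict:
    """Resource server side: stateless check, the signature and exp are the only state."""
    claims = jws_verify_hs256(token, ACCESS_TOKEN_KEY)
    if claims.get("exp", 0) <= now:
        raise ValueError("access token expired")
    return claims


if __name__ == "__main__":
    now = 1_700_000_000
    assertion = build_client_assertion("client-123", CLIENT_SECRETS["client-123"], now)
    response = token_endpoint({"grant_type": JWT_BEARER_GRANT, "assertion": assertion}, now, set())
    print(response["token_type"], verify_access_token(response["access_token"], now + 10))
```

The server side answers the question of when this flow fits: the client has to hold a signing key the authorization server already trusts, so it suits server-to-server and service-account integrations (the "prior approval" the quoted text mentions) rather than interactive logins, and the short `exp` plus the `jti` cache limit what a leaked assertion is worth.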