I am working with Amazon Alexa and facing an issue implementing the OAuth2.0 Code Grant flow with Alexa.
I have successfully implemented the Implicit Grant Flow:
I have an AWS Lambda function that is responsible for generating a JWT when a user logs in to my system.
I have a web server login page (HTTPS enabled) from where the user can log in.
I have an AWS Lambda function that receives the code and generates access_token, refresh_token and end_time.
I have an API Gateway (POST method) that calls the code grant Lambda function (I have not set any headers because I don't know whether Alexa sends headers or not).
For implicit grant it's working fine:
User selects "Link Account" from the Alexa app.
Alexa shows my login page.
After the user logs in, my page redirects Alexa to the provided URL along with the access_token.
Alexa shows the message "linked with skill".
For code grant:
User selects "Link Account" from the Alexa app.
Alexa shows my login page.
After the user logs in, my page redirects Alexa to the provided URL along with the code (I am generating the code with JWT).
Alexa tries to call my code grant link but fails here (it is not even reaching my Lambda; I don't know about API Gateway).
I know that OAuth2.0 is a framework used to authorize data requests between apps, but to grant this access an auth server is required. My question is: who is this server? Let's say we have two apps: Twitter and Google. I am trying to register a Twitter account using a Google account. Now where is this auth server? Is it Google? Or maybe it is another, third server (managed by Twitter and Google together, where the user data is)? If it is Google, how is Twitter able to check if the user token (generated by the auth server [Google??]) is valid?
Thanks
On your first question,
I am trying to register Twitter account using Google account. And now
where is this auth server? Is it Google?
Yes, it's Google. If you're trying to log in/register to Twitter via Google, Google is the authorization server, because Google has to authorize/delegate access to Twitter to access your data such as your Gmail ID, username, etc.
Once you click on the "Sign up with Google" button on the Twitter registration page, you will be redirected to the Google login page first (to see if you're an authenticated Google user) and then Google would show you a consent page saying "Twitter is trying to read your profile data, are you okay with this?". Once you click on the "Allow" button, Google will generate an access_token, id_token, and refresh_token and pass them to Twitter.
On your second question,
If it is Google, how is Twitter able to check if the user token (generated
by the auth server [Google??]) is valid?
Twitter is not going to validate the tokens. Twitter can pass the token to retrieve your Google profile information from Google's Resource Server (where all your data resides).
Google's Resource Server is the one that's going to validate the token. It first checks the 'iss' claim of the token to see if the token is issued by Google's Authorization Server. Additionally, it would check 'aud' to see if the token is issued for them (the recipient of the token). Finally, it checks the 'scope' claim to see if Twitter has the right access to request the data. For example, they would need to request only read-only access to your profile, but not write access. There could be additional validation depending on the use case.
I hope this answers your questions.
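To make the resource-server side of this answer concrete, here is an added example (not from the answer above, and not Google's code) of the iss / aud / exp / scope checks performed on a JWT after its signature has been verified. It uses an HS256 shared key so it runs stand-alone; Google actually signs with RS256 and publishes its public keys, and the issuer, audience and key values below are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values: the shared HS256 key and the identities the resource
# server expects. Real providers such as Google sign with RS256 and publish
# public keys; HS256 is used here only to keep the example self-contained.
DEMO_KEY = b"constructed-shared-secret"
EXPECTED_ISSUER = "https://idp.example.test"   # stands in for the authorization server
EXPECTED_AUDIENCE = "profile-api"              # stands in for the resource server


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Authorization-server side: sign the claims into a compact JWT."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def validate_token(token: str, required_scope: str, key: bytes = DEMO_KEY, now=None):
    """Resource-server side: verify the signature, then iss, aud, exp and scope.

    Returns (accepted, reason, claims). claims is None until the signature has
    been verified, so unverified content is never handed back to the caller.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed", None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:
        return False, "malformed", None
    # The verifier pins the algorithm; the token does not get to choose it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False, "unexpected alg", None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature", None
    claims = json.loads(_b64url_decode(payload_b64))
    # iss: was it minted by the authorization server we trust?
    if claims.get("iss") != EXPECTED_ISSUER:
        return False, "wrong issuer", claims
    # aud: was it minted for this resource server? (string or list, per RFC 7519)
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if EXPECTED_AUDIENCE not in audiences:
        return False, "wrong audience", claims
    # exp: is it still within its lifetime?
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return False, "expired", claims
    # scope: did the user consent to the kind of access this request needs?
    if required_scope not in str(claims.get("scope", "")).split():
        return False, "insufficient scope", claims
    return True, "ok", claims
```

The order matters: nothing inside the payload is trusted until the signature check passes, and a read-only scope such as `profile.read` will not satisfy a request that needs `profile.write`, which is the point the answer makes about Twitter only being granted the access it asked for.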
I read about SAML and OpenID Connect on the web.
I am trying to implement an ASP.NET MVC project with the following requirements.
1. User logs in to my website.
2. User clicks an external site link (e.g. trello.com) and is redirected to the external site's login page.
3. After sign-in a consent screen opens with predefined scopes. The user approves and returns to my site.
4. ID token and access token are received.
To my knowledge, up to this point you can proceed with OpenID Connect.
However, I can't figure out how I can accomplish the following requirement with OpenID Connect.
5. After granting access (previous steps via authorization code flow), whenever the user logs in to my site and clicks the external site link, the user will be automatically signed on to the external site (like AppDirect and Telstra do).
I know I can implement requirement 5 with SAML but I couldn't find a way to do it with OpenID Connect.
This is essentially SSO and SSO works like:
Application A authenticates with IDP X
Application B authenticates with IDP X
When the user goes to B, they are already signed on with the same IDP and so they don't see a login screen.
But if user goes to:
Application C authenticates with IDP Y
they will not get SSO.
I am trying to use account linking in my skill. The problem is that the documentation is not clear enough. I have the login screen; it redirects to the Amazon redirect URI provided in the URL parameters, and I also include the code (by the way, I'm using Auth Code Grant), and here comes the problem. My script gets the code and the client credentials and generates the two tokens, but what should it do with them? Does their system wait for a JSON response or something containing the two tokens using their names as keys, or should I redirect again? What do they mean in the documentation when they say the server should return the access token and the refresh token?
The token response should look like this. I believe the expires_in and refresh_token properties are optional.
{
"access_token": "...",
"refresh_token": "...",
"expires_in": 3600,
"token_type": "bearer"
}
https://developer.amazon.com/docs/alexa-voice-service/authorize-companion-site.html#auth-code-grant
There are multiple threads on this topic on the Amazon Developer Forum. I tried the tutorial referenced on a home-brew AVS device (RPi3) and it works with no issue (I can get the user name etc. from my Amazon account), although I still can't figure out how to access the activity API JSON within the AVS SDK.
Steps in Account Linking (Auth code grant flow):
• The user will be redirected to a form-based login page, used to get the user's credentials.
• After validating the user's credentials and authorities, your backend security script will redirect the request to the authorize endpoint to generate the authorization code.
• Once the request reaches the authorize endpoint, it will validate the client details.
• Once it is validated, the user will be redirected to the approval page.
• Once we get the confirmation from the user, your backend security server script needs to create the authorization code and give it back to the AWS Alexa client.
• The AWS client will call our access token endpoint to get the access token and refresh token.
• Once the AWS client gets the access token and refresh token, the skill will be linked to the user.
• The AWS Alexa client sends the access token in every request once the user has linked the skill.
Your Problem: The AWS client will call your access token endpoint URL along with the authorization code and client credentials. Your back-end script needs to validate those inputs, create the access token and refresh token, and send them back to the AWS client. It's a POST request from the AWS client; you have to return the response to that same POST request.
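Putting the token response from the earlier answer and the "Your Problem" step of this one together, here is an added example (written for this page, not code from Amazon or from either answer) of a token endpoint in the shape the original poster described: an API Gateway proxy-integration Lambda handler that receives Alexa's POST, validates the client credentials and the authorization code, and answers the same request with the JSON token body. The client, secret, code, redirect URI and user id are constructed stand-ins for what would normally live in your database.

```python
import base64
import json
import secrets
import time
from urllib.parse import parse_qs

# Constructed stand-ins for your database: the client configured in the
# skill's account-linking settings, and one authorization code that the login
# page handed to Alexa after the user signed in. All values are made up.
CLIENTS = {"alexa-skill-client": "constructed-client-secret"}
AUTH_CODES = {
    "code-abc123": {
        "client_id": "alexa-skill-client",
        "redirect_uri": "https://pitangui.amazon.com/api/skill/link/EXAMPLE",
        "user_id": "user-42",
        "expires_at": 1_700_000_300,   # codes should live for minutes, not hours
        "used": False,
    }
}
REFRESH_TOKENS = {}   # refresh_token -> user_id

JSON_HEADERS = {"Content-Type": "application/json", "Cache-Control": "no-store", "Pragma": "no-cache"}


def _client_credentials(headers, form):
    """Accept client_id/client_secret either in the POST body or as HTTP Basic auth."""
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), "")
    if auth.lower().startswith("basic "):
        try:
            user, _, secret = base64.b64decode(auth[6:]).decode().partition(":")
            return user, secret
        except ValueError:
            return "", ""
    return form.get("client_id", [""])[0], form.get("client_secret", [""])[0]


def _response(status, body):
    """API Gateway proxy-integration response shape."""
    return {"statusCode": status, "headers": JSON_HEADERS, "body": json.dumps(body)}


def _issue_tokens(user_id):
    access = secrets.token_urlsafe(32)
    refresh = secrets.token_urlsafe(32)
    REFRESH_TOKENS[refresh] = user_id
    # Exactly the JSON body Alexa expects back from the token endpoint.
    return {"access_token": access, "refresh_token": refresh, "expires_in": 3600, "token_type": "bearer"}


def token_handler(event, now=None):
    """Lambda proxy handler for the token endpoint that Alexa POSTs to."""
    now = time.time() if now is None else now
    form = parse_qs(event.get("body") or "")
    headers = event.get("headers") or {}
    client_id, client_secret = _client_credentials(headers, form)
    stored = CLIENTS.get(client_id)
    if stored is None or not secrets.compare_digest(stored.encode(), client_secret.encode()):
        return _response(401, {"error": "invalid_client"})
    grant_type = form.get("grant_type", [""])[0]
    if grant_type == "authorization_code":
        record = AUTH_CODES.get(form.get("code", [""])[0])
        if (record is None or record["used"] or record["expires_at"] <= now
                or record["client_id"] != client_id
                or record["redirect_uri"] != form.get("redirect_uri", [""])[0]):
            return _response(400, {"error": "invalid_grant"})
        record["used"] = True   # an authorization code is redeemable once
        return _response(200, _issue_tokens(record["user_id"]))
    if grant_type == "refresh_token":
        # Alexa later calls the same endpoint with grant_type=refresh_token;
        # rotate the refresh token on every use.
        user_id = REFRESH_TOKENS.pop(form.get("refresh_token", [""])[0], None)
        if user_id is None:
            return _response(400, {"error": "invalid_grant"})
        return _response(200, _issue_tokens(user_id))
    return _response(400, {"error": "unsupported_grant_type"})
```

The two things this makes visible that the question was unsure about: the tokens go back in the body of the 200 response to Alexa's own POST (no second redirect), and the error cases use the `error` codes from RFC 6749 with a 4xx status, so a failed linking attempt shows up as a clear response rather than a timeout before the Lambda is reached.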
Context:
I am implementing a Single-Page Application using Auth0's implementation of OpenID Connect Single Sign-On with Google as my identity provider.
The browser is Chrome v59.
auth0.logout() below refers to the auth0-js library which is included in my app as a dependency of the auth0-lock library. My webpack config is pinning auth0-lock to v10.18.0.
Problem:
When logging out, if the user doesn't want to be logged out of their Google sign-in session, I execute this code:
auth0js.logout({
returnTo: "http://localhost:8080"
});
This works fine: it logs the user out of their Auth0 sign-in session, redirects the browser to localhost, and the Google sign-in is left intact (the user can re-authenticate with my app using Google credentials without having to enter login details).
If the user explicitly indicates they also want to be logged out of their Google sign-in session as well, I execute this code:
auth0js.logout({
returnTo: "http://localhost:8080",
federated: true
});
The "sign out" part of this works: the user will be logged out of both the Auth0 and Google sign-in sessions. But the browser ends up being redirected to the Google account page (where Google will ask them for their credentials, since they were signed out of their Google session).
Question:
Can anyone provide an idea on how I can force the Google-logout flow redirect back to my app instead of the Google account page? Or is this something that Google is doing on purpose (i.e. there is no way to get Google federated sign-out to redirect to my app)?
Unfortunately, the returnTo URL available for some connection types is not available for Google social connections.
I am developing a REST API with Spring Boot. I have implemented an OAuth2 authorization server, so I am able to call my REST API to get a token:
curl localhost:8080/oauth/token -d "grant_type=password&scope=write&username=myuser&password=mypassword" -u myclient:mysecret
Now I want to implement "Sign up with FB" functionality, so I am thinking about the following flow:
1. User clicks on the "Sign up with FB" button.
2. The mobile app makes a call to FB and gets an access token from FB.
3. The mobile app sends this access token to the backend.
4. The backend creates a new user entity and sends back a new access token (together with a refresh token) issued by the authorization server.
But I am not sure how to implement step 4. I tried to find an example on the internet, but didn't have any luck. Does anybody have an idea how to implement it?
Here is my OAuth2 implementation: https://gist.github.com/osgafarov/8530464d25895512862a3d1f6013170e
Many thanks!
I understood that you need to sign up using FB, but it's not advisable to use the credentials flow; instead you can use the Implicit Flow.
When the user clicks on the "Sign Up using FB" button, the mobile app should open an embedded browser (SFSafariViewController) and it will open the authorize endpoint.
When the user clicks on Approve or Okay, the browser redirects back (Implicit flow) and closes the browser view. Here you will get the access token in the URI.
Post that access token to your backend and obtain the user information from Facebook using that access token.
Then insert that data into your DB (in the backend) and return the response to your client app.
https://5ecfdd32d0a3264463ba-8110a1171af36b468f9bd61da395ee26.ssl.cf2.rackcdn.com/blog/Screen%20Shot%202015-06-22%20at%206.42.07%20PM.png
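The backend half of this answer (step 4 in the question: receive the Facebook access token, fetch the user information, store the user, return your own tokens) as an added example in Python; it is not from the asker's gist or from the answer above, and is written as a plain function so it can be called from whatever framework issues the local tokens. Before fetching the profile it calls the Graph API `debug_token` endpoint so that the backend only accepts tokens issued to its own app id. The app id, app token, Graph API version and the offline `fake_http_get` stand-in for the Graph API are all constructed for the example.

```python
import json
import secrets
import urllib.request
from urllib.parse import parse_qsl, urlencode

GRAPH = "https://graph.facebook.com/v2.10"        # API version is an assumption
APP_ID = "123456789012345"                        # constructed app id
APP_ACCESS_TOKEN = "123456789012345|constructed"  # constructed app access token
USERS = {}                                        # stands in for the user table


def graph_get(url):
    """Real transport for production use (not exercised offline)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


def verify_facebook_token(user_token, http_get=graph_get):
    """Ask debug_token whether the token is valid and which app it was issued to.

    Returns the Facebook user id, or None when the token is not one this app
    should accept (invalid, expired, or issued to a different app).
    """
    query = urlencode({"input_token": user_token, "access_token": APP_ACCESS_TOKEN})
    data = http_get(f"{GRAPH}/debug_token?{query}").get("data", {})
    if not data.get("is_valid") or data.get("app_id") != APP_ID:
        return None
    return data.get("user_id")


def signup_with_facebook(user_token, http_get=graph_get):
    """Step 4: validate the FB token, fetch the profile, upsert the user, issue our own tokens."""
    fb_user_id = verify_facebook_token(user_token, http_get)
    if fb_user_id is None:
        return {"error": "invalid_facebook_token"}
    query = urlencode({"fields": "id,name,email", "access_token": user_token})
    profile = http_get(f"{GRAPH}/me?{query}")
    if profile.get("id") != fb_user_id:   # profile must belong to the verified token owner
        return {"error": "invalid_facebook_token"}
    created = fb_user_id not in USERS
    USERS.setdefault(fb_user_id, {"name": profile.get("name"), "email": profile.get("email")})
    # Local tokens for our own API; persist the refresh token the same way the
    # authorization server does for the password grant.
    return {
        "user_id": fb_user_id,
        "new_user": created,
        "access_token": secrets.token_urlsafe(32),
        "refresh_token": secrets.token_urlsafe(32),
        "expires_in": 3600,
        "token_type": "bearer",
    }


# Constructed offline stand-in for the Graph API so the example runs without network.
FAKE_TOKENS = {
    "EAAB-valid": {"app_id": APP_ID, "is_valid": True, "user_id": "1000123",
                   "profile": {"name": "Ada Example", "email": "ada@example.test"}},
    "EAAB-other-app": {"app_id": "999999", "is_valid": True, "user_id": "555",
                       "profile": {"name": "Other", "email": "other@example.test"}},
}


def fake_http_get(url):
    path, _, query = url[len(GRAPH) + 1:].partition("?")
    params = dict(parse_qsl(query))
    if path == "debug_token":
        tok = FAKE_TOKENS.get(params.get("input_token"))
        if tok is None:
            return {"data": {"is_valid": False}}
        return {"data": {k: tok[k] for k in ("app_id", "is_valid", "user_id")}}
    if path == "me":
        tok = FAKE_TOKENS.get(params.get("access_token"))
        if tok is None:
            return {"error": {"message": "Invalid OAuth access token"}}
        return {"id": tok["user_id"], **tok["profile"]}
    return {"error": {"message": "unknown path"}}
```

In production you would call `signup_with_facebook(token)` with the default `graph_get` transport; the `http_get` parameter exists so the same logic can be exercised against the constructed `fake_http_get` without network access.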