I am using oAuth Model to access Podio API. I am able to generate the Access Token and Refresh Token using a pair of Client ID and Client Secret.
Later when i tried to authenticate using previously generated Access Token and Refresh Token with new pair of Client ID and Client Secret then getting Following Error Message:
{"{\"error_propagate\":false,\"error\":\"invalid_grant\",\"error_description\":\"Invalid refresh_token\",\"error_detail\":\"different_client_id\",\"request\":{\"url\":\"http://api.podio.com/oauth/token\",\"query_string\":\"\",\"method\":\"POST\"}}"}
When i tried to authenticate using same Pair of Client ID and Client secret that was originally used to generate the Access Token , it Works.
My Question is: Can we use different Client ID and Client Secret to authenticate through Access Tokens that were generated using different Client Id and Secret.
I hope i have clearly described my question.
No, access tokens are tied to a specific client and secret. Allowing access tokens to be used with other clients would be a security hole.
Related
My current auth server doesn't support OAuth 2.0 and I'm trying to set up a new auth server. But I don't need a replacement, I just want to pass the token to my new auth server so it can give access token to a third-party application.
I've been reading many documents about OAuth2 but none of them mentioned how is the access token generated. All of them only said once the user submitted their credential to the authorizaURL, it will verify and send back a code(auth code grant) or an access token(implicit grant).
The problem is, how does the auth server generate that token and how does the resource server verify this token? And how do these two servers bounded together?
Thank you in advance : )
I'm trying to secure my endpoint using open Id connect. Currently there is only a mobile app client. With Google as the Identity provider, I have Id_token and access_token.
My question is can I use this access token returned as a part of authentication to authorize user to access my endpoint?
If yes, Is there a way to validate the access token within my server?
Or Should I create an access token for the user and store the same, so that when the user requests, I will check in the DB/Redis ?
OpenID connect is an Authentication layer on top of the "Authorization" framework OAuth 2.0. So the Access Token is the "Authorization" for the OAuth Client to access the resource.
Perhaps this post may help.
As #jwilleke mentioned, OAuth2.0 doesn't specify a way in which an access token can be validated with Authorization server.
Hence the approach that I took was to verify the JWT Id token by checking the signature of it and storing the access token returned along with it.
I've seen these questions about using Postman in order to invoke Google's API with OAuth 2:
Using Postman to access OAuth 2.0 Google APIs
Could not obtain Google oAuth 2 token on POSTMan
and many more, but they all have client ID and client secret.
For the 'Save to Android Pay' API, all I got is a .p12 key and an issuer ID. I also have Service Account Email Address but defiantly no client id or secret. I think I also have the Auth URL but I'm not sure: https://www.googleapis.com/auth/wallet_object.issuer
Looking in the Save to Android Pay API, doesn't say anything about a client id so I'm really not sure how I'm supposed to obtain a token in POSTMAN with what I have.
So my question is: giving a .p12 key, an issuerId and a Service Account Email Address, What do I need to fill in POSTMAN OAuth 2 fields:
Token Name, Auth URL, Access Token URL, Client ID, Client Secret, Scope (Optional), Grant Type
To obtain OAuth 2.0 client credentials, you need to register an application to the Google API Console as specify in the basic steps and then you'll get a client ID and client secret.
I'm trying to understand what each string in the Oauth 1 scheme does.
As per my understanding, the consumer key and consumer secret are used to sign a request to the api, from the calling application, and the access_token and access_secret pair are used as a proxy for the user's login credentials.
Am I right in my understanding?
Not quite. The consumer key is a value that identifies the client application that is being used to access the user resources, and the access token is the value that provides the authorization to access those resources.
A combination of the consumer secret and token secret are used to sign the request which provides verification that the request is being sent by an authorized party.
You can read more about the definitions of the oauth 1.0a spec here.
I am using client credentials flow using Spring OAuth2. The DefaultAuthenticationKeyGenerator stores the access_token in memory for me. However if I run multiple client instances from different hosts and make the /oauth/token client_credentials grant request, I get the SAME access token. So all client instances with the same (client id and client secret) get the same access token. So I must be misunderstanding something fundamentally. Is there a way to have each instance of my client receive its own unique client credentials flow access token with it's own expiration period ? The reason I want this is so I can authenticate the client itself before a user account has been created. After the user account is created I can use the user resource password grant flow to get a user specific access_token.