I'm having trouble understanding why only 2-legged authentication is allowed on certain OSS requests (for example GET bucket details, GET all buckets, POST a bucket). Why creating buckets or viewing buckets contents are considered to be application related (and hence just with 2-legged token accessible), but uploading a file to a bucket is user related and can be accessible also with a 3-legged token?
From what I can see here the buckets (OSS) are on the last level, but still, the files are stored there, so in my opinion they are also user related. Can you give me an example of developer's resources (2-legged) vs user's resources (3-legged)?
Thanks,
Paul
Later edit: From what I've read here when the authentication context is app only, one should be able to authenticate also with 3-legged token.
app only: The endpoint accepts either a two-legged or three-legged token, but it will only act on behalf of the app itself, ignoring any permissions associated with the end user.
You can gain access to a bucket with a 3-legged token, but it's a more involved process. There's a guide on the developer portal on uploading: https://developer.autodesk.com/en/docs/data/v2/tutorials/upload-file/
The "storage location" you can access with a 3-legged token is essentially a bucket internally. The only difference is that a bucket generated by the app developer (2-legged) cannot be shared with a user with a 3-legged token. There is some internal capability where bucket access can be granted or revoked but it's not for public consumption yet.
Related
What I want to do is quite simple: provision Office 365 and Azure Account from my Web App. And I want it to be available not only for me but for all the IT Departments (from other organizations too) that logs in my App.
From my understanding the steps I have to take are:
Register App on apps.dev.microsoft.com and get ID And Secret.
Enable the Scopes I'm interested in (in my case Directory.ReadWrite.All and User.ReadWrite.All) -- Enabled from both Delegated Permissions and Application Permissions
Gone through the LOGIN PROCESS
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=[My Client]&response_type=code&redirect_uri=[My Account]/Account/Office&response_mode=query&scope=openid%20User.Read%20offline_access%20Directory.ReadWrite.All
Confirm the code I receive back on my Return URL
POST https://login.microsoftonline.com/common/oauth2/v2.0/token?...secret and so on...
Now what I get is an object with Access Token, Renew Token and so on and so forth.
If I use it to get users, it's all working:
https://graph.microsoft.com/v1.0/users
But when I try to perform other operations the token seems invalid.
For instance:
Get Azure subscriptions (the account is admin of several subscription):
https://management.core.windows.net/subscriptions ==> UNAUTHORIZED
What I'm doing wrong? Is the IDEA behind it correct?
I really need to be done at a "global" level without config manual steps on every subscription or putting in some "TenantID" manually.
You've requested a token with scoped for the Microsoft Graph API which is why you can use API endpoints surfaced by https://graph.microsoft.com/.
The call to https://management.core.windows.net/subscriptions is not part of Microsoft Graph API so you're token isn't valid for that resource. That call is into the Service Management REST API. Authenticating for this API is documented here.
I have a PHP website, say for the purpose of some other users contributing videos to my youtube channel. I have successfully setup OAuth and Google API to upload a video from that website to my youtube channel.
The problem I am facing is, I have to authorize for every session from the website to upload. So when I give the link to someone else and ask them to upload they will not be able to bypass OAuth and upload. (I can't give my credentials).
I went through the PHP documentation for Google OAuth but it wasn't very clear. I am kind of guessing we have to store the token during the initial auth and then use it for further operations, but not able to figure out how exactly to do that. Any help/snippets on how to do this?
The OAuth 2.0 server-side flow, independently from its implementation in the YouTube API, will return two tokens after proper authentication and authorization by the resource owner (= channel owner = you, in this case). These two tokens are:
An access token. It is used to query the API and perform operations (e.g. uploading a video). Access tokens expire over time.
A refresh token. It is solely used to obtain new access tokens when the old one has expired. The refresh token cannot be used to query the API.
As long as the server application keeps track of at least the refresh token (since it can get new access tokens with it at any time), it is able to query the API without the need for consecutive authorization by the resource owner (until the resource owner manually revokes the application's access to the resource).
At this point, anybody who is in possession of a valid access token is able to perform operations on behalf of the resource owner (within the scope that he has given his permission). If you want your users to be able to directly upload to your channel from their own machines, you could theoretically provide them with the access and refresh tokens. This procedure has a few downsides, however:
The API cannot distinguish between you and them. If you can do everything, so can they. Everything they do is your responsibility. That is the main reason the tokens are to be considered a secret.
There is only one valid access token per resource owner per application at any time. If one client uses the refresh token, all other clients will find themselves locked-out and have to use the refresh token again, thus again locking out all the others and so forth. This means that operations can only be performed one user at a time.
The go-to solution is to implement your own authentication mechanism to guard access to your application, which in turn can access your channel. I have no experience with uploading videos with the YouTube Data API v3, so the only way I can think of is that users upload the video to your server which will then forward it to YouTube's upload servers. That of course means that all traffic is routed through your application server, which is obviously not perfect. But that's another matter for another question.
Our team is starting to build out a SMART on FHIR (SoF) application. SoF uses OAuth2 access_tokens to represent authorizations. Our app is using the code grant to get a token (https://oauth2.thephpleague.com/authorization-server/auth-code-grant/).
I'm pretty new to OAuth2 (used to SAML) and have been reading up on the standard. I think we may be conflating what the access_token is intended to represent.
Is the intent in OAuth2 that the access_token represents the permissions the resource owner (end user) has granted to the client (web application) to perform on their behalf?
Or is the intent to rely that the resource owner (end user) is allowed to preform certain operations?
For example say the auth token request has a scope called 'contacts-update'. If we get an access_token back with this scope, does that mean the user has allowed the application to attempt to update contacts (on their behalf) or does it mean that the user has the underlying requirements (they are in the update contacts role) to be able to update contacts?
As you wrote, the OAuth2 access token represents a permission delegation from a resource owner to a client (application), so the client can perform operations on behalf of the resource owner. That's also why there is a consent page - the user agrees on giving the application permissions (scopes) it requested.
Sometimes, people want to use OAuth2 as a central authentication server and a permission configuration for their applications. They want each application to see all permissions the user has configured for it. Then it doesn't make sense for application to ask for specific scopes, but to configure the OAuth2 server to return all relevant for that application (identified by a client_id). But I don't think this is the intended way of usage and the OAuth2 specification doesn't cover this scenario.
OAuth2 can also be used for authentication only, if it supports OpenID Connect extension. Then applications can ask for ID tokens. ID token proves identity of a user and the permissions are handled in each application separately.
I have an api that accesses personal files. I have persons that own a personal file and I have a consultant that can obtain access to view a personal file through oauth delegated access tokens. A person can revoke access to his personal file by revoking the access token. This works fine if the consultant wants to access a single personal file. But how do I make a request where the consultant can retrieve all files he has access tokens for?
I would suggest that the client makes uses a Client Credentials grant to the Authorization Server with a scope that indicates that it wants to get an access token for all currently granted access tokens. The Authorization Server would then consult its database of access tokens granted to the client and issues an access token that represents the combined set of current permissions.
Of course that would requires work on the Client, the Authorization Server and the Resource Server (API) side. There's no "out-of-the-box" solution for it that wouldn't require additional work.
I want to provide a service using the facebook api to third parties. Is it possible for us to share access tokens? If the third party gives my service a user's access token, can I access that users data even if my app_id & secret do not match the app that requested it?
Should I have the users go through a separate oauth flow on my site even if they have already completed it for the other third party?
Thanks.
-ken
Even that user access token is issued only for one app it can be easily used from any other application.
Example:
Get access token for "Graph API Explorer" application here https://developers.facebook.com/tools/explorer/?method=GET&path=me and make a request - you will see your data.
Copy access token and open other machine|browser and go to https://graph.facebook.com/me?access_token=[access_token] - you still able to retrieve information about your Facebook user!
Here https://developers.facebook.com/docs/concepts/login/access-tokens-and-types/ it mentioned that
Our Data Policies explicitly prohibit any sharing of an Access Token for your app with any other app. However, we do allow developers to share Tokens between a native implementation and a server implementation of the same App (ie. using the same App ID) as long as the transfer takes place using HTTPS.
Regarding:
Is it possible for us to share access tokens?
and,
can I access that users data even if my app_id & secret do not match the app that requested it?
The answer is No. From the specs OAuth2 section 10.3:
Access token credentials (as well as any confidential access token attributes) MUST be kept confidential in transit and storage, and only shared among the authorization server, the resource servers the access token is valid for, and the client to whom the access token is issued.
Should I have the users go through a separate oauth flow on my site even if they have already completed it for the other third party?
The answer is Yes. If you're using facebook as authorization server, and you restart the oauth flow again, your user will only need to approve your other app (third party).
Each access token is issued only for one app - it cannot be used with different application IDs.