I am trying to generate an OAuth token for OneDrive by using Postman. I just wanted to ask for clarification as to what the Auth URL, Access Token URL and scope would be?
I have tried it with:
Auth URL: https://login.microsoftonline.com/common/oauth2/v2.0/authorize
Access Token URL: https://login.microsoftonline.com/common/oauth2/v2.0/token
Scopes: wl.signin
However, I keep getting an error saying that the scope is not correct. Just as a sanity check, are these the correct settings?
Please refer to https://dev.onedrive.com/auth/msa_oauth.htm for full documentation of the possible auth flows, scopes etc.
auth URL: https://login.live.com/oauth20_authorize.srf
token URL: https://login.live.com/oauth20_token.srf
Valid scopes can be:
offline_access
onedrive.readonly
onedrive.readwrite
onedrive.appfolder
Documentation of the OneDrive API in general, including the above link, can be found here: https://dev.onedrive.com/README.htm
From the Auth/Token URLs, it looks like you're trying to use the unified consumer / work OAuth 2.0 endpoint for Microsoft Graph. The wl.signin scope isn't a valid scope for that endpoint. That scope is only available for the Microsoft Account (consumer only) authentication.
With those URLs, you'll want to use the User.Read scope, which grants you the ability to sign in and read the signed-in user's basic profile. Additional scopes available on that endpoint are documented here: https://graph.microsoft.io/en-us/docs/authorization/permission_scopes. Since you mentioned OneDrive, you'll probably want to include Files.ReadWrite as one of your scopes as well, so your app can access the user's OneDrive files.
Related
I'm trying to add Doorkeeper plus Devise with Google and Facebook user authorization on an API!
I followed this post https://www.vic-l.com/jwt-with-refresh-token-using-devise-and-doorkeeper-without-authorization
And this:
https://naturaily.com/blog/api-authentication-devise-doorkeeper-setup
To start with, both remove the oauth_applications table.
I've done as the tutorials but I'm getting this response:
response_code: "doorkeeper.errors.messages.unsupported_grant_type",…}
response_code: "doorkeeper.errors.messages.unsupported_grant_type"
response_message: "The authorization grant type is not supported by the authorization server."
state: nul
So I would like to know whether the oauth_applications table is necessary and whether I need to set up the clients to authorize.
The articles you've mentioned use the Resource Owner Password Flow, i.e. they are authenticating the user via credentials to give access to resources with an access token. See the configuration option:
grant_flows %w[password]
In such a case, yeah, you don't need applications (clients which will interact with the API). But if you want to show an authorization window for your customers, you should use the Authorization Code Flow (from your response I see you're trying to invoke exactly this flow).
In section 5.4 of the OIDC spec (https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims) it says “The scopes associated with Access Tokens determine what resources will be available when they are used to access OAuth 2.0 protected endpoints.”
As I read this, it seems straightforward: if you have any permissions which an API should respect, then you put them within the "scopes" claim of an access token.
However, both Auth0 and Okta put a user's permissions within a custom claim. In Auth0's case, it puts a user's permissions within a "permissions" claim, and in Okta's case, they put them within a "groups" claim of the access token.
Because both of these identity providers put the permissions as a custom claim, it makes me think I am reading the spec wrong. Does anyone have thoughts or can clear up when to put permissions in a custom claim vs putting them in the scopes claim?
Scopes tend to be a high level permission such as 'read / write' or which API(s) the token can be used against. Claims are what your API needs to identify + authorize requests. Not all claims are included in access tokens. My write up here may help you to understand your choices: https://authguidance.com/2017/10/03/api-tokens-claims
The difference here is the scopes for the token vs the permissions for the user. Some Auth0 users will add a user's permissions in a custom claim to do things like gate content. The scopes in the token are explicitly describing what the token has access to.
This doc shows an example of the access token with scopes:
https://auth0.com/docs/api-auth/why-use-access-tokens-to-secure-apis#compare-the-tokens
Here is an example of adding permissions to a token via a custom claim (id token in this instance):
https://community.auth0.com/t/how-do-i-add-user-permissions-to-id-token/28611
I would like a JWT access_token to contain a list of security groups. From reading the documentation I attempted setting "groupMembershipClaims": "All", in the manifest of my application registration.
The setup is that I have an Azure AD domain with 2 users. Then I have 2 groups: [user, admin]. Each user has one of the groups assigned to it. Each group is of type security.
I am attempting to perform the OAuth Code flow manually, by going to the URL formatted similar to this:
https://login.microsoftonline.com/<tenantid>/oauth2/v2.0/authorize?client_id=<application-id>&response_type=code&redirect_uri=http://localhost:8080&response_mode=query&scope=offline_access%20user.read%20mail.read&state=12345
Then I log in using the user account I set up in Azure AD. Then I use Postman to submit a POST request to https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token with parameters:
client_id = <client-id>
code = code from previous login,
redirect_uri = http://localhost:8080
grant_type = authorization_code
scope = user.read mail.read
I get a valid response back, with an access_token. However when I decode it there is no group claim listed at all.
How can I get the groups listed in the token?
According to my research, the Azure AD v2 endpoint of Azure Active Directory does not yet support groups claims in its token. For more details, please refer to the document. If you want to get all groups one user belongs to, you'll need to query the groups from the Microsoft Graph API. You can find the API documentation here: https://learn.microsoft.com/en-us/graph/api/user-list-memberof?view=graph-rest-1.0.
If you use the app to access your own API, in order to get the group claim in the access_token, you need to configure the groupMembershipClaims value as you want in the API manifest; then you could get the group claim information in the access_token.
But if the accessed resource is the MS Graph API or Azure AD Graph API, you could not configure them; you could only use OpenID Connect to get the id_token, and then you could see the group claim in the id_token. In your flow, you could add openid to the scope; then you could find the group information in the id_token.
I tried the OAuth2 code flow in Postman:
And it returns the access_token and id_token. To parse the id_token, I get the group information:
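As an added example (not code from any of the posts above), this Python snippet does what the two Azure AD and Auth0/Okta threads describe by hand: it decodes a JWT payload without signature verification, purely to inspect which claims the identity provider actually placed in the token, and then shows the scope-versus-claims split an API would apply, a coarse check on the token's scopes (`scp` or `scope`) and a fine-grained check on a user-level `groups` claim. The tokens, group identifiers and scope names are constructed sample values, not real issuer output.

```python
import base64
import json


def _b64url(data: dict) -> str:
    """Base64url-encode a JSON object with the padding stripped, as JWTs do."""
    raw = json.dumps(data, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def make_unsigned_jwt(payload: dict) -> str:
    """Build a JWT-shaped string with a DUMMY signature (constructed sample only)."""
    header = {"alg": "RS256", "typ": "JWT"}
    return f"{_b64url(header)}.{_b64url(payload)}.dummysig"


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload segment WITHOUT verifying the signature.

    Only suitable for inspecting which claims an IdP put in a token
    (as the questions above do); never use it to trust a token.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated segments")
    seg = parts[1]
    seg += "=" * (-len(seg) % 4)  # restore the base64url padding JWTs strip
    return json.loads(base64.urlsafe_b64decode(seg))


def token_scopes(claims: dict) -> set:
    """Azure AD v2 delegated tokens carry 'scp'; Auth0/Okta-style tokens carry 'scope'."""
    raw = claims.get("scp") or claims.get("scope") or ""
    return set(raw.split())


def authorize(claims: dict, required_scope: str, required_group: str) -> bool:
    """Coarse check: does the TOKEN carry the scope this API requires?
    Fine check: does the USER (via a 'groups' claim) hold the required group?"""
    if required_scope not in token_scopes(claims):
        return False
    return required_group in claims.get("groups", [])


if __name__ == "__main__":
    # Constructed access token as in the Azure AD question: scopes present, no groups claim.
    access = make_unsigned_jwt({"aud": "api://sample-api", "scp": "Files.ReadWrite User.Read"})
    print(decode_jwt_payload(access))  # no 'groups' key: the API must look elsewhere
```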
I'm trying to obtain Auth Token using following tutorial:
https://learn.microsoft.com/en-us/azure/active-directory/active-directory-protocols-oauth-code
The important thing is that I'm not providing the "Resource" parameter. According to the documentation it's optional.
I am able to obtain the Authorization Code, but when I try to use it to get the Access Token I'm getting:
AADSTS50001: Resource identifier is not provided
According to the documentation Resource param should only be required if it was specified in the request for Auth Code. With Resource param it works fine, but I need to implement it without it.
In the original OAuth 2.0 specification, there is no resource parameter in the authorization request. It uses the scope parameter. The authorization and token endpoints allow the client to specify the scope of the access request using the "scope" request parameter.
Based on my understanding, when Azure AD implemented OAuth 2.0 (the 1.0 endpoint), the resource was used to specify which resource you are requesting the access_token for. And Azure AD will issue the token with the scp based on the permissions you configured on the portal for the resource.
And in the v2.0 endpoint, Azure AD also uses the scope to support dynamic permission requests. For more detail you can refer here.
Make sure you have registered the application redirect uri in Azure AD. The redirect uri on the request needs to match the one registered on the identityprovider.
Request: authorize?client_id=<id>&scope=<scope>&response_type=id_token token&redirect_uri=<uri>
Hello kind people of the internet.
Does Google OAuth2.0 support an OAuth-flow for a Resource Owner Password Credential Flow?
...and if so, then:
A.) can this type of OAuth flow be tested on the Google OAuth2 Playground?
B.) are there any examples of the "Resource Owner Password Credential Flow" with Google OAuth2.0 and the Google APIs?
Per an OAuth presentation recently in Oslo NDC 2013, this subject flow apparently skips the authorization end point all together and directly talks to the token end point of the OAuth2 server. The request syntax incantation would supposedly look something like this:
grant_type=password&
scope=resource&
user_name=owner&
password=password&
My understanding is the Resource Owner Password Credential Flow is for trusted applications in a back-end enterprise type of situation (where a name-password pair could be securely stored).
This particular OAuth flow would require no end-user consent interaction (no pop-up of a browser to Accept, then get a returned authorization-code, etc). In this subject flow the access & refresh token are directly returned, again: with no end-user interaction (albeit after an entry of a username-password).
Looking through the Google OAuth documentation ( link to Google OAuth2 docs ) there does not seem to be any mention of anything resembling Resource Password Credential Flow, but not sure that necessarily means it is explicitly not supported by Google.
Any help or advice would be much appreciated.
Thanks in advance.
Dear kind internet person,
It is true that the Resource Owner Password Credential Flow is not supported on Google, but Google suggests you use the Installed Application Flow, which is described in: https://developers.google.com/accounts/docs/OAuth2InstalledApp.
You would need to create an Installed Application in the Google Console (https://code.google.com/apis/console), when you do that you can fetch the client_id and build a GET request with the parameters, which would look like so:
https://accounts.google.com/o/oauth2/auth?
scope=<scope>&
redirect_uri=urn:ietf:wg:oauth:2.0:oob&
response_type=code&
client_id=<client_id fetched from google console>
You would construct this URL and navigate to it in your browser, allow access for the app, and Google would give you what I believe is a code which you can use to get credentials. You can use those credentials to get an access token and refresh it, and these credentials are permanent. There's a good example of that on GitHub. Note that you only need to get those credentials manually once, and then you save those credentials somewhere and keep using them to get/refresh tokens.
Hope this helps!
As far as I know, No. The OAuth 2.0 stuff is for Google accounts, for which Google does authentication.