How do you create a snapLogic REST Account for Yahoo OAuth2?
I'm able to get the Request Authorization part to work but after I authrozie the application, snapLogic does not have the Access token populated
Here are the settings that I used to successfully establish an OAuth connection with yahoo using the explicit grant flow (https://developer.yahoo.com/oauth2/guide/flows_authcode/)
Depsite the parameters that yahoo outlines in their documentation, the snapLogic REST Account object does not need you to explicitly define all of those parameters. Here are the parameters that I defined to get Authorize and Refresh token to work.
Related
I am having a difficult time getting a Microsoft Graph API call to work. Specifically, I am having a hard time with the authentication process working. I followed the directions in this article
http://martink.me/articles/using-microsoft-graph-in-logic-apps
However, when I make the api call of https://graph.microsoft.com/v1.0/me/messages/{id}, I get the error:
Current authenticated context is not valid for this request. This occurs when a request is made to an endpoint that requires user sign-in. For example, /me requires a signed-in user. Acquire a token on behalf of a user to make requests to these endpoints. Use the OAuth 2.0 authorization code flow for mobile and native apps and the OAuth 2.0 implicit flow for single-page web apps.
I then added an oAuth token call to get a token. Then I used that token in the Authorization header when making the Microsoft Graph Api call. I still get the same error.
Can anyone provide guidance on how best to make an Graph Api call in LogicApps? Do I only need the authentication discussed in the article? Or, do I need to call the Graph Api with an Authorization token? Do I need to make an oAuth authorization call before I make the oAuth token call?
This exception is caused by the token acquired using the client credentials flow. In this flow, there is no context for /Me.
This type of grant is commonly used for server-to-server interactions that must run in the background, without immediate interaction with a user(no user logged in).
For your problem, you are using client credential flow and you are granting application permissions, so you should request /users.
GET https://graph.microsoft.com/v1.0/users/{id | userPrincipalName}/messages/{id}
A newbie question about API security:
When I applied API service from some API providers, usually I just login and generate an api key or token in their api management site. After that I can embed this api key or token in the request to access the API.
I was told that the this is OAuth 2. But, after reading a few articles about OAuth 2, it seems the OAuth-2 token issued from OAuth server will expire and a refresh-token is required to fetch a new token.
But the API keys I got from those API providers does not mention about the expiration, instead, I can manually revoke the API Key on their API management site.
So, if I have some APIs which I want to use the similar way (let the user manage their own api key on my site) to protect, how can I achieve that by using the OAuth 2 server?
I think what you explained above are 2 different ways to authorize a request:
A. Using API Keys
These API keys are usually a long string that you generate inside a dashboard
You as a developer would usually have 1 API key throughout your app, and you append this API key to requests to the API provider
B. Using OAuth 2.0
OAuth 2.0 uses a different kind of token to authorize requests, it usually involves a short-lived access token and long-lived refresh token.
These tokens are usually for Users, each user will have a different token that expires every X days.
To acquire a token, the user has to "log in" to your site or an Identity Provider's site (like Google Accounts) and enter their credentials every time the token expires.
Here's a picture to show the difference:
If you want to provide an API service for other developers:
Use OAuth 2.0 to log in the developers to their dashboard (this means your server routes that interact with the dashboard would be protected by the OAuth 2.0 tokens, requiring the developer to log in to update some settings)
Use API Keys to access your provided API routes. Developers have to log in and generate API keys from the dashboard. Then they can use this API key to fetch resources from your API.
Here's a more thorough explanation about OAuth 2.0, access tokens, and how to implement it on your site.
I am working on creating an OpenID Connect (OIDC) Provider based around django-oidc-provider. I have been reading up on the OpenID Connect Spec, and I cannot figure out how access tokens are unique for a certain application.
Consider the following example with a user, Bob:
Bob wants to login to application A, so he goes to its interface and is redirected to the OIDC Provider. After authentication he is redirected (implicit flow) back to Application A with an ID token and an access token. He then makes a request at "/image/1" to A's API with his access token. The API uses the access token to reach out to the OIDC Provider to assert the user's identity as Bob. The API then returns the data at "/image/1" for user Bob, assuming that info exists. Bob continues to send his access token to A's API for any subsequent requests.
Then, Bob decides he wants to access application B's API. He sends B's API the same access token that he used with A's API. B's API reaches out to the OIDC Provider with the token and asserts the user's identity as Bob. B's API then returns the requested info for Bob.
What prevents this from happening? I see at least two possible solutions to this:
When reaching out to Google's token validation endpoint the "aud" parameter is returned. Application B's API would have to check this parameter to decide that the token is not valid for it's own API?
An additional scope must be added when requesting the token that is specific to the resource provider say "app-A-api". Then when an API is validating a token, the API would ensure the token contains the needed scope.
Which of these methods, or others, are in line with the OIDC spec?
If one of the above should be used, am I correct in assuming I should add a new /tokeninfo endpoint that returns the scope or aud, rather than add that info to the info returned at the /userinfo endpoint?
Any input is appreciated. I think a lot of my confusion comes from not seeing the "scope" param being used to delegate access to a resource provider in any OIDC examples.
I think the thing you are missing is that the application A and its API are two separate applications. So the tokens are issued for the application A. If the app-A-api uses the access token just for the user authentication, it's better to use an ID token - it can be validated without accessing the OAuth2 server. In this scenario, the app-A-api manages its user permissions by itself.
If the app-A-api needs the token to get a list of scopes (permissions) of its client, then use the access token. But in this scenario, the app-A-api (and app-B-api) are just accepting the access token - they are not the target audience (aud attribute) of the token. The application A is the audience of the tokens.
The APIs just check whether the access token contains scopes relevant for them. They trust the token issuer and it's up to the users to decide whether they trust the application A to perform actions on their behalf.
As an example, if a JavaScript application C (app-C) uses just Google Drive and Google Plus for its actions, then app-C will ask its user for an access token with scopes belonging to Google Drive and Google Plus. It will be just one token and both Google APIs will accept it.
And about the tokeninfo endpoint, it has it's own RFC called OAuth 2.0 Token Introspection, so you can check it.
We are setting up a OAuth 2.0 via PingFederate in our organization. The scenario in question is as follows - We have a website in which the customer would be logging in using user name and password. There are are also links within the site to redirect the customer to a partner site. The partner site would be securely passed some basic information via SSO payload.
The partner site would also need to be able to call back to our Apis (call made in the background) to get additional information about our customer which they will then use to display on their site.
Our Api’s are currently setup to be accessed via access token which the consumers of the Api get by following the Authorization Grant flow.
In the partner redirect scenario we want partner site not go through the Authorization code flow when it makes the Api call because the customer would have already logged into our site to start with using their credentials but instead when we redirect to the partner site provide it securely (SSO payload) the access and refresh token which it can then use to make the Api calls ?.
Is there a grant type that I can invoke telling my authorization provider (PingFederate) that I trust the customer based on the information that he has already provided now give me access token and refresh token and then redirect using that information (None of the grant types that I am aware is able to support it - does Ping OAuth setup support a flow wherein I can say I trust this customer give me access and refresh token )?
It sounds like you'd be combining SAML and OAuth to meet your business need. While it's not defined as a standard grant type, one potential solution is to include an Access Token in the SAML Assertion attribute payload so the partner application can then make calls without going through additional redirects. PingFederate does offer the ability to do this by using OGNL to create an access token in the attribute contract fulfillment. An example of how to do this is in our SDK documentation: https://www.pingidentity.com/content/dam/developer/documentation/pingfederate/server-sdk/9.3/index.html?com/pingidentity/sdk/oauth20/AccessTokenIssuer.html
If you need more guidance on selecting the right OAuth grant type, we have information on our developer portal that covers this. Please refer to: https://www.pingidentity.com/content/developer/en/resources/oauth-2-0-developers-guide.html#get_token
So I read the following on the Authorizing Requests to the Google Calendar API page written by Google folks.
Your application must use OAuth 2.0 to authorize requests. No other authorization protocols are supported. If your application uses Google Sign-In, some aspects of authorization are handled for you.
My knowledge of OAuth 2.0 is limited so I'm not sure if that means that I cannot get a one-time auth token for a user?
I'm building an app that will need to CRUD events for a user in the background based on other stuff. So I can't have the user authenticate over and over again. Is there a way around here?
If not, is there an Google Calendar alternative that has a dependable API that I could use?
When the user authenticates your application you are given an Access token (good for one hour) and a refresh token. You should save the refresh token, when ever you need to access the users data you can take the refresh token and ask Google to give you a new access token. It is the access token which gives you access to there account.
I wrote a tutorial that tries to explain Oauth2 how to set it up and how it works. Google Developer console Oauth2