OAuth2 with Azure Active Directory without specifying the resource - oauth-2.0

I'm trying to obtain Auth Token using following tutorial:
https://learn.microsoft.com/en-us/azure/active-directory/active-directory-protocols-oauth-code
The important thing is that I'm not providing the "Resource" parameter. According to the documentation it's optional.
I am able to obtain the Authorization Code, but when I try to use it to get the Access Token I'm getting:
AADSTS50001: Resource identifier is not provided
According to the documentation Resource param should only be required if it was specified in the request for Auth Code. With Resource param it works fine, but I need to implement it without it.

In the original OAuth 2.0 specification, there is no resource parameter in the authorization request. It uses the scope parameter. The authorization and token endpoints allow the client to specify the scope of the access request using the "scope" request parameter.
Based on my understanding, when Azure AD implements OAuth 2.0 (v1.0 endpoint), the resource parameter is used to specify which resource the access_token you request is for. Azure AD will then issue a token whose scp claim is based on the permissions you configured on the portal for that resource.
In the v2.0 endpoint, Azure AD also uses the scope parameter to support dynamic permission requests. For more detail you can refer here.

Make sure you have registered the application redirect uri in Azure AD. The redirect uri on the request needs to match the one registered on the identity provider.
Request: authorize?client_id=<id>&scope=<scope>&response_type=id_token token&redirect_uri=<uri>

Related

In OAuth2, is the /introspect endpoint meant for the OAuth Client to call, or the OAuth Resource Server to call?

I'm learning about the OAuth /introspect endpoint as a means to validate an Access Token. I'm using Okta, which I think is relevant to the question.
I've read online that the /introspect endpoint is intended to be called by an OAuth Resource Server (for example, an OAuth Client would call a Resource Server, providing an Access Token, and the Resource Server would call the /introspect endpoint to make sure the token is valid).
However, the /introspect endpoint (at least with Okta) requires you to provide the OAuth Client credentials (either as a basic auth header, or in the case where there is no client secret, just a client_id request param).
So, how can the Resource Server call the /introspect endpoint when it doesn't have the OAuth Client ID and/or secret? This is making me wonder if the /introspect endpoint is meant to be called by the OAuth Client instead, which to me, doesn't seem as useful.
Please refer to this article. Resource server needs to be a registered client application at Okta and client credentials in /introspect refer to this client's.
Based on my understanding the introspection endpoint is meant to be called by an API resource.
This endpoint is used by the API resource in order to validate the bearer token provided with an incoming HTTP request issued by a client application.
Most of the time this happens when the provided bearer token is a reference token, so the API resource server needs to know whether the provided reference token is associated with a valid access token. This information must be requested from the secure token server via a call to the introspection endpoint.
You can find more information here in the identity server docs. Identity server is a .NET implementation of the openid connect protocol, which is itself based on oauth2.
This is documentation that shows you how to call the introspection endpoint programmatically. This documentation is specific to a .NET library called identity model, but this is not relevant to your question, because the library simply implements the protocol.
As you can see in the example of the linked documentation, the client id that you need to specify when you call the introspection endpoint is simply the name of the API resource. The client secret is the API resource secret that you have defined for your API resource.
So, the source of your confusion is simply a terminology overload. In the context of the call to the introspection endpoint both of the following equations hold true:
client id == API resource name
client secret == API resource secret
These docs confirm both of my assumptions.
If it helps here are a few resources of mine, to add to Enrico's answer:
API Setup - see step 6 - you have to register an OAuth Client for the API
API OAuth Messages - see steps 16, 17 and 19 for the three types of response your API needs to deal with
API Code - for an example implementation in NodeJS
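The resource-server side of the introspection call described in the answers above, as an added example that is not code from any answer or from Okta or IdentityServer: the API authenticates to /introspect with its own registration (client id == API resource name, client secret == API resource secret), then checks active, exp, aud and scope before trusting the bearer token. The endpoint URL, resource name, secret and scope are placeholders, and the HTTP transport is injected so the logic runs offline.

```python
import base64
import time
from urllib.parse import urlencode

# Constructed registration of the API at the authorization server (placeholder values).
API_RESOURCE_NAME = "orders-api"            # sent as client_id to /introspect
API_RESOURCE_SECRET = "constructed-secret"  # the API resource secret
INTROSPECT_URL = "https://issuer.example/oauth2/v1/introspect"  # placeholder URL
REQUIRED_SCOPE = "orders:read"


def build_introspect_request(token: str) -> dict:
    """Build the RFC 7662 request the API sends, authenticated as itself (HTTP Basic)."""
    creds = f"{API_RESOURCE_NAME}:{API_RESOURCE_SECRET}".encode()
    return {
        "url": INTROSPECT_URL,
        "headers": {
            "Authorization": "Basic " + base64.b64encode(creds).decode(),
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urlencode({"token": token, "token_type_hint": "access_token"}),
    }


def check_introspection(resp: dict, now=None) -> tuple:
    """Decide whether an introspection response authorizes the incoming request."""
    now = time.time() if now is None else now
    if resp.get("active") is not True:          # an inactive token carries no other claims
        return False, "token inactive"
    exp = resp.get("exp")
    if exp is None or exp <= now:
        return False, "token expired"
    aud = resp.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud  # aud may be a string or a list
    if API_RESOURCE_NAME not in aud:
        return False, "token not issued for this resource"
    if REQUIRED_SCOPE not in resp.get("scope", "").split():
        return False, "required scope missing"
    return True, "ok"


def authorize_request(token: str, transport) -> tuple:
    """transport(request_dict) -> parsed JSON dict; injected so this runs without a network."""
    return check_introspection(transport(build_introspect_request(token)))
```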

Azure requires Scope in client credentials grant

I have 2 registered apps in Azure AD - one is a webapi that receives a webhook from SendGrid with an access token. The other is the registration of the SendGrid app so that it can request a token using Client Credentials grant. Admin consent has been granted for the exposed API to the SendGrid app registration.
In SendGrid's webhook configuration on their server (the service is in beta), we are asked for client_id, client_secret and token endpoint. We also configure the web api resource url that it will eventually send the token and its webhook data.
In the Azure identity platform, scope is required, but in the RFC it is optional. SendGrid does not configure nor send the scope. So these implementations appear not to be able to work together.
2 questions:
If you do not send a scope to some other RFC-compliant token endpoint, I presume this means the requester can be authorized but the JWT has nothing for audience?
If according to the RFC scope is not required, can the resource server check "this was meant for me"?
I understand we can validate the issuer and any extra claims but it seems odd that one of the validations that is emphasized most in Azure AD, Auth0 documentation etc is "audience" yet the RFC allows the scope to be missing in the token request. One of the answers here again emphasizes this requirement.
I wondered if a scope could be configured in the client app registration manifest if it is missing in the request but could not find anything that looks like that.
Thanks in advance for insights.
I'm not sure if this will fix your issue, but have you tried this: on the app registration that has the exposed API configured, there is an authorized client applications section under it; try adding the other app registration's id in there. I have anecdotally seen that even without requesting the scope, it will return that scope in the token.
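The "this was meant for me" check the question asks about, as an added example that is not from any answer: a resource server verifies the token signature first and only then checks iss, aud and exp. To run offline it mints an HS256 token with a constructed key; Azure AD tokens are RS256-signed with published keys, so in production the signature step uses those keys, but the claim checks are the same. Issuer and audience values are placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

DEMO_KEY = b"constructed-demo-key"                      # constructed; real tokens use RS256
EXPECTED_ISSUER = "https://issuer.example/tenant-placeholder/"
EXPECTED_AUDIENCE = "api://webhook-receiver"            # this API's identifier (placeholder)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_demo_token(claims: dict) -> str:
    """Issue an HS256 JWT so the validator below can be exercised without an issuer."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(DEMO_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def validate_token(token: str, now=None) -> tuple:
    """Signature, then issuer, audience and expiry; reject before reading anything else."""
    now = time.time() if now is None else now
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return False, "malformed token"
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        return False, "unexpected alg"                  # never let the token choose the alg
    expected = hmac.new(DEMO_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(payload))
    if claims.get("iss") != EXPECTED_ISSUER:
        return False, "wrong issuer"
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])  # aud may be string or list
    if EXPECTED_AUDIENCE not in aud:
        return False, "token not meant for this API"    # the audience check itself
    if claims.get("exp", 0) <= now:
        return False, "expired"
    return True, "ok"
```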

ADFS 2016 - OAuth2 SPA - Get a new token silently

I have a SPA where the user authenticates in ADFS and the application gets an access token. I am trying to use JS code to simulate the functionality of ADAL JS where a hidden iframe is used to make a request to ADFS to get the new token.
This is the 'src' value of the iframe:
https://../adfs/oauth2/authorize?client_id=...&response_type=id_token&redirect_uri=...&prompt=none&domain_hint=...&login_hint=...&nonce=...
The ADFS is configured with two realms: AD and ADLDS (LDAP). Because of this I am not sure what values I need to pass on domain_hint & login_hint parameters for a user in ADLDS.
The request fails with message:
https://....html?client-request-id=...#error=login_required&error_description=MSIS9621%3a+Unable+to+handle+the+OAuth+authorization+request+without+getting+user+input.
The ADFS event viewer shows this error:
Exception details:
Microsoft.IdentityServer.Web.Protocols.OAuth.Exceptions.OAuthNoPassiveException: MSIS9233: There are multiple identity providers found for OAuth Authorization request with prompt set to none. Unable to complete home realm discovery.
Is this functionality actually supported in ADFS 2016? Any idea as to what I am doing wrong?
The prompt=none request parameter says that you want the server to process the /authorize request without user interaction. But during its processing, there is something that needs user interaction - the server probably doesn't know which identity provider to choose, so it returns the error. If you make the same request just by pasting the /authorize URL into your browser without the prompt=none parameter, the server will probably give you the possibility to choose a provider.
You wrote you would like to get an access token, but your /authorize URL contains response_type=id_token. If you want an access token, the parameter should be response_type=token (see RFC).
Looking at the Azure doc, the domain_hint request param is supported for OpenID Connect, so your request's scope parameter should contain the openid value. It's also necessary for getting an ID token (if you want it).

Getting resource from another resource in Oauth2

So here is a case:
I have identity server, client application and resource (API). Identity server provides user info on the endpoint http://identityserver:8080/connect/userinfo. If you send a request with a valid access token you will get additional information about the user. If I need this information on the resource, how would I get it? I have two ideas:
Get the user info with the client. (Client sends a request to the userinfo endpoint, obtains the information and then sends it with the request calling the API.)
Resource API creates a request to the userinfo endpoint itself with the access token. The problem here is that if I want to get the token value from the token store, it is not supported information (Java Spring), so basically I do not have the access token on the resource server.
I understand that userinfo endpoint is basically resource so my question is how to proceed if I want to get resource from another resource with keeping all best practice around OAuth2 and OpenID connect.
The solution is to use a different grant type. The most suitable is the Client Credentials. An identity server is needed to register a new client id and secret which can be used to exchange access token for API.
The access token is (I assume) available to your API so you can simply pass it on to other APIs (e.g. the userinfo endpoint) assuming the token contains the correct scope.
I'd recommend creating your own abstraction that makes it possible to get the raw ambient token used in the current request so you can then use it to call other APIs.

MobileFirst Adapter obtain OAuth Token

I have a Java Adapter on my MobileFirst Server. I want to obtain an access token from the server in order to call the Adapter-API functions.
I have successfully done this with Postman using "Basic Auth" by giving Username and password (which I had defined in the MFP console before that) as parameters.
Now I want to get a token by using OAuth 2.0 as Type. How can I do this? I do not see any settings for that in the MFP console.
You can access the /token endpoint only with the Basic Authentication option. The /token endpoint does not support access with an OAuth token instead of Basic Auth.
The approach you are taking is to access Adapter endpoints from non-MFP SDK methods (REST clients, Curl etc.).
When using non-MFP SDK clients, you need to execute the steps manually:
create a confidential client for the scopes you require
Invoke the /token endpoint to obtain the token - here you will need to pass on Basic Auth to invoke the endpoint and also the scopes you need
Once you have the OAuth token, you will need to manually add the Authorization header to further requests and add the Bearer Token as the value.
If you are new to MobileFirst and want to refer to sample programs for accessing a protected resource via OAuth, you can refer to the samples.
For protected resource access via OAuth, please refer to the samples at https://www.ibm.com/support/knowledgecenter/en/SSHS8R_8.0.0/com.ibm.worklight.dev.doc/dev/c_oauth_custom_resource_request_samples.html
More securitycheck adapters samples for various user scenarios can be found here https://mobilefirstplatform.ibmcloud.com/tutorials/ru/foundation/8.0/authentication-and-security/
