I am playing around with oauth2 using auth0. I that I am able to send simulate the implicit flow using a REST client. My problem is that I am able to get the user details without a consent screen being popped up. The flow is as follows
1. I send the username, password, and client Id.
2. Get the access token
3. Send the request asking for user information using the access token in step 2. Here I get the response back with the user details, however there is no consent screen, popping up to the user to grant access. Istn't this like a flaw?
Related
I attempted to ask this question before, but after some research, I have distilled down and reworded the question a bit better.
Two things about our set up:
We have a Connected App for pulling data from the chatter_api.
We have an Auth Provider (OIDC) in Salesforce.
During our app's oauth authorize flow, if the user is not logged into Salesforce, a login screen is presented. That's expected behavior, of course, but we want to be seamless and skip the login if possible.
In our scenario, most of the time, the Salesforce user session will not yet exist. But the user WILL be logged in at our Auth Provider. Login screen even shows "Or log in using: <our Auth Provider>". My question is, can we somehow configure our authorization flow to automatically attempt SSO and skip the login screen (assuming successful SSO)? Any other ideas?
Try to do it in another area,not in connected app. Setup->My Domain, scroll down to login options and leave only the SSO checkbook.
From now on navigating your branded login page (mycompany.my.salesforce.com) should auto redirect you to your Auth provider (and if you have valid session - back to sf). You'll still be able to use sf username & password on generic login page (unless you blocked it in My Domain) and by "hacking" your way to the mycompany.my.salesforce.com?login url
I have implemented a google oauth signup.
I can request the tokens with the code provided when the user clicks login via google.
However, the tokens only include the refresh token the very first time that the user signs up/logs in.
All later attempts to get tokens with the auth code only return an access token, but not a refresh token.
I have to manually revoke the app permission in the user's google settings in order to force a new permission prompt which provides me with a new refresh token.
Is there some way to request a refresh token with the auth code? I.e. not just during the first login.
I found the solution. The refresh token is only sent with the response when the consent screen is shown to the user. This only happens during the first login and once the user grants the permission the screen will not be shown anymore.
However, it is possible to force show the consent screen, which results in the refresh_token being sent.
You can do this by adding
prompt=consent
to the oauth url.
or if you use the php api you can set it like this:
$client->setApprovalPrompt('consent');
I am working on integrating Outlook's calendar REST API with my personal system.
Using the authorization code grant flow, I am able to get a user to login to an application that I have registered in https://apps.dev.microsoft.com. Once a user has logged in successfully, I receive a code on my redirect URL. Using the code, I fetch his bearer token (basic oAuth code flow).
Now, the confusion is with their documentation. They have 3 types of API, o365, outlook.office and graph. I am using their graph API for the calendar resource.
I'm using https://graph.microsoft.com/v1.0/me/calendarview to fetch events from the primary calendar, https://graph.microsoft.com/v1.0/me/events to create events in the primary calendar and https://graph.microsoft.com/beta/$batch for batch requests.
There are some scenarios that I want to cover here. When a user changes his/her outlook password, I need the user to re-login to the app so I can use a valid bearer token. From outlook documentation, it looks like the refresh token becomes invalid as soon as the user changes the password (search for refresh tokens become invalid); which means, at the worst case, I can use the bearer token for an hour (default) to authenticate the API's.
Is this normal of an oAuth flow? I always thought the bearer token would become invalid when a user changes the password.
Since I am working in an organization, I want my application to only be accessible by AD users in my organization.The application manifest has a field called availableToOtherTenants, which is defaulted to true. I changed the field to false so that only the users belonging to the organization AD can access it. But it looks like I am able to login to the application with my personal outlook account as well; in spite of this change.
What am I doing wrong here? Am I doing the right this by registering
an application in https://apps.dev.microsoft.com?
The normal flow for OAuth2 as described in this SO reply is as follows:
Send API request with access token
If access token is invalid, try to update it using refresh token
if refresh request passes, update the access token and re-send the initial API request
If refresh request fails, ask user to re-authenticate
This is all well and good for most API calls, but I wonder one thing: Authentication.
When a user attempts to sign in to my fancy new webapp using their favourite service, should I use their refresh token (or cached access token in the case of OAuth1) to attempt a sign in, or should I always go and get a fresh token from the service provider (Google, Facebook, etc) and discard the stored access and refresh tokens?
User authentication and OAuth 2.0 are two different things. The difference is explained in detail in: http://oauth.net/articles/authentication/. Even when building user authentication/SSO protocols on top of OAuth 2.0 - which is what OpenID Connect does and some vendor-specific implementations - the refresh_token still always applies to the access_token not to the user authentication event or identity token.
You can not use a refresh token on its own to refresh a user's login session since some interaction with the user (may be active, may be passive) through the browser is required to confirm that the user is (still) present.
To refresh a user's login session you will always have to redirect to the identity provider and get fresh authentication information. Note that that interaction will probably also give you a new refresh token that could be used to refresh the access token.
I am in the process of designing an app that is supposed to let you login using either a username/password combination or facebook login. We have a custom OAuth server that uses user credentials to authenticate users. Now, the question is how to add facebook into this.
As I see it now, when the user wants to login with facebook, the client does all the work and gets the access token in the end. But how do we let our server know that this access token is a good one (and corresponds to a user in the database)? To me it seems like our OAuth server should be able to handle this as well, and I'm just missing the how.
OAuth supports different scenarios (flows). Client-does-all-the-work is so called "implicit" flow.
In your case it would be better to use authorization-code flow and extend your OAuth server. You put a "Facebook" button on your login page and instruct Facebook to redirect to a new special page on your OAuth server. Delivered authorization code then can be exchanged to the access token inside of your OAuth server and the server may issue its own session and tokens based on this.