In FIWARE Keyrock, using oauth2, how to I change the duration of the tokens from the default 3600 seconds?
I tried to change keystone.conf - [token] - expiration, with no success. I already get the information that oauth2 is not original from Openstack Keystone project, so that is the reason this configuration does not work.
Related
I'm requesting an access token via Azure AD, using the address:
https://login.microsoftonline.com/{TenantId}/oauth2/v2.0/token
The token returns correctly, however, the default lifespan of the token is 1 hour. Looking at the Microsoft documentation, there doesn't appear to be a parameter I can pass to request a token with a custom lifespan.
Is it possible to request a token with a short(er) lifespan?
Yes, you can configure your Azure Active Directory token lifetime minimum 10 minutes.
You could use following power-shell command to create your token lifetime policy.
$policy = New-AzureADPolicy -Definition #('{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"02:00:00","MaxAgeSessionSingleFactor":"00:10:00"}}') -DisplayName "WebPolicyScenario" -IsOrganizationDefault $false -Type "TokenLifetimePolicy"
For more details you could have a look these official docs.
Note
Configurable token lifetimes in Azure Active Directory is now in (Preview) which is not recommended to use on production
Does anyone know what the expiration period of an OAuth Access Token on GitLab is?
It's at least 12 hours (from experience), but I would like to know for sure so I don't refresh the token unnecessary.
PS: GitLab ... it would be very convenient if the expiration is simply returned when getting/refreshing token (PS: the documentation states that "expires_in": is returned ... BUT IT ISN'T)
from https://forum.gitlab.com/t/missing-expires-in-in-the-token-response/1232/2:
Gitlab uses Doorkeeper for oauth.
The Doorkeeper wiki has an ariticle "Customizing Token Expiration" > https://github.com/doorkeeper-gem/doorkeeper/wiki/Customizing-Token-Expiration2
This wiki tells us a configuration "access_token_expires_in". I > searched in gitlab source code and found it sets to nil.
This meas the 'access_token' will never expire.
Also, this is from https://gitlab.com/gitlab-org/gitlab-foss/-/blob/50d66f5ece57dcfbe074d97703691a8d3c38f4ac/config/initializers/doorkeeper.rb#L42:
# Access token expiration time (default 2 hours).
# If you want to disable expiration, set this to nil.
access_token_expires_in nil
On GitLab, OAuth "access tokens expire in two hours".
Access tokens expire in two hours which means that integrations that use them must support generating new access tokens at least every two hours.
In older versions, OAuth applications could opt-out of access token expiry.
The ability to opt-out of expiring access tokens was deprecated in GitLab 14.3 and removed in 15.0. All existing integrations must be updated to support access token refresh.
2016: It should be 8 hours by default:
lib/gitlab/o_auth/session.rb mentions:
Rails.cache.write("gitlab:#{provider}:#{ticket}",
ticket, expires_in: Gitlab.config.omniauth.cas3.session_duration)
In gitlab.yml, you have:
# SSO maximum session duration in seconds. Defaults to CAS default of 8 hours.
# cas3:
# session_duration: 28800
2022: the Expiring access tokens documentation mentions:
no more opt-out of expiring access tokens since GitLab 15.0 (June 2022)
Access tokens expire in two hours which means that integrations that use them must support generating new access tokens at least every two hours.
I have two questions about token usage and their expiry:
1) about user's secret code for application
I need secret code to authenticate. When creating secret code in application it can be defined with expiration one or two years. My goal is application which user installs, sets up, and it can be 'forgotten'. But this expiration could mean that application will start failing after one year, is that correct? User will start to get token errors and he will have to re-setup the application again (generate new secret key and authenticate with it). Can I find out expiration from secret key, so I could set up a notification for user BEFORE it gets expired? I'd like to do that to avoid application stop working just suddenly.
2) client authentication is done in two steps:
one: app client id + client secret key + source + user authentication = code
two: app client id + client secret key + code = token + refresh token
I found that if I do step one and I want to perform step two later then 'code' from step one may be expired. I thought that 'code' does not expire, but I can't find any documentation about that. Is that correct, that step two should be done right after step one?
1) If that is a web service, you could use OAuth 2.0 Client Credentials Grant Flow . In consideration of security , I would suggest you could maintain/update the secret key periodically , the duration of the secret key could be one year or two years . If the secret key is compromised, a new one must be generated and all authorized apps will have to be updated with the new client secret.
2) You could click here for details about how to use OAuth 2.0 to authenticate. In Service-to-Service access token response, you will get the expires_in(How long the access token is valid) and expires_on(The time when the access token expires) information . You should write your code to anticipate the possibility that a granted token might no longer work and request a new one .
I just started using WSO2 IS version 5.0.0 with SP01 installed. I have configured a relying party and I am attempting to use the Open ID Connect/ Oauth 2.0 protocol in order to authenticate my users using a read-only LDAP.
The documentation states that we can control the expiry time of in the following XML configuration tags found in PRODUCT_HOME/repository/conf/identity.xml
<!-- Default validity period for Authorization Code in seconds -->
<AuthorizationCodeDefaultValidityPeriod>300</AuthorizationCodeDefaultValidityPeriod>
<!-- Default validity period for user access tokens in seconds (default: 3600) -->
<AccessTokenDefaultValidityPeriod>60</AccessTokenDefaultValidityPeriod>
<!-- Default validity period for application access tokens in seconds (default: 3600)-->
<UserAccessTokenDefaultValidityPeriod>60</UserAccessTokenDefaultValidityPeriod>
<!-- Validity period for refresh token -->
<RefreshTokenValidityPeriod>84600</RefreshTokenValidityPeriod>
<!-- Timestamp skew in seconds -->
<TimestampSkew>300</TimestampSkew>
<!-- Enable OAuth caching -->
<EnableOAuthCache>true</EnableOAuthCache>
I have set both the AccessTokenDefaultValidity and the UserAccessTokenValidity to be 60 instead of 3600 but it seems that the WSO2 IS application does not expire them in the time that is set.
Also I am using the PASSWORD grant type to create the Access Token.
To test this I am using a Java client written to contact the server and send the username and password. This works fine as it generates the access Token.
This is the response from the WSO2 IS server (minus the id_token for security):
{"scope":"openid","token_type":"bearer","expires_in":0,"refresh_token":"a3699846516d7c39c24fea76171bd41", "access_token":"88286cb21f3a9888945eb806f8abcef"}
I think the expires_in is wrong because it says 0 seconds, in otherwords my generated tokens should expire immediately. Based on my configuration I would expect it to say 60 seconds.
After waiting approximately 1+ minute, I can still use the access token to get my id_token and therefore the protected claims again, even though it should be expired as per the xml configuration.
Note: I am not using WSO2 IS APIM, this is only for the IS product.
Thanks for your time
Questions:
1) What's the best way to integrate OpenID Connect authentication into a webapp that uses Spring Security for authentication?
2) Is there any way - either from the MITREid side of things or the Google Accounts side of things - to get the MITREid OpenID Connect authentication filter to work with Google's OpenID Connect service?
I'm sure answers to these questions will be useful for any developer that uses the Spring Security OpenID module to authenticate with Google.
Detail:
My webapp uses Spring Security's OpenID module (<openid-login .../>) for authentication with Google Accounts as the Identity Provider. ie., users authenticate using their Google Apps or GMail email address.
Recently, whenever users authenticate, they receive this warning message from Google accounts:
Important notice: OpenID2 for Google accounts is going away on April
20, 2015.
So Google is dropping support for OpenID, will turn it off completely in April 2015, and states that you must switch to the OpenID Connect protocol if you want to authenticate with Google Accounts.
I was hoping Spring Security would have built-in support for OpenID Connect, just like it has built-in support for OpenID. e.g. something like an <openid-connect-login .../> element. But my searches have turned up no such support.
The best candidate I've found so far is MITREid Connect . It includes a Spring Security authentication filter named OIDCAuthenticationFilter for OpenID Connect. The problem is, it does not interoperate with Google's OpenID Connect implementation.
I tried cloning the MITREid simple-web-app and configured it to authenticate (using OpenID Connect) with Google Accounts. But it did not work because it depends on a nonce which Google's OpenID Connect implementation does not support. The error message from Google accounts was:
Parameter not allowed for this message type: nonce
Next I tried plugging my own implementation of MITREid's AuthRequestUrlBuilder interface into the MITREid configuration. The only difference between my implementation and MITREid's implementation was that I did not send the nonce.
Not sending the nonce made Google's OpenID Connect implementation happy but MITREid threw an exception when it couldn't find a nonce in the Google authentication response. The error message was:
Authentication Failed: ID token did not contain a nonce claim
I tracked the MITREid exception down to these lines in MITREID'S OIDCAuthenticationFilter:
// compare the nonce to our stored claim
String nonce = idClaims.getStringClaim("nonce");
if (Strings.isNullOrEmpty(nonce)) {
logger.error("ID token did not contain a nonce claim.");
throw new AuthenticationServiceException("ID token did not contain a nonce claim.");
}
But there is no way for me to extend MITREid's implementation to ignore the nonce. So close but yet so far! If Google Accounts would accept the nonce or MITREid could be configured to ignore the nonce then we'd have a solution.
Within the MITREid Connect issues list on github I've found others have run into these similar issues:
1) #726 - Documentation on using client with Google as authentication provider
2) #704 - Add a useNonce attribute into ServerConfiguration to indicate if the IdP accepts the nonce value into its requests.
So I am stuck. Come April 2015 Google will shutdown Open ID authentication.
Some relevant links:
1) https://support.google.com/accounts/answer/6135882
2) https://www.tbray.org/ongoing/When/201x/2014/03/01/OpenID-Connect
3) https://github.com/mitreid-connect
4) https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/blob/master/openid-connect-client/src/main/java/org/mitre/openid/connect/client/OIDCAuthenticationFilter.java
5) https://github.com/mitreid-connect/simple-web-app
6) https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/blob/master/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/PlainAuthRequestUrlBuilder.java
7) https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/issues/726
8) https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/pull/704
2015-02-18 Update
Functionality has recently been added to the development branch of mitreid-connect for disabling the nonce - therefore making Google's OIDC server happy. Thankfully, mitreid-connect has also provided some guidance on interoperating with Google .
Unfortunately the "nonceEnabled" change is not yet available in Maven central but hopefully that will change soon.
AFAIK, there is no clean and easy Spring Security migration from OpenID to OpenID Connect authentication. Implementing OpenID authentication with Spring Security is straight-forward using the well documented <openid-login/> but there exists no analog for OpenID Connect.
The MITREid alternative is still on a development branch and unavailable at Maven Central and therefore not a candidate.
In the comments, Chuck Mah points to How to implement Openid connect and Spring Security where Romain F. provides the sample code.
Romain's sample code pointed me in the right direction. Given time is running out, I went with romain's approach, which was to write a custom Spring Security AuthenticationFilter that uses spring-security-oauth2 to query the oauth2 api userinfo endpoint (for Google that's https://www.googleapis.com/oauth2/v2/userinfo). The assumption is that if we are able to successfully query the userinfo endpoint then the user has successfully authenticated so we can trust the information returned - eg the user's email address.
When i first started learning about OpenID Connect the “id token” seemed to be the central concept. However, browsing the spring-security-oauth2 source code, it appears to be ignored. This leads to the question, what’s the point of the ID token if we can authenticate without it (by simply querying oauth2 userinfo endpoint)?
A minimalist solution - which i would prefer - would simply return a validated ID token. There would be no need to query the userinfo endpoint. But no such solution exists in the form of a Spring Security authentication filter.
My webapp was not a spring-boot app like romain's. spring-boot does alot of configuration behind the scenes. Here are some of the problems/solutions I encountered along the way:
problem: HTTP Status 403 - Expected CSRF token not found. Has your session expired?
solution: java config: httpSecurity.csrf().disable()
problem: HTTP Status 500 - Error creating bean with name 'scopedTarget.googleOAuth2RestTemplate': Scope 'session' is not active for the current thread;
solution: java config: OAuth2RestTemplate does not need to be session scoped (OAuth2ClientContext is already session scoped and that's all that's necessary)
problem: HTTP Status 500 - Error creating bean with name 'scopedTarget.oauth2ClientContext': Scope 'session' is not active for the current thread;
solution: web.xml: add RequestContextListener
explanation: because the oauth2ClientContext session-scoped bean is accessed outside the scope of the Spring MVC DispatcherServlet (it is being accessed from OpenIdConnectAuthenticationFilter, which is part of the Spring Security filter chain).
<listener>
<listener-class>org.springframework.web.context.request.RequestContextListener</listener-class>
</listener>
problem: org.springframework.security.oauth2.client.resource.UserRedirectRequiredException: A redirect is required to get the users approval.
solution: web.xml: Add filter definition immediately PRECEEDING springSecurityFilterChain
<filter>
<filter-name>oauth2ClientContextFilter</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>oauth2ClientContextFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
Unfortunately, OpenID Connect does not allow us to request only email scope.
When our users authenticated using OpenID they would see a consent screen like "webapp would like to view your email address" with which they were comfortable. Now we must request scopes openid email resulting in a consent screen asking the user to share their entire public profile with us ... which we really don't need or want ... and users are less comfortable with this consent screen.