Is there a configuration option in the WSO2 Identity server to define a set of customized claim values for the scope "openid" and to add the current token expiry in seconds. This counter named "expires" could be helpful to track and renew ageing tokens, before they move into an expired state. I currently see the following values returning from the "userinfo" query:
{"phone_number":"+55xxxxxxx","email":"xxxxxx#br.red.com","name":"xxxxx","xxxxxxxxx":"xxxxxxxxx","preferred_username":"xxxxxx","given_name":"xxxxx","country":"Brazil"}
Related
My web app checks for access token expiry from this header value "X-MS-TOKEN-AAD-EXPIRES-ON", and then it invokes the /.auth/refresh endpoint when the token expiry < DateTime.Now.
This has been working until now...
The problem now is that the "X-MS-TOKEN-AAD-..." headers are empty after expiry. Same with accessing the /.auth/me page which shows [].
Is there a change in Azure AD that would have caused this new behaviour?
I have two questions about token usage and their expiry:
1) about user's secret code for application
I need secret code to authenticate. When creating secret code in application it can be defined with expiration one or two years. My goal is application which user installs, sets up, and it can be 'forgotten'. But this expiration could mean that application will start failing after one year, is that correct? User will start to get token errors and he will have to re-setup the application again (generate new secret key and authenticate with it). Can I find out expiration from secret key, so I could set up a notification for user BEFORE it gets expired? I'd like to do that to avoid application stop working just suddenly.
2) client authentication is done in two steps:
one: app client id + client secret key + source + user authentication = code
two: app client id + client secret key + code = token + refresh token
I found that if I do step one and I want to perform step two later then 'code' from step one may be expired. I thought that 'code' does not expire, but I can't find any documentation about that. Is that correct, that step two should be done right after step one?
1) If that is a web service, you could use OAuth 2.0 Client Credentials Grant Flow . In consideration of security , I would suggest you could maintain/update the secret key periodically , the duration of the secret key could be one year or two years . If the secret key is compromised, a new one must be generated and all authorized apps will have to be updated with the new client secret.
2) You could click here for details about how to use OAuth 2.0 to authenticate. In Service-to-Service access token response, you will get the expires_in(How long the access token is valid) and expires_on(The time when the access token expires) information . You should write your code to anticipate the possibility that a granted token might no longer work and request a new one .
I've got an OAUTH2 Authentication Server which set a default TTL (3600s) for every new acccess_token.
But in my opinion the access_token TTL should be different for every Resource Server.
Like for a JavaScript Webinterface it should be 3600s, for an Android App it could be one month.
Who decides how long the access_token TTL should be?
Should the GET access_token request from the Client request a custom TTL?
Should the TTL for every Resource be defined in the Service Configuration (along with client_id, client_secret, App Description, ...) on the Authentication server?
The Authorization Server that issues the token is responsible for assigning an expiry time to it. There's no standardized authorization request parameter that the client can use to indicate the preferred TTL. The Authorization Server decides based on a policy that may be based on the client identifier and the associated/configured "permissions" or "trust", parameters available in the Authorization Request (e.g. scope) and other contextual data like HTTP request parameters, time of the day etc.
I'm currently working on an OpenId Server/Client for demonstration purposes and I struggle to understand the following specification.
http://openid.net/specs/openid-connect-core-1_0.html#ImplicitAuthRequest
1) The clientApp sends an request (ajax) to the serverApp in order to obtain a session id
2) The clientApp sends an authentication request (ajax) to the serverApp with
{
response_type : "id_token",
scope: "openid profile",
client_id: "clientApp",
redirect_uri : "clientAppAddress/redirecturi",
state: ???,
nonce: ???
}
There are no optional fields for grant_type, username and password (as in RFC6749: Access Token Request). How can I transmit the credentials?
Moreover I don't understand the concept behind "state" and "nonce". The specification says that nonce's value "needs to include per-session state and be unguessable to attackers. One method to achieve this for Web Server Clients is to store a cryptographically random value as an HttpOnly session cookie and use a cryptographic hash of the value as the nonce parameter.", whereas state is used to mitigate CSRF, XSRF "by cryptographically binding the value of this parameter with a browser cookie". Where is the difference between them and how do they increase security? I would use the hash-value of the sessionid (stored in http only cookie, and transmitted to the client in the first request) for both of them?
The actual method of authenticating the user, thus transporting credentials is not part of the OpenID Connect specification. The OpenID Connect specification merely tells you how to transport information about the authentication event and the user to a peer. The means of user authentication is independent of that.
The state parameter is there to correlate request and response and to share context between request and response. One of the things that you would typically associate with the state is the URL that the user is trying to access, so that after a successful authentication response you can redirect to that.
The nonce parameter is to prevent replay attacks since that value should be cached.
Together they are used to prevent Cross Site Request Forgery where an attacker got hold of the id_token and tries to use it against the RP to impersonate the user in the attacker's browser.
It would be better to use other values for state and nonce than directly derived from session_id since you may want to restart authentication from the same session and then nonce replay prevention would block you from reusing it (and distinguish between you and an attacker). Also state should be non-guessable, so not the same as previously used in the same session.
I have an ASP.Net MVC site secured with SSL and am using System.IdentityModel.Services and am creating the token like this:
SessionSecurityToken token = new SessionSecurityToken(myClaimsPrincipal, TimeSpan.FromDays(1));
SessionAuthenticationModule sam = FederatedAuthentication.SessionAuthenticationModule;
sam.WriteSessionTokenToCookie(token);
When I access the site in the browser, Firebug does not display the expiry date as expected. Instead the expiry date is shown as Session:
Can anyone explain why this is please? I assume that ASP.Net can still see the actual expiry date internally when it reads the cookie? More so, where is the cookie expiration time actually set?
You're mixing two different things here:
Token Expiration is determining until when the token is valid. After that time, even if the token is attached to a request, it is considered invalid and will not be honored. Usually the expiration time is encrypted within the token itself and that means that it's controlled solely by the token issuer.
Cookie Expiration is something that is controlled by the client (your Web-Browser in this case). Once the Cookie is expired it is no longer being attached to the request. But, should the Browser decide to send it, it will work until the Token expiration has reached.
In your particular case, the Token expiration is set to 1 day, but since the Cookie expiration is set to 'Session' it means that if you were to end the session (typically by closing your Browser window) at some point before the Token expires, the Cookie will not be sent and you'll be required to login again.
After 1 day (when the Token expires), even if you're still in session, you're always required to login again.
Update (as per your comments):
Ticket expiration and Cookie expiration can be set separately simply because sometimes the ticket is not necessarily contained in a Cookie. It may be sent to the server using other methods (QueryString, custom HTTP header etc). Yet, indeed the natural thing to do is have them both set to the same expiration time.
This is also the case in your SessionSecurityToken, if you'll set its IsPersistent flag to true you'll notice that Cookie expiration is now the same as the Ticket:
SessionSecurityToken token = new SessionSecurityToken(myClaimsPrincipal, TimeSpan.FromDays(1));
token.IsPersistent = true;