I am trying to implement LinkedIn OAuth2 via Javascript. However, unlike other networks who have oauth2.0, I cant find a way to get implicit grant here.
Is there a way to do it like done with Yahoo and Outlook.com? Or I must always first get Code, then token as mentioned here (https://developer.linkedin.com/documents/authentication)?
Thanks.
According to Andrew Dodson (author of the hello.js library for OAuth communication - hence IMO an authority on the subject)
LinkedIn only support the explicit flow at present.
(as of 2014).
More details here and here
Related
after trial and error it seems to me that Google OIDC does not support the code flow without supplying the client secret:
https://developers.google.com/identity/protocols/oauth2/native-app#exchange-authorization-code
According to the latest best practices for SPAs (https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-13), code flow + PKCE is the recommended way to handle authentication. Is anyone aware of any trick required to make Google's code flow accept the code_challenge rather than the client_secret? Perhaps a dummy secret?
As of August 2020 the best practices document cited is still in draft and being activly updated - head revision here: https://datatracker.ietf.org/doc/draft-ietf-oauth-security-topics/. Googles' OAuth2 implementation has not yet applied the "work in progress" recomendation of PKCE being applied to web applications. SPAs are still directed to use the implicit flow in Googles' online documentation: https://developers.google.com/identity/protocols/oauth2/javascript-implicit-flow).
The standard for PKCE (https://www.rfc-editor.org/rfc/rfc7636) details that it was developed as a mitigation for authorisation code interception attacks found on mobile platforms and was originally recommended for implementation by native clients. Google's documentation for "Mobile and Desktop apps" does direct developers to use a PKCE Authorization Code flow. Clients using Google Android, iOS or windows store credential types with PKCE may omit the client_secret (see the note on the refresh token parameter table - and confirmed by Cristiano).
It is now recognised that PKCE eliminates the need for any public clients to store a client secret, and as such can be used to deprecate the implicit flow which always had the flaw of including returned access and identity tokens in a redirect URI. https://developer.okta.com/blog/2019/05/01/is-the-oauth-implicit-flow-dead.
The draft IETF document states in section 2.1.1 that this recognition is likely to become a published standard.
Hopefully Google will update its implementation to remove the requirement for a client_secret for a PKCE token request when the best practices becomes accepted. In the meantime it seems we have no choice but to continue writing SPAs using the implicit flow.
A good alternative IMHO consists in using Keycloak as IDP and then adding Google to the delegate identity providers of your Keycloak instance (and then Facebook and then any other idp if required). Keycloak implements the PKCE flow or whatever flow in the Oauth 2 RFCs in a reliable way. That means you need a hosted instance of Keycloak though.
Well, I'm using openId Connect authorization code with pkce without using client_secret in an android app using this lib: https://github.com/openid/AppAuth-Android.
I just had to ensure that the custom scheme was set using the app's package name from the manifest and use it to register the android credential on google console.
I have successfully enabled a plugin to work with Azure AD . And based on the documentation I can find, Twilio encourages the idea that if you wanted to communicate from React JS app to custom APIs , then you can do so. The problem I see is that Twilio sort of ignores the fact that when communicating to those APIs from the client app, authentication must be in place between custom apis and react plugin app
How are people unifying the authentication between the Auth that takes place at the UI later and subsequent requests that are mare to backend apis? Can we reuse the token?
Within the https://www.twilio.com/console/flex/users/single-sign-on I see
Does this mean OAuth support is coming? Where can I post this question to increase the likelyhood of receiving some indicators as to which protocols are going to be supported in the near future? If twilio flex team is in fact working on adding OAuth support, I would imagine it would only benefit them to let the community know, especially those with existing microservices and OAuth based flow already preconfigured.
Ive added a issue here hopefully to get some response on this question.
https://github.com/twilio/twilio-flex-token-validator/issues/13
Twilio developer evangelist here.
This is related to the SSO tokens used within Twilio Flex.
You can re-use the token to authenticate your plugin. To do so, you'll need to validate the token from your plugin. You can do this by sending the token to the https://iam.twilio.com/v1/Accounts/{AccountSid}/Tokens/validate endpoint.
This endpoint is currently undocumented and not available within the Twilio helper libraries, which is why you have found it hard to find guidance on this, but here's how you use it.
You need to make an authenticated POST request, using your account sid and auth token (or an API key and secret) to the URL: https://iam.twilio.com/v1/Accounts/{AccountSid}/Tokens/validate
The body of the request should be JSON and contain one key, token, with the value of your SSO token.
The result will be in JSON and if the token is valid will have a key of valid set to true. If it is not, there will be a message field you can read to find more information.
If you are using Node.js, you are in luck as there is a module you can install to do all of this for you; the twilio-flex-token-validator. For more detail on making calls to the validation endpoint, you can check the source code of twilio-flex-token-validator. There is also a tutorial on how to make calls to plugins from Flex that gets to securing the plugin about halfway through.
Sorry it took all of this to get to this answer and it's not the greatest answer. Please let me know if this helps and how you get on.
Wonder if someone can clarify this for me
I'm using ADAL js to log in an angular7 application via the implicit flow.
This works by sending the response_type=id_token
What happens with this response type is that the Authorization endpoint is hit and I should get back an ID token
However I appear to be getting a bearer token back, Azure microsoft login redirects me to http://localhost:4200/#access_token=xxxxxxxx&token_type=Bearer
What I was expecting was this token returned would be an ID Token not a bearer token, it does behave correctly like a Bearer token when I call the back end APIs.
ADAL.js doesn't appear to let me request "id_token token", which is the following:
I'm sorry I started reading the spec as it's confused my understanding of an application that's working, but i'd certainly appreciate if someone could shed a little light on what azure actually does with it's implicit flow, it only mentions id_token in the docs and make no reference to 'id_token token' response type
if anything, Azure AD appears to be more inline with reponse_type=token
tnx in advance,
Brian
Azure AD V2.0 Endpoint
Microsoft Docs: v2.0 Protocols - SPAs using the implicit flow
It clearly mentions that for OpenId Connect,
request must include response_type=id_token (which you're already sending)
scope=openid which was probably missing and got resolved after implementing the flow using MSAL library (as described by #brianbruff in comments).
Also, Allow Implicit Flow should be enabled for App registration.
Sample request from docs
// Line breaks for legibility only
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&response_type=id_token
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&scope=openid
&response_mode=fragment
&state=12345
&nonce=678910
Azure AD V1.0 Endpoint
Microsoft Docs: Understanding the OAuth2 implicit grant flow in Azure Active Directory (AD)
Even here, documentation clearly says that id_token can be obtained when using OpenID Connect.
I must say though, that I am not completely sure on recommended/correct implementation to get id_token in case of implicit grant flow with v1.0 yet. (At least #brianbruff is able to use v2.0 and resolve his problem.)
I see that another Microsoft Docs link for OpenID connect with v1.0 (but not Implicit grant flow) mentions the usage of scope=openid. Although, right at the bottom of this page I see open issues where users contradict the documentation in some way and have given feedback specifically for Implicit Grant flow.
Issue 17140
Issue 19382
Many of OAuth providers host "userInfo" pages which are used by clients to fetch display names and identifiers etc. This endpoint is hit after code generation and exchange for a token. Spring boot requires this endpoint when configuring an OAuth client. For example
Google: https://www.googleapis.com/oauth2/v1/userinfo
Facebook: https://graph.facebook.com/me
I want to implement this for our own OAuth provider. Implementing it is not a problem, but I need to define what I'm implementing. I've looked all over and read a ton of specs but cannot find where this behaviour is described.
Does anyone know what specification this is part of?
Google conforms to OpenID Connect: http://openid.net/specs/openid-connect-core-1_0.html#UserInfo Facebook doesn't conform to any open specification, they're doing their own thing; it just happens to look similar.
Greetings!
I have some troubles enabling OAuth authentication for my web
application running on Ruby on Rails. I am using authlogic and
authlogic_oauth and that is, in the end, using OAuth gem and therefore
I decided to ask here. So shortly:
I succesfully "register" (i.e. obtain the first Access Token for the
user) but then, whenever I try to "login", I receive a differenct
access token for the same Google Account, the Authlogic-oauth plugin
fails to find the user and the login crashes. Maybe I don't understand
it right but is not the AT supposed to be the same every time. And can
it be a problem that I am accessing Google from http://localhost even
though the Customer keys are for different domain?
anyway, thanks for any reply ... I spend already 2 days with that
issue and debugging doesn't seems to lead me anywhere
Jakub
PS: I sent that question on Google Group oauth-ruby - sorry to anyone reading both channels
The AT is supposed to be different every time. OAuth is not an authentication protocol, it is an authorization delegation protocol. Try using OpenID instead: http://code.google.com/apis/accounts/docs/OpenID.html
Twitter does not give out different tokens which allows OAuth to be used as an authentication mechanism. LinkedIn doesn't do that meaning you may only use OAuth as an authorization protocol (which is what it was intended to do).
However, there is a useful API for pulling in data from LinkedIn. Of particular interest could be the Profile API.