Implementing OAuth for Desktop application - oauth

For a desktop application, how can I get the access token by participating directly in the OAuth flows.
I don't want the user to go through browser and provide me the access token.
Secondly, how can I know what are the users the application is authorized by
and how the application can know if it is authorized by somebody and what is the access token for the same ?

"how can I get the access token by participating directly in the OAuth flows."
By storing a refresh token in your server
Secondly, how can I know what are the users the application is authorized by
The user can only authorize your app with your app's involvement. So you simply need to store a each authed user in a list
and how the application can know if it is authorized by somebody and what is the access token for the same ?
By attempting to do an auth with force-approval = false; If he is authed, you'll get an access token. If he isn't, he'll be prompted for auth.

Related

How to revoke access/refresh token on microsoft graph API

I have integrated microsoft teams in my project where a user can give us access to create meetings on teams on his/her behalf. But now I want to give the user a option to disconnect his/her account i.e. we will no longer be able to create meetings on user's behalf.
I am facing few problems in this flow:
I am unable to find an API where I can send request on user's behalf
to invalidate a access/refresh token.
If I remove the token stored at my end and then user again tries to connect their Microsoft account with our website it no longer asks for user's consent(which is basic requirement for OAuth) to give access to our app(if user is logged in Microsoft account on the browser he/she do not see the consent page and account is directly connected with our website and we get the refresh/access token).
Can someone help me on this?
At the end all what I want is when user tries again to connect his/her Microsoft account with our app he/she see the consent page(every time he tries to connect account) and then user clicks the allow button which will give us access and refresh token.
If the user has granted access to the application, Azure AD will issue an access token and a refresh token for the resource.
The lifetime of the access token is usually about 1 hour. During its lifetime, even if the application is deleted, it is still available, but you will not be able to use the refresh token to obtain the access token again.
1)To invalidate access token on users behalf, Refer this DOC.
2)For fetching the access token using the refresh token please refer this DOC.
Hope this helpful.
An alternative solution for prompting the user to the consent page is just simply appending the prompt="consent" in the OAuth2 URI prameters:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?response_type=code&client_id=xxx&redirect_uri=xxx&scope=xxx&state=xxx&access_type=offline&prompt=consent
_____↑↑↑↑↑↑
Here you can find the documentation about the parameters.

Multiple Applications SSO oauth2

I am trying to figure out how to perform single sign on with OAUTH2 on two different applications. Currently according to my understanding I can use the Authentication Provider in order to authenticate my clients. The procedure is the following:
The client is redirected to the Authentication Provider
Then the client is loggedin and has the code
The client provides the code to my application
The server uses the code in order to retrieve the access token.
Using the access token my server uses the remote API to retrieve information
Now I have a second application in a different backend (PHP) that I want to inform that the user is already loged in via the OAUTH. My naive solution is to provide the access token of the first application to the second application in order to perform the authentication. However, I understand that I am not allowed to share the access tokens between apps.
Every backend service should validate the access token via introspection. The only introspection guarantees that the token is valid, not expired or revoked.
So you have to pass the access token to the Backend service. To secure that you can use HTTPS API.
You are correct regarding not sharing the access token. The Authentication Provider should also allow creating an ID token. You would configure your second application with the authentication provider and get a client id. Both the client id and ID token are required to sign in the second app which will generate it's access token.
What grant type are you using?
Both apps need to redirect the user:
In the first app the user will authenticate and the app will get an access token scoped to that app.
In the second app the user will be automatically signed in without needing to reauthenticate. The app will then get a separate access token, generally with different privileges to that of the first app.
This is standard SSO behaviour and it is best to accept it. Usability is pretty good. Trying to share tokens is not advised unless you have advanced requirements.

How to protect an API using Azure Active Directory, App Registrations and Enterprise Applications

I have an backend API in an Azure Website that I like to protect using Azure AD.
As I understand it I'll first do an App Registration, use information registration as part of the sign in to get a token back to the client.
I can then send that token to the API and validate the token in the backend API to verify it.
But don't that token give access to all resources in the subscription? How to I restrict the App Registration to only be allowed to access that specific API? And not also another API in the subscription?
I also like to have a set of users that are allowed to access the API. If I'll just allow everyone to log in using the App Registration, everyone that's in my AD will receive a token back?
Can I somehow use a Enterprise Application to restrict access to the API only and only allow a set of users?
Or is there another way of doing this?
But don't that token give access to all resources in the subscription? How to I restrict the App Registration to only be allowed to access that specific API? And not also another API in the subscription?
A token only gives access to the API identified by the audience (aud) claim in the token.
Nothing more.
So if your client app asks for an access token to your API, that token is only valid on that API.
I also like to have a set of users that are allowed to access the API. If I'll just allow everyone to log in using the App Registration, everyone that's in my AD will receive a token back?
Can I somehow use a Enterprise Application to restrict access to the API only and only allow a set of users?
Yes.
You can find the enterprise app (service principal) for the API, enable Require user assignment, and then assign the users/groups you want to have access to the API from Users/Groups tab of the enterprise app.
Access token acquisition will then fail for users who are not assigned.
If you are using the same app registration for both the client and API, then you have to remember that you should acquire an access token regardless to call the API.
Don't use the id token.
Also in that case, a user who is not assigned to the app will fail login.

Getting an Access Token for back-end server use

I need to get an access token for my server to user without a user having to authenticate.
I do this for DropBox and want to do it for OneDrive.
I have a service that needs to save files in its own OneDrive acct and then also copy some files to users' accts.
For the user we will authenticate with either the Token or Code flow. However, for the server I just want to have access token. In DropBox you get the access token on the App Settings page, but I can't figure out how to do it for Graph
Assuming you're talking about OneDrive Business, it sounds like you want to get an app-only token. Such a token will require a tenant administrator to consent, but after that it can access the service without any user.
If you're talking about OneDrive Personal the scenario isn't possible - all tokens are required to have app and user claims, and therefore require to sign in.

Rails: obtain user access token usign facebook app without logging user

Situation description:
I need to dynamically download reviews from an Facebook page to display them on my site. For testing purposes I'm using a page access token generated from the user (page admin) access token (using Graph API Explorer). Unfortunately this token is short lived.
As stated in the Graph API documentation (https://developers.facebook.com/docs/facebook-login/access-tokens) to obtain long lived page access token I need to use long lived user access token. To obtain long lived user access token I need to post a request using short lived user access token and my FB app credentials.
To automate the whole process for the admin of my site I want to obtain his user access token and then process it in the way to obtain a long lived page access token (I created an app specifically for this use).
My question is: how can I make a call that asks a user for permission to 'manage_pages' and returns short lived user access token? I don't want it to have anything to do with my site registration and login process, I'm not using Oauth, I'm not logging users via Facebook. I want user to type his FB credentials, grant my app his 'manage_pages' permission and that's it. I'd like it to be as similar to 'Get Access Token' feature in Graph API Explorer (https://developers.facebook.com/tools/explorer).

Resources