It may not be good to ask this question here, but even after doing a lot investigation I did not found which public api supports OAuth 2.0's "Resource Ownder Password Credential" flow.
We are building Generic REST client and want to know if there is real life example for this flow.
Thanks,
Rahul
Related
As far as I understand, applications that we can login with our different accounts use OpenID Connect(A profile of OAuth2.0).
OAuth is for Authorization and OIDC is for authentication(It has ID Token-User Info Endpoint).
So, was it not possible to login to an application from another application account using OAuth before OIDC? (If possible, how?)
If plain OAuth can't be used for authentication, what is/was it used for?
I mean what does it do with 'authorization' exactly?
What does it get from the resource service with the access token?
I have always found the jargon around this unhelpful so I understand your confusion. Here is a plain English summary:
OAuth 2.0
Before OIDC apps used OAuth 2.0 to get tokens, and this involved optional user consent. The process of getting tokens was termed 'delegation'.
In practical terms though all real world OAuth 2.0 providers also included authentication in order for their system to be secure. How authentication was done is not defined in OAuth specifications.
OAuth is primarily about protecting data, where scopes and claims are the mechanisms. These links provide further info:
IAM Primer
Scope Best Practices
Claims Best Practices
OIDC
This just adds some clearer definition around how authentication messages before and after authentication should work:
A client simply includes an openid scope to use OpenID Connect
A client may force a login during a redirect via a prompt=login parameter
A client may request an authentication method via an acr_values parameter
The client receives an ID token (assertion) once authentication is complete, can digitally verify it if required, then use the information in it (eg a user name)
OIDC still does not define how the actual authentication works though.
Use them together
Pretty much all OAuth secured apps (and libraries) these days use both together, so that the authentication and delegation both use standards based solutions. It gives you the best application features and design patterns for doing the security well.
I am creating new product. for that I have to use available security features. should I use Oauth2 or Json web token? which is better and in which situation these should be used?
I think you may find your answer in using org.apache.oltu.oauth2.
https://www.programcreek.com/java-api-examples/?api=org.apache.oltu.oauth2.client.request.OAuthClientRequest.AuthenticationRequestBuilder
You can see an implementation for oauth and openID here oauth server and resource server
Just to explain what they are,
oauth server creates the tokens
resource server uses that token and processes it to give you the requested data
You can also go through the following docs to understand what they mean and how to implement them,
sample implementation in java , oracle tutorial on the concept of tokens
If you want to do google API auth then you can go through this
I also found this stackoverflow link which is sort of similar question and has shared few of similar links. You should check that out as well.
I am novice to how oauth2 with JWT works But must to learn it in short time :) After reading bit I draw a conclusion abstract of its work as this.
now I have two question in my mind.
(1) Is my way of understanding of how OAth2 work is fine ?
(2) As far as I know after step 6 (diagram) no further request to authorization server. Then,anyone(intruder) know the token witch given by auth server can communicate to the web API and obtain unauthorized access.how does is not possible.
(I know that token not alter by intruder since then web api new that but without altering it still intruder can communicate to web api)
I know I have miss something please kindly show me where I have missed ?
You have to take security measures to protect your token from being stolen. This is no different than preventing session-id from being stolen in session based authentication.
Anyone with access to a valid token is by definition an authenticated user, no matter how the token was retrieved.
Whether your web API communicates with the authentication system directly is not relevant.
I am trying to understand in what scenarios I should be using oauth. From reading the spec, I understand that you are essentially delegating identification to a 3rd party.
So if we take the example stackoverflow's login page you get
Oauth2 is being used for google and facebook, how do I determine what stackoverflow is using (when entering username and password directly)? Would that also be oauth 2? If it is using oauth, how would I go about understanding which flow they use?
Your question is a little unclear but what I think you're asking is if SO or some other site uses oAuth for all their authentication schemes. They could. If they using oAuth with user password authentication when you authenticate, the response you get back should have an Authorization Token and a Refresh Token in it that you would then use to authenticate on each successive request. Hope this helps. oAuth isn't a technology it's a protocol on how to do authentication in a better way.
See what is the request URL when you click to log in with gmail...
https://accounts.google.com/ServiceLogin?passive=1209600&continue=https://accounts.google.com/o/oauth2/auth?client_id%3D717762328687-p17pldm5fteklla3nplbss3ai9slta0a.apps.googleusercontent.com%26scope%3Dprofile%2Bemail%26redirect_uri%3Dhttps://stackauth.com/auth/oauth2/google%26state%3D%257B%2522sid%2522:1,%2522st%2522:%2522e35d652c26ae7fad9b61f6176cc93f2eb9bbb240c32231bc95f8270176d7a5d5%2522,%2522ses%2522:%252291fdf487240d4fa38576f780ad448f55%2522%257D%26response_type%3Dcode%26from_login%3D1%26as%3D-8520e47ae71bbb4&oauth=1&sarp=1&scc=1#identifier
Does that auth2 means oauth 2 ? I think so
UPD: As I understand OAuth mechanism is supported by 3-rd part. SO could use their own oauth for direct enter, or standard auttentication. It is up to SO.
To keep it short and easy:
If you want to add authentication to your application and you want to leave some security heavilifting to big companies like Facebook, Google and Stackoverflow it is generally a good idea if you do not know precisely how to handle such a delicate task and/or you are not using a specific Auth tool / framework.
On the other hand, from the user perspective, the application will be far more user friendly (just one click authorization instead of a painful registration).
If you want a much more detailed technical explanation I suggest you to read this other Stackoverflow post:
OAuth 2.0: Benefits and use cases — why?
Does OpenId support a two way exchange of tokens at any place in the spec? Specifically allowing both parties to share tokens with each other in some way so they can share services with each other?
I've looked through the spec, but can't see anything detailing any scenarios like this.
An app I'm working on has integrated itself with a trusted OpenId provider, we'll call Acme.
We'd also like to provide access tokens and refresh tokens to Acme, as they'd like to access features of our service as well.
It seems natural that during our interactions to get tokens from Acme, that we'd like to expose tokens to them.
Is this part of the spec in any way? Or is the only way to do this is to become a full identity provider ourselves?
You could include the tokens as part of a request object, see: http://openid.net/specs/openid-connect-core-1_0.html#RequestObject but that would depend on a pair-wise agreement with Acme since they'd need to handle the non-standaridzed request object contents.
The best way forward is to become a provider yourself so you can leverage all the features of the various flows without being dependent on a pair-wise agreement and accompanying implementation.
It sounds like you're confusing OpenID Connect and plain OAuth2 to some extent.
OpenID Connect is a specification for identifying end users to a client application, based on their authentication at the OpenID Provider. It's not clear from your question whether end users are even part of the picture, so even plain OAuth2 may not be relevant (unless you are just using the "client credentials" grant).
Neither spec says anything about mutual exchange of tokens. It would probably help if you describe the interactions you anticipate in more detail and which grants you expect to use. Who will authenticate to your identity provider and what would be a typical client application?