Can I use an OAuth token generated on the server at the client side?
If yes,
will it be secure to go like that?
I'm not completely sure I understand the question. But, in general, if you have the application token and the user token, you can use it anywhere. For instance, my application has a mobile registration or a web site registration.
Regardless of which one you do, the tokens are shared and can be used from either client.
An OAuth 2.0 access token can be used to access its resource on the client side (or anywhere) until it expires. That is what client-side applications are meant to do.
OK, the user authenticates and the client gets the JWT from my IS4 instance. All that works. Now, for reasons I still cry at night about after being tormented by people who authoritatively claim to know OAuth but do not, the client is sending me the identity token JWT over the wire to an action, and I need to do some work based on the subject in it. I want to minimize the fallout of this decision and prevent a situation where someone plants a fake token on me, so I want to validate the JWT to make sure it came from me, that indeed I am the one who issued it. To simplify, I need to act as both the client and the server in the token validation process, while running on the IS4.
Since this is such a violation of OAuth protocol, I am not sure this is supported out of the box, but here comes: is there a way to do this? I even tried to introspect the token, but that requires an authentication context, and I can't seem to get the client credential flow working since I only use openid/profile scopes and they are not supported by the client credential flow (since the user is defined only in JWT).
The receiver of a token should always validate the signature of the token to make sure it came from your IdentityServer. This is usually done automatically by most proper JWT libraries. The library will download the public key from your IdentityServer and use it to verify the signature of the token.
If you are using ASP.NET, then the JwtBearer library will do that for you.
In the OAuth / OpenID Authorization Code grant type flow,
we will call the OAuth service provider with client_id='..', redirect_uri='...', response_type='code', scope='...', state='...'.
Then from the OAuth service provider, we will get the authorization code instead of the token.
Q1. So what is the next step? Do we send the code to the back end where the token request will happen, or will we call the OAuth service provider from the browser itself?
Q2. Why do we need these additional calls? What problem is it solving?
Q3. After the token is received, how do we use it in a typical web application?
p.s.: I have read a lot of blogs, but I am unable to get the whole picture. Could you please help me?
Q1. In 2021 it is recommended to keep tokens out of the browser, so send the code to the back end, which will exchange it for tokens and issue secure SameSite HTTP Only cookies to the browser. The cookies can contain tokens if they are strongly encrypted.
Q2. The separation is to protect against browser attacks, where login redirects take place. An authorization code can only be used once but can potentially be intercepted by a 'man in the browser', e.g. some kind of plugin or malicious code. If this happens then the attacker cannot exchange it for tokens, since a code_verifier and client_secret are also needed.
Q3. The token is sent from the browser to APIs, but the browser cannot store tokens securely. So it is recommended to unpack tokens from cookies in a server side component, such as a reverse proxy. This limits the scope for tokens to be intercepted in the browser, and also deals well with token renewal, page reloads and multi tab browsing.
APPROACHES
The above type of solution can be implemented in two different ways:
Use a website based technology that does OAuth work and also serves web content
Use an SPA and implement OAuth work in an API driven manner
Unfortunately OAuth / OpenID in the browser is difficult. At Curity we have provided some resources based on the benefit of our experience, and we hope that this provides a 'whole picture' view of overall behaviour for modern browser based apps:
Code
Docs
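The back-end side of the flow described in Q1 and Q2 above, as an added example that is not part of the original answer or of Curity's resources: the server mints a PKCE code_verifier, builds the authorize redirect with the parameters listed in the question, checks the returned state on the callback, prepares the back-channel token request (code plus code_verifier plus client_secret) and issues the HttpOnly/SameSite cookie. All endpoint URLs, client ids and secrets are constructed placeholders, and the actual HTTP POST to the token endpoint is left out so the block runs offline.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for PKCE values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """32 random bytes give a 43-character verifier (RFC 7636 allows 43..128)."""
    return b64url(secrets.token_bytes(32))


def code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def authorize_url(authz_endpoint: str, client_id: str, redirect_uri: str,
                  scope: str, state: str, verifier: str) -> str:
    """Front-channel redirect: only the challenge leaves the server, never the verifier."""
    params = {
        "client_id": client_id, "redirect_uri": redirect_uri,
        "response_type": "code", "scope": scope, "state": state,
        "code_challenge": code_challenge(verifier), "code_challenge_method": "S256",
    }
    return f"{authz_endpoint}?{urlencode(params)}"


def callback_state_ok(stored_state: str, returned_state: str) -> bool:
    """Reject callbacks whose state does not match the one bound to this login attempt."""
    return hmac.compare_digest(stored_state.encode(), returned_state.encode())


def token_request_body(code: str, redirect_uri: str, client_id: str,
                       client_secret: str, verifier: str) -> dict:
    """Back-channel exchange: an intercepted code alone is useless without these."""
    return {"grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri, "client_id": client_id,
            "client_secret": client_secret, "code_verifier": verifier}


def session_cookie(name: str, value: str) -> str:
    """Set-Cookie value for the (encrypted) session the browser holds instead of tokens."""
    return f"{name}={value}; Path=/; Secure; HttpOnly; SameSite=Strict"
```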
An application A (me) needs to communicate with Application B and the communication needs to be secured using ADFS (OAuth2 Client credentials grant flow). Both A and B get their tokens using the same ADFS authentication server.
Reading the Microsoft documentation, it's pretty clear to me how my application A needs to get a token from the authentication server and send it to application B.
However, what I don't understand is how I can validate a token received by application B.
I also struggle to find examples showing endpoints and JSONs. Is there any resource I can double check?
Thanks!
To validate the JWT, look here.
Basically check issuer, aud, expiry, signature etc.
jwt.io has a bunch of libraries to do this.
A quick overview of the problem.
I have a client application that will use IDS to authorise access to a google service on behalf of the end user.
However, the client application isn't, itself, responsible for talking to Google. There is a server app that does some magic with the user's data on his behalf.
Now, if I understand things correctly, the server app will use the access token supplied by the client app to talk to Google. What happens when that access token expires? As I understand it, the client application is expected to use the refresh token to ask for a new access token.
Is there an issue with the server using this refresh token to update the access token? What flow am I supposed to use to make this magic happen?
A server using a refresh token to get a new access token is a valid use case.
If you're working with OAuth you can use the Client Credentials or Resource Owner flows to use refresh tokens, otherwise for OpenID Connect you'll need to use Authorization Code or Hybrid.
So I've got OpenID+OAuth hybrid working with DotNetOpenAuth when connecting to Google. It gives me back an authorized token, so I need to exchange it for an access token.
I seem to be coming in about midway through a normal OAuth workflow in DotNetOpenAuth. I also seem to be missing some things that DotNetOpenAuth wants, like the token secret and verifier. However, according to the graph here, I shouldn't need them.
Any ideas how to easily swap the auth token for an access token with DotNetOpenAuth?
Since you're talking about the OpenID+OAuth hybrid I expect you're writing a web app (as opposed to an installed app). DotNetOpenAuth should only be asking you for a verifier code if you're using the DesktopConsumer class, which is inappropriate for you. Use the WebConsumer class instead and the verifier will be taken care of for you. Swapping the request token for an access token will be automatic as you call the simple methods on WebConsumer, I hope.
As for the token secret, all token secrets are managed by your implementation of ITokenManager, which will save and retrieve token secrets on demand within your database.