I want add self grant type in spring-authorization-server now days, but I found most solution is unser spring security, so sad about it, and other direction is generate access token directly in my self auth flow.
If you know how to customize grant type or genrate acess token directly, let me know, thanks a lot
Generate access token directly or the method of add grant type in spring-authorization-server
Related
I'm creating an API server which will be consumed by a mobile app that I will work on later. I have yet to see any reference of API best practices related to user flow and returned data even after searching for several hours.
My question is whether the login response of an API should return the a personal access token with the refresh token along with the user info? Or should I just return the token and make another API call for getting the user info.
I could just do what I have in mind but I'm trying to learn the best practices so that I don't have to adjust a lot of things later.
I need suggestions as well as good references related to my question.
Thank you.
It depends on what you are using for your authentication. If you are using libraries like Laravel Passport or JWT, you can have the token endpoint which returns the access token, refresh token, validity period and the token type (Bearer). You can then have an authenticated endpoint which will be used to get a user's profile based of the token passed in the request header.
However, if you go through the documentation for those libraries, in most there is an allowance to manually generate a token. You can use this in a custom endpoint that will return the token as well as the user profile Passport Manually Generate Token.
If you are using JWT, you can also embed a few user properties in the token itself. The client can the get the profile info from the JWT itself without having to make a round trip to the server. Passport ADD Profile to JWT
If you have a custom way in which you are handling authentication, you can pass the token as well as the user profile in the same response.
In the end, it's up to you to decide what suits you best.
Have you looked at OpenID Connect? It's another layer on top of OAuth 2.0 and provides user authentication (OAuth 2.0 does not cover authentication, it just assumes it happens) and ways to find information about the current user.
It has the concept of an ID_token, in addition to the OAuth access token, and also provides a /userinfo endpoint to retrieve information about the user.
You could put user information in your access token, but security best practice is to NOT allow your access token to be accessible from JavaScript (i.e. use HTTP_ONLY cookies to store your access token).
I am using the access token to play my private videos in my android app and for that, I am created an access token.
But It says,
The OAuth Playground will automatically revoke refresh tokens after 24h. You can avoid this by specifying your own application OAuth credentials using the Configuration panel
I tried to add my own client secrets and ID and after creating a new token, it still displays the same NOTE.
How can I create a permanent access token that will not expire?
I tried to change available parameters like Access Type Online, Offline, and still shows same NOTE.
Google apis generally do not let you get a permanent access token
Access tokens have limited lifetimes. If your application needs access to a Google API beyond the lifetime of a single access token, it can obtain a refresh token. A refresh token allows your application to obtain new access tokens.
Generate an offline refresh token to use and get a short lived access token
This is part of the Oauth2 standard
I would like to assign a scope that is equal to user's id_groups field with every token generated by Password Grant Client.
I know that I can generate custom tokens by using Personal Access Tokens, but what about Password Grant Client?
I used token created event (built in passport) to update the scope after creation. Dirty but working solution
I am targetting to secure my REST APIs by custom OAuth Authorization server of my own (NOT google, facebook etc.) by using Resource Owner Password Credentials Grant. The user would pass the credentials over SSL and would get back the Access Token and Refresh token. I followed this tutorial - http://www.beingjavaguys.com/2014/10/spring-security-oauth2-integration.html
However, I have few questions -
1- Is it good approach at the first place.
2- User credentials in that tutorial are passed as query parameter.
It's not the advisable approach. How can I make it a POST request.
3- I want to store credential information in Database and implement
custom authentication by validating the username/password from DB.
(As opposed to the approach in above tutorial in which the
credentials are stored in the file)
Please provide your insight. Thanks!
1) IMHO , I think use Authorization grant instead of resource owner password grant. Which do the same , and more secure then the resource owner password grant.
2) I think you can follow this tutorial to make authentication from DB.
I am trying to create the smsession without giving the password. Can I do that by just passing the user id and any other user information of the user but not password and create the smsession?
No. Siteminder uses full credentials to create the smsession.
Raj, You can do that by creating a custom authentication scheme in Java. In code you can always return for authentication so SiteMinder will create a session.
I'm not sure what your overall use case is but the IWA Authentication Scheme will let you do perform attribute based authentication. Using the SM SDK, CoreBlox [Note: I work for CoreBlox] has written a Token Service which exposes a RESTful API interface for SiteMinder that allows for this type of integration. You can find out more about it here -- https://www.coreblox.com/products/coreblox-token-service/