I'm trying to make Authorization Server with Spring-Authorization-Server.
To generate Authorization Code, I need to authenticate the user.
But I don't know how to authenticate User(without FormLogin).
How can I send credentials to server?
my opinion
generate opaque / jwk token in login api
redirect to /oauth2/authorize endpoint with token
if valid token, generate authentication token
Is there any other good way?
Or how other services send credentials?
Related
Using the old authorization server, the user request an opaque token using the Client credentials grant and then use it inside an Authorization Header when calling APIs. On our resource server, we would contact the authorization server to authenticate this token and retrieve client information.
On the new server, we have no problem generating this opaque token but I don't understand how we can authenticate this token ?
When calling the introspection endpoint, we have always an Unauthorized result due to using AnonymousAuthenticationToken: obviously since the user is already logged in, we don't ask him to give his client_id and client_secret for each call.
Is it possible to allow this behavior ?
Calling the introspection endpoint and having a success with the decrypted token metadata and not a 401.
I have a Spring Boot Rest Api with JWT integration. Currently from Postman, I make a POST request to authenticate endpoint, including username and password, and obtain an access token.
But can Azure AD be used along with JWT, instead of hardcoded user details ?
When you obtain token with username and password, that bases on Resource Owner Password Credentials flow. This flow requires a very high degree of trust in the application, and carries risks which are not present in other flows.
I'm not sure what you mean about Azure AD with JWT.
If you would like to obtain access token with a signed-in user(not hardcoded user details), auth code flow is better for you. You could also request an access token in Postman.
POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
client_id=xxx
&scope=https://graph.microsoft.com/mail.read
&code=<authorization_code from "/authorize" endpoint>
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&grant_type=authorization_code
If you would like to obtain access token without users, you could use client credentials flow. In the client credentials flow, permissions are granted directly to the application itself by an administrator, so you must use application permissions.
POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
client_id=xxx
&scope=https://graph.microsoft.com/.default
&client_secret=xxxx
&grant_type=client_credentials
We have an Angular SPA and Web API which is hosted in IIS - standalone server.
Our Web API uses user ID and password OAuth token authentication.
One of our client wants to use their Azure AD instead of our application's user id and password.
How to pass their AD token in our /token API call? Is there any easy way to implement this?
We can do this by two ways.
Approach 1# using ADAL.js in SPA
For SSO Clients
Get AD Token using ADAL, then pass it to /token with custom grant_type and decrypt AD token and generate your own token
Apporach 2# using SAML approach
For SSO Clients
Get SAML response, and pass it to /token with custom grant_type and decrypt SAML token with certificate you received from AD SSO then generate your own token
I am developing web API 2 services with authentication as bearer Token using oauth 2. I am not able to understand how authorization server create Token and revalidate that Token for subsequent request with that token. I also want to know that if I request token for same user name and password from different machine how server manage the token generation .
Regards
Does anyone know how to get the app access token to a One-Drive API app?
I've tried combining {appId}|{appSecret} as the access_token param and as the Authorization header but it doesn't seem to work.
Thanks,
The OneDrive API docs have a good section on getting auth tokens with OAuth. In a nutshell, there are two services involved -- the OneDrive API service and the authentication service. The OneDrive API only accepts OAuth tokens that were issued by the authentication service. The authentication service is what you talk to first to get an auth token.
Depending on your app, you can either use the token flow or the code flow to get an auth token. In the 'token' flow, you navigate the user's browser to the authentication endpoint with your appId. The user may need to log in, consent, etc., and then the authentication endpoint redirects back to your site with an auth token you can use. The 'code' flow is similar to the 'token' flow, except it redirects back with an authentication code that your client app can use (along with its client secret) to obtain an auth token and a refresh token. Once you have a refresh token, you can use that to obtain future auth tokens without the user's involvement (as long as they granted the wl.offline_access scope).