I googled this question for several days but couldn't find good resources for it.
I want to get the list of roles assigned to ORDS_PUBLIC_USER after a client has authorized with the OAuth2 method (with client_id and secret_key) to call services. How do I do that? And my other question is how to get which client_id (authorized) is calling services now?
Thanks in advance.
When a new OAuth token is requested, a row is added to the table ORDS_METADATA.SEC_SESSIONS with that token's information.
In the definition of your REST API, you should be able to get the OAuth token using UTL_HTTP.GET_HEADER and look up that token's information in the table. The STATE column of ORDS_METADATA.SEC_SESSIONS contains JSON that has information about what that token has access to which includes the roles that this token has access to.
You can then use the USERID column of the ORDS_METADATA.SEC_SESSIONS table to match to the CLIENT_ID column of the ORDS_METADATA.OAUTH_CLIENTS or USER_ORDS_CLIENTS table/view to find the OAuth client that the token is associated with.
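An added example of the lookup described in this answer (it is not code from the answer or from ORDS itself): given the bearer value taken from the request, join the session row to its OAuth client and pull the roles out of the STATE JSON. Two things are assumptions, not facts from the answer: that SEC_SESSIONS has a column (called TOKEN here) holding the bearer value, and that the STATE JSON carries the roles in a top-level array named "roles". Check both against your own ORDS_METADATA schema before using this.

```sql
-- Added example: resolve an ORDS bearer token to its OAuth client and roles.
-- Assumptions (not confirmed by the answer): SEC_SESSIONS has a TOKEN column
-- with the bearer value, and STATE is a JSON document with a "roles" array.
-- Verify both in your ORDS_METADATA schema first; column names may differ.
SELECT s.userid   AS session_userid,   -- matches OAUTH_CLIENTS.CLIENT_ID
       c.client_id,
       r.role_name
FROM   ords_metadata.sec_sessions s
       JOIN ords_metadata.oauth_clients c
         ON c.client_id = s.userid
       CROSS JOIN JSON_TABLE(
           s.state, '$.roles[*]'                    -- assumed JSON path
           COLUMNS (role_name VARCHAR2(128) PATH '$')
       ) r
WHERE  s.token = :bearer_token;   -- bind the value from the Authorization header
```

If STATE nests the roles differently, only the JSON_TABLE path and column need to change; the join on USERID = CLIENT_ID is the part the answer itself states.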
Related
I'm doing some discovery with NetSuite but am struggling to find a way to get the currently logged in user's NetSuite access or id token.
Use case is I want to call an external API (that I'm creating) from SuiteScript. I have decided to use the https module in a User Event Script when a record is created. I want to include the NetSuite access or id token in the Authorization header with this request.
I understand that I can use NetSuite as an OIDC provider which means I can access the public keys for my account via JWKS URL and validate the NetSuite token, verify user role etc. and permit the operation. Therefore securing my external API.
Is this possible?
You can get data on the current user by using the N/runtime module.
TypeScript import and examples of use
Before adding: yes, it works when I give the entire URL like http://localhost:8080/onedrive/oauth2/success/1 in the list of URIs in Azure. I am using the code flow to authorize these tokens.
But as per the docs, it should work with me just mentioning the domain name there, like http://localhost:8080, which it doesn't.
I want to do something like send the user id along with every request so I can keep track of which user I should link this access token to, and have no idea how to do so if this issue is there. My current application logic is: when my application sends the user details and calls my Spring API, I want to handle all this transfer of tokens on the server side, so I want to transfer this userId as my path variable. How do I go about doing this? Has anyone done this? Can they explain any other solution to me?
You can't add custom details to OAuth redirects, and it is best practice to always register the full redirect URI.
In terms of tracking the user, after login the token has a user id, and you can also get fields such as user name and email, so both the UI and the API will know which user each token is for. I can provide further details on the mechanics if needed.
The user id in a token is often a generated value, whereas the user id you want to use in API path segments is maybe a user id from your app's back-end database; if so, you will need to map between token details and database details.
If you provide the redirect URI as http://localhost:8080/ then it means you are handling the API response at the / endpoint and not at /onedrive/oauth2/success/1.
To get to know the user to whom you are linking, a few ideas you can use are:
1) Use security to obtain the logged-in user's credentials (e.g. the Principal if you're using Spring Security in Java)
2) After successful authentication, use the user id you have, send one more request to the backend, and store it in the database with the user id as the key
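An added example (not from either answer above, and not Spring's own code) that combines idea 1 with the mapping point from the earlier answer: the UI receives the Azure redirect at the one fully registered URI, then calls the Spring API with the authorization code and its own bearer token; the API takes the user from the validated token's subject claim, maps it to the application's database id, and stores the OneDrive tokens under that id. Nothing user-identifying is put in the redirect URI or in a client-controlled path segment. UserAccountRepository, OneDriveTokenClient, OneDriveTokenStore and their methods are hypothetical placeholders for your own persistence and HTTP client code.

```java
import java.util.Optional;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

// Hypothetical application types standing in for your own persistence layer
// and OneDrive client; they are not part of Spring or of the original answers.
record UserAccount(long id, String subject) {}

record OneDriveTokens(String accessToken, String refreshToken) {}

interface UserAccountRepository {
    // Maps the identity provider's "sub" claim to the app's own user row.
    Optional<UserAccount> findBySubject(String subject);
}

interface OneDriveTokenClient {
    // Redeems the code at the token endpoint using the single redirect URI
    // registered in Azure (the same fixed value the UI was redirected to).
    OneDriveTokens exchange(String authorizationCode);
}

interface OneDriveTokenStore {
    void save(long userId, OneDriveTokens tokens);
}

@RestController
public class OneDriveLinkController {
    private final UserAccountRepository accounts;
    private final OneDriveTokenClient client;
    private final OneDriveTokenStore store;

    public OneDriveLinkController(UserAccountRepository accounts,
                                  OneDriveTokenClient client,
                                  OneDriveTokenStore store) {
        this.accounts = accounts;
        this.client = client;
        this.store = store;
    }

    // Called by the UI after Azure redirected it to the registered URI. The
    // caller's identity comes from the app's validated bearer token, not from
    // a path variable, so one user cannot link a OneDrive token to another
    // user's account by editing the URL.
    @PostMapping("/api/onedrive/link")
    public String link(@RequestParam("code") String code,
                       @AuthenticationPrincipal Jwt jwt) {
        String subject = jwt.getSubject();   // generated by the IdP, not a DB id
        UserAccount account = accounts.findBySubject(subject)
            .orElseThrow(() -> new IllegalStateException("no account for subject " + subject));

        OneDriveTokens tokens = client.exchange(code);
        store.save(account.id(), tokens);    // keyed by the app's own user id
        return "linked";
    }
}
```

The subject-to-account lookup is the mapping step the first answer mentions; if your IdP issues a stable id under a different claim than "sub", read that claim instead, but still never trust a user id supplied by the client.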
I am struggling a little with how I should implement user authentication management in Ember JS. I would like to start with a very basic implementation.
# database table
users
-----
username, password, token
When the user attempts to sign in, they would provide credentials (username, password). The API which is requested should return a token, and this token (in a header) should be used in every subsequent HTTP request.
A couple of questions here:
Where do I store the "token"? Is there local store management?
I know I could use this.get('store'), although this ties in with the "api server data source" as well.
Any direction would be appreciated!
Thanks!
When we build ASP.NET Web API endpoints, we can protect them using the [Authorize] attribute, and we can use a bearer token to authenticate the request and call the endpoint.
My question is about authorization and how we can better grant access to resources once authentication has succeeded.
For example, if there is an endpoint api/contracts/details and I want to restrict access to it to specific people; I am talking about SQL table fields (object properties) or even the whole table. How can this be achieved?
I have a feeling that roles are not the best option here. Any advice?
or
After a user registers, he can generate a client_id and client_secret that he must present when requesting the bearer token. I can add the client_id as a claim within the token.
In the database I have tables like this:
User (user details)
Client (client_id, client_secret ... etc)
RefreshToken (refresh_token, protected ticket)
I can create another table called Access where I specify all the allowed endpoints (Client table -> Access table, one-to-many relation).
Access Table:
api/user
api/devices
api/products
Then I can create a message handler and inspect all the incoming requests: decode the bearer token, extract the client_id and query the Access table for the allowed endpoints. If the incoming request matches the allowed endpoints, let it pass; otherwise reject it.
This should work, I guess?
You are best off using the Roles attribute, but you will need to create a TokenValidationHandler. Check this excellent answer here
I'm using the hybridauth library.
The Hybridauth documentation says persistent sessions are possible by storing the session data.
Let's say I stored the user's session data in my database. It contains the oauth token, oauth refresh token, etc.
Using the oauth token, it's possible to contact the oauth server without asking for user permissions.
Now everything is fine so far. But how exactly do I log the user in automatically if the user is logged into Google?
I mean, do I have to use any cookies?
I can't specifically help you with the library you are using, but have you looked at this? https://developers.google.com/accounts/docs/OAuth2Login
If you do an authorization for login as well, you'll get a token back, and you can use that to get the user id of the user at Google:
This field is only present if the https://www.googleapis.com/auth/userinfo.profile scope was present in the request for the access token. The value of this field is an immutable identifier for the logged-in user. Store this and you should have a durable identifier of the user.