The access token that the app receives after successful authentication, can we use the same token for invoking GRAPH APIs for /me.
I tried to use the access token that I received in POSTMAN for /me but got an invalid token error. If I explicitly generate the token in POSTMAN, I am able to use it for /me.
What am I doing wrong here?!
I tested it.The access token you get after successful authentication of the app you use should be b2c, while b2c cannot be used to request a graph endpoint. See reference from Azure AD B2C auth code flow.
You can successfully request /me endpoint with the explicitly generated access token in POSTMAN because you are using an access token from Azure AD auth code flow.
Related
I have a web application that exposed an SCIM api endpoint. Then I used Azure AD SCIM validator to validate my SCIM endpoint. Azure AD needs a token to be able to connect to my app.
Problem is I generate Oauth 2 token using postman, I use this token in SCIM validator but the token does not work. It always responds as Invalid Credentials.
The token when used with Postman works though.
Anybody encountered same problem?
Any help is appreciated.
I'm currently using Keycloak 9.0.0. When authenticating using the code flow and exchanging this code, I'm receiving an id token without the at_hash claim.
How do I configure Keycloak to include an at_hash claim in the id token?
Background:
I'm using a "classic" server side rendered (SSR) program, a confidential client.
I'm sending requests to my local http api. But I also have an Angular client. The SSR is a Go programm using github.com/coreos/go-oidc.
Rendered pages that require authentication redirect the visitor to keycloak and back via the redirect_uri.
Since the visitor is logged in its id token is present in the session and I also pass the access token. However the id token has no at_hash claim and thus access token validation fails.
I also have a mobile web version of this site, in Angular and it sends a bearer access token once logged in. This app uses the code flow + pcke.
Both should be able to send authenticated requests, but since I'm using pretty much the only oidc client library for Go available, it requires an at_hash claim being present in the id token to be able to verify access tokens. The package currently has no support for the introspection endpoint.
Both id token and access token are returned from the IDP. But neither has an at_hash claim.
According to OIDC at_hash is mandatory only when access token is issued.
Make sure you are using response_type=id_token token and not response_type=id_token.
We have an Angular SPA and Web API which is hosted in IIS - standalone server.
Our Web API uses user ID and password OAuth token authentication.
One of our client wants to use their Azure AD instead of our application's user id and password.
How to pass their AD token in our /token API call? Is there any easy way to implement this?
We can do this by two ways.
Approach 1# using ADAL.js in SPA
For SSO Clients
Get AD Token using ADAL, then pass it to /token with custom grant_type and decrypt AD token and generate your own token
Apporach 2# using SAML approach
For SSO Clients
Get SAML response, and pass it to /token with custom grant_type and decrypt SAML token with certificate you received from AD SSO then generate your own token
I have three applications: REST API with Resource Server, Authorization Server and javascript client on VueJs that should use REST Api. Problem in using access token that I get after authorization. First I decided to use local storage or cookie for storing access token, but as I read It's not secure. It's recommended to use cookie with httpOnly, but I can't to access from js. Addition token in url params as well not right way. So what I should to do for using my Rest Api? I'm using Authorization Code grant flow.
When you have a Javascript client, the client itself should act as an OAuth2 client.
Meaning, the server is not what gets the token. The client, the javascript application in the browser, will fetch the token from the authorization server.
You achieve this by using a grant type called implicit.
In this grant type, there is no client_secret, but you must have a valid client_id. You will also not receive a refresh token. But you can receive access tokens and id_token (if you have an OIDC server).
Your question hints at you doing a server side grant (authorization_code,password,etc) and then sending that token to the javascript client. This would be incorrect.
For a great description of OAuth2, we have published this video: https://www.youtube.com/watch?v=u4BHKcZ2rxk
Your JavaScript application would do this:
Do I have a valid token? No
Start implicit grant
Receive token from authorization server
Store token in memory var token = ....
Use the token to invoke API endpoints on the server
Repeat step 5 until token is no longer valid
Go back to step 1
Next step for you is to watch the video and learn more about implicit grant type
As you already guessed, going down the road of getting a token on the server and then sending it to a non secure client exposes your applications in ways you probably do not want.
Does anyone know how to get the app access token to a One-Drive API app?
I've tried combining {appId}|{appSecret} as the access_token param and as the Authorization header but it doesn't seem to work.
Thanks,
The OneDrive API docs have a good section on getting auth tokens with OAuth. In a nutshell, there are two services involved -- the OneDrive API service and the authentication service. The OneDrive API only accepts OAuth tokens that were issued by the authentication service. The authentication service is what you talk to first to get an auth token.
Depending on your app, you can either use the token flow or the code flow to get an auth token. In the 'token' flow, you navigate the user's browser to the authentication endpoint with your appId. The user may need to log in, consent, etc., and then the authentication endpoint redirects back to your site with an auth token you can use. The 'code' flow is similar to the 'token' flow, except it redirects back with an authentication code that your client app can use (along with its client secret) to obtain an auth token and a refresh token. Once you have a refresh token, you can use that to obtain future auth tokens without the user's involvement (as long as they granted the wl.offline_access scope).