How do I validate Access Tokens in IdentityServer4 - access-token

I had previously used IdentityServer3 for a project and created a nice login flow utilizing the accesstokenvalidation endpoint. This seems to not be available in IdentityServer4.
What am I supposed to use?
I found the AccessTokenValidation Nuget but it doesn't appear to add an endpoint or maybe I have it configured wrong.
Thanks for any help.

"Login flow" and "access token" aren't really things that should go together. Can you describe in more detail this flow please?
As for the accesstokenvalidation endpoint, to validate an access token in IDS4 world you'd use the introspection endpoint.

Related

Make Keycloak authentication work with own JWT tokens generation

There's a Keycloak (KC) server in my company, and I'm working on some app.
The Backend is Spring Boot 2.6.6, Front-end is AngularJs.
When user presses 'Log In' button, user gets redirected to KeyCloak login page and enters
credentials. This part is implemented already and working fine.
But then comes a tricky part: I need to return to front-end JWT token with some granted authorities, and those authorities will depend of what application gets from it's DB for every particular user. All other endpoints will have #PreAuthorize with needed authority.
So, I can't get JWT from KC, because KC doesn't know anything about app's vision to user's granted authorities.
Can you please help with some ideas how to achieve this? Because I'm trying to implement this and getting doubts about possibility to achieve this.
One of the errors I'm getting is:
Found WebSecurityConfigurerAdapter as well as SecurityFilterChain. Please select just one.
Thank you
Keycloak is OAuth2 and OpenID Connect(OIDC) protocol complaint. Which means you can use already defined patterns of authorization flows in OAuth2.
Auth2 has implementation of a step by step authorization logic called Authorization Code Flow -which is one of many but I believe is the most suitable one for your use case-. RFC docs of this flow explain it pretty well and you can find them here. You should also look at how Keycloak implementations are done.
Learning and implementing this flow on your project will provide an industry standard solution.

Cognito authorize endpoint in OAuth2 identity provider

been trying to figure this out forever, and I don't think it's supposed to be that complex...
I have an AzureAD setup with an OAuth2 Connection that I want to point to Cognito so that I can authenticate users in the User Pool, get a token back and call AppSync APIs, etc. Important note here, I cannot use Amplify in the current situation.
I have configured my App Client as follows:
The ngrok URLs are because I'm working on a cloud based app that needs tunneling. I have multiple URLs in there in the hope that I'd get one that works, to no avail.
To configure the OAuth2 Connection in Azure, I'm asked for 3 URLs,
authorize, token and refresh.
Here are the values I put into these fields
When I initiate the auth process with this connection, I get the redirect_mismatch error. I have no idea why. When I open the HostedUI, it shows up just fine, but it points to login instead of authorize. The redirect_uri, however, is localhost:3000/ as seen at the end of the address bar.
Clearly, I'm missing something, but I have no idea what. Should there be additional parameters in the config of my URLs on Azure's side? Anyone ever connected the two in this way? The company insists on this flow, and I just can't wrap my head around it.
Any and all help apreciated, thank you.
NOTE: There is a possibility to configure a custom OAuth2 connection on the side of Azure with more parameters, should this be the way? I do not, however, know what to put in these extra fields.
In the case of a Bot authentication, as it is the case in my situation, in Callback URLs, add the following:
https://token.botframework.com/.auth/web/redirect
This allows to open the authentication window when authenticating your bot.

Coinbase Oauth2 authorization without pop-up dialog

I am working with Spring 5 and Java 8 and creating a RESTful client that will login to CoinBase and make trades for me at given times. I know there is an unsupported Java SDK for Coinbase out there, and I am looking into that code as well for clues.
I am using the CoinBase Oauth2 client in my Spring app, and it has been very successful so far. I make the authorization call with a callback URL. This opens up a dialog box and if I am logged in, asks me to authorize My Coinbase Acct with MyApp and I get an email indicating that this is done. If I am not logged into Coinbase already, then I get asked for my Coinbase username/password and then it is authorized, again I get an email that this is ok.
The next step I see is that my redirect URL is called with a code that is passed back with it. That code, as you all know, then allows me to request an access token. Which I can do, and yes, I get my access token. I can now make calls to Coinbase API with that Access token. However, this access token is only good for 7200 (seconds?), so for two hours? I want to be able to get an access token and have this automatically login to coinbase for me. I don't want to have to re-authorize every time I want to make a trade ... or do I have to?
It seems to me that the "code" that comes back from authorizing is very short lived, and I can use it immediately to get that access token.
So, for me the big question is ... for Coinbase API, how can I keep myself authorized indefinitely? I want to be able to be authorized already, and then get an access token on a regular basis so I can make trades for myself????? Is this even possible with coinbase API?
Do I have to use Coinbase Pro for that ability, which I am fine with using? Is it even possible with Coinbase Pro?
I am a newbie with Coinbase as it's yet another third-party API that I have learn the nuances of. I am not a newbie when it comes to writing Java code to access third-party RESTful api's.
So, any help would be much appreciated. Thanks!
I guess you are missing 'refresh token' in your application.
What is the purpose of a "Refresh Token"?
It is hard to say how to implement it without code snippets but here some steps that should help:
Take a look at coinbase article about refresh tokens they provide
https://developers.coinbase.com/docs/wallet/coinbase-connect/access-and-refresh-tokens
Obtain and save refresh_token as well as token after authorization
Create function that will be using your refresh token to obtain new pair (token, refresh_token). You can find curl example in step (1)
a. Make ExceptionHandler that will call (3) if gets 401 (i guess it is 401 - if token expired)
b. Save 'expires_in' from step 2 and check it before each request. Call (3) if needed

IdentityServer4 how to store and renew tokens in authorization code flow

I am looking for the best approach to work with the IdentityServer4 autorization code flow.
My apps system is quite ordinary: I have an MVC client, a WebAPI and the IS. I also use AJAX to request the API from the client side. So I need the access token on the client side to put it into the authorization header.
Is it good idea to store access token in the cookies?
Do I need self-contained or reference token (it is about security, I suppose)?
What is the best approach to renew when it was expired?
I thought about the two strategies:
Update access token when the first 401 status code was recieved. Can be the problem cause I send more than 1 query to the API and I need to synchronized them and recall the first one (to get result);
Every time before API calling call the MVC client method with GetTokenAsync, check the expire time and get or update and get access token. Seems cheating, cause I need to call the MVC client every time when I want to call the API.
Could you help me to find the best way?
"Is it good idea to store access token in the cookies?"
No, not with the authorization code flow. If you are using an MVC web application you should find a way to store tokens in some kind of datastore away from the browser. All the MVC application should administer is a cookie to access future MVC endpoints (that will make subsequent calls to Identity Server with the appropriate access token in the datastore).
"Do I need self-contained or reference token (it is about security, I suppose)?"
That's all up to you and what you think is best for your use cases. If you'd like to see the information in the access token and skip the extra backend call for validation then use reference tokens. Strategy 2 requires you to use self-contained tokens so that you can check the expiry.
"Could you help me to find the best way?
I don't know if I can give the "best" way, but I'd probably go with strategy 2 and use self-contained tokens.
EDIT: If you wanted to use "axios , to get data from the API" then I would suggest using the implicit flow which has no concept of a refresh token. In this case, leaving it in the cookie should be OK.

Azure Mobile Services, Auth0, Web Api & Authorize Attribute

For a mobile application (Cordova & AngularJS), I use Azure Mobile Services with Web Api.
I am currently experimenting with different OAuth implementations to see which one fits my needs the most.
Tried OAuth from ngCordova, OAuth.io, WAMS server flow and Auth0 with WAMS delegation.
I also came across the option using the "JsonWebToken DelegationHandler for WebAPI". With this approach, I should use the "System.Web.Http.Authorize" attribute. When I debug the JsonWebTokenValidationHandler, everything looks good (IsAuthenticated is true etc.), but at the end, a 401 is being returned.
I guess, WAMS overwrites the user principal. A look at the WAMS log reveals that "The 'Bearer' HTTP authentication scheme is not supported." As soon as there is such an authentication token present it seems to get rejected by Azure Mobile Services.
My first thought was, that I can probably remove a specific message handler but that doesn't seem to be the case. Does anyone have an idea to get this to work with WAMS?
There is another post with a question very similar to this one:
Azure mobile service using aad "The 'Bearer' HTTP authentication scheme is not supported" error
You can pass the application key in the header like so:
HttpClient.DefaultRequestHeaders.Add("X-ZUMO-APPLICATION", "<YOUR APP KEY>";
In that link, Matthew mentions details about how to user authentication and posts links on how to set it up properly which you may find valuable.

Resources