I am trying to create an oAuth policy to protect an API using an JWT access token. That token can be validated by calling an external URL.
I am using the following RAML for my Mule proxy.
#%RAML 1.0
title: Custom API
version: 1
baseUri: http://localhost:8081
securitySchemes:
oauth_2_0:
description: |
This API supports OAuth 2.0 for authenticating all API requests.
type: OAuth 2.0
describedBy:
headers:
authorization:
description: |
Used to send a valid OAuth 2 access token. Do not use with the "access_token" query
string parameter.
type: string
responses:
401:
description: |
Bad or expired token. This can happen if the user or the API revoked or expired an
access token. To fix, you should re-authenticate the user.
403:
description: |
Bad OAuth request (wrong consumer key, bad nonce, expired timestamp...). Unfortunately,
re-authenticating the user won't help here.
/hello:
get:
securedBy: [oauth_2_0]
However, mule is not able to send the Authorization header while validating against the external service.
The RAML that you posted is fine, but informative only. You have to implement the JWT oAuth token enforcement capability either as a custom policy or as part of your Mule flow. Currently, there is no out-of-the-box policy for JWT token validation.
Usually, for validating a token, an external endpoint is called providing the token as part of the internal [policy] request. That means that the policy itself will parse the incoming user request, and extract the token either from the query params or from the Authorization header (removing the bearer part). AFAIK, Authorization header is never sent to the introspection token URL.
Related
Using the old authorization server, the user request an opaque token using the Client credentials grant and then use it inside an Authorization Header when calling APIs. On our resource server, we would contact the authorization server to authenticate this token and retrieve client information.
On the new server, we have no problem generating this opaque token but I don't understand how we can authenticate this token ?
When calling the introspection endpoint, we have always an Unauthorized result due to using AnonymousAuthenticationToken: obviously since the user is already logged in, we don't ask him to give his client_id and client_secret for each call.
Is it possible to allow this behavior ?
Calling the introspection endpoint and having a success with the decrypted token metadata and not a 401.
We are trying to use auth0 for spring-boot application authentication.
Created Regular Web Application and Machine to Machine Applications in auth0.com and added users under User Management.
Intention is to have a login API to authenticate users and get the access-token after the successful authentication. Use access token (as bearer token) to access other APIs of the spring-boot application.
We provided proper login and callback urls under the Machine To Machine application configuration in auth0.com.
While generating bearer token, apart from client_id, client_secret we have provided grant_type (as client_credentials), audience as https://<>/api/v2 and scope with (openid profile my_scope email roles).
We are getting 401 error while accessing the other APIs using bearer token generated using client_id, client_secret, grant_type and audience.
Wherein, we are getting 403 error while accessing the other APIs using bearer token generated using client_id, client_secret, grant_type, audience and scope.
403 error stack is as below
Client is not authorized to access <<application-domain-in-auth0>>/api/v2/. You need to create a client-grant associated to this API.
We referred to the udemy session (https://www.udemy.com/course/build-secure-apis-with-auth0-and-postman/learn/lecture/12716335#overview)
Any inputs on the overall approach and where we are going wrong.
Thanks
Venkata Madhu
not sure if it can help, but found this more relevant to the problem statement.
https://community.auth0.com/t/how-to-generate-a-management-api-token-automatically/6376
There are a few things you need to do/check:
Create a non-interactive client in Auth0, which will be used to represent your service.
Authorize the non-interactive client to call the Auth0 Management API:
Dashboard > APIs > Auth0 Management API > Non Interactive Clients > Authorize your client
Ensure that the parameters used in the call to /oauth/token are for your non interactive client:
{
grant_type: 'client_credentials',
client_id: 'NON-INTERACTIVE-CLIENT-ID',
client_secret: 'NON-INTERACTIVE-CLIENT-SECRET',
audience: 'https://yourdomain.auth0.com/api/v2/" }
Make sure the access token you receive is passed in the Authorization header for every request made to the Management API. Authorization: Bearer <access_token>
I've setup oidc-provider for pkce (v7x). When I do the following:
request a code from /auth with response_type='code'
Used the code to get token form /token with grant_type=authorization_code
Receive token as shown:
{
access_token: "a8DM82TgXF-cjlzH8yOjuK6_OF9h_JaYJjSPrAdCRG0"
expires_in: 86400
id_token: "eyJhbGci....FQg"
scope: "openid"
token_type: "Bearer"
}
How can I get node-oidc-provider to return a JWT access_token with claims?
You shall use the Resource Indicators feature (oidc-provider docs) and request an access token for a particular resource server, in the resource indicators feature the configuration getResourceServerInfo is for validating the resource indicator provided (or defaulted to) in the authorization request. The return value from this getResourceServerInfo helper also defines the access token format (accessTokenFormat property), when the value is jwt the resulting Access Token is, well, a JWT following the JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens.
I understand that a resource server will make a call to the authentication server with a token to confirm that it is valid.
However is this token the same Cookie: JSESSIONID?
Oauth 2.0 Bearer tokens are of two types - General tokens(e.g like java uuid string) and JWT tokens.
General tokens will be stored in the authorization server token store along with their scopes, expiry, client ID, UserId and other related information. When client sends request to resource server, Resource server need to reach out authorization server(Spring oauth 2.0) for bearer token validation.
JWT tokens contains information about its expiry along other user information and self sufficient to work in stateless sessions, Here we don't need to validate oauth 2.0 JWT tokens from authorization server.
JSESSIONID Cookie is created by spring security by default, its not related to Bearer token authorization.
Well the standard solution is an introspection request, as in step 14 of this post: https://authguidance.com/2017/09/26/basicspa-oauthworkflow/
Not all solutions are standards based though - and I always recommend capturing the HTTP traffic
I am developing web API 2 services with authentication as bearer Token using oauth 2. I am not able to understand how authorization server create Token and revalidate that Token for subsequent request with that token. I also want to know that if I request token for same user name and password from different machine how server manage the token generation .
Regards