I have a question about laravel passport... I did the code and it is working very good, my question is about the token.
My friend has an mobile app which it will connect to my Laravel API... I already gave him a grant token my question is, do I have to give him a new token everytime that he wants to connect to the API? or just with that one is enough? one token and it works everytime?
I think that it works like this:
He wants to connect.
He passes the token to access to the API.
The API creates a response.
Am I correct?
For mobile application you should use password grant for Api protection. For password grant, the general concept is the API will give the app client the following parameters for accessing the auth client to get an access token and refresh token.
grant_type: password
client_id
client_secret
When the user login in the mobile application, the mobile app will use the above parameters and also the user's username and password to request a user specific access token, this token usually will be active for 60 minutes, after 60 minutes, the app client need to use the refresh token to get a new access token.
After getting the user access token, for the rest of your APP's api, the mobile client need to use this access token to access them.
For Laravel Passport, you can check out the password grant document here:
https://laravel.com/docs/5.4/passport#creating-a-password-grant-client
To understand more about what password grant is check out this link:
https://www.oauth.com/oauth2-servers/access-tokens/password-grant/
Note: From what I understand from your description, the grant type you are using is Client Credential Grant, this type is best for using system to system API authentication.
Related
I have an api written in GO that, at the moment, serves an authorization token based on a username and password. (Without MSAL)
I am trying to implement MSAL logins with Microsoft accounts. I have setup my angular frontend to log a user in to an Azure AD app registration. Would it be possible to authenticate that they have successfully logged in to the Azure AD, and serve them one of my tokens (unrelated to msal) from my GO API?
The username that they use to login with MSAL also exists in my backend, the flow would be something like this;
User logs in with MSAL -> my frontend makes a request to golang backend with username -> golang verifies that this username has logged in with MSAL -> backend serves a token for this user
It appears golang integration with MSAL is limited, so not sure how possible this is.
Thanks.
What you can do is acquire an access token for your API in the front-end from Azure AD. For this you will either register the API in Azure AD or use the same app registration. Either way, you should add a scope in the Expose an API page in the registration. Your front-end can then use that scope's id to get the needed token.
Your API can then have an endpoint that validates the access token, and issues the local token. The access token will contain the user's username for example, if you want to map to that. A more robust way would be to map to the user's object id (also in the token) since it is immutable, unlike the user email.
For token validation, you should be able to use a generic JWT validation library. Also remember to check for that scope in the token that you defined to properly authorize the request.
everyone!
First, sorry if such issue is already was. And sorry for my English...
I am newer at laravel and I like it.
Now I learning how to create REST API app and for this I use laravel/passport.
And my target is to make social networks authorize via API. How it should work:
Client app, for example - mobile app, must send me (my app at laravel) request with Google token (for example).
From receive token I get the data about user, save it or find already existent.
After that I must send a token (from my app, not Google one), refresh token and expires_at.
Of course in normal api auth I use password_grant where you must do request with login and password, and it generate token, refresh token,expires_at. But how to do it if you have not password? How to create token, refresh token and expires_at for special user?
I know about personal tokens, but it only 'longlive' token? It make no sense! Why is not exist personal token that go with refresh token and expires_at or password token where you can create it directly?
Is there are some right solution? Will be solution in a future version of laravel/passport?
I will be very thankful if you can advise some really good solution.
I have an auth server built using spring boot oauth2.0 and follows david_syer model.
My auth server does following -
Let user login via third party oauth provider like google or let user create his account on our server using username and password and generate token.
So, when user uses external oauth like google to login then I simply store the token and pass the same(google) token to my UI app for accessing resource api servers. I have an authentication filter that verifies token and allow api access.
When user uses username and password to get token we store user and his permissions and generate a token for him. Now UI uses our auth servers generated token to access resource api servers.
Now my question is
Is this the correct way of using token from external api and using the same to access our resource api server?
And how do I add authorities to user who are signing up using 3rd party oauth provider since I don't add user entry and authorities for them?
So, spring security which loads user and user authorities (loadUserByUsername() from UserDetailsService) will not have any thing if user came from eternal provider.
I have a suggestion for step 2:
After the user uses the google authentication, and gets redirected back to your application page, do the claims transformation on your server and generate your own token issued by the identity server that you have.
The reason is you will be able to provide specific claims and the claims names does not necessarily required to match up.
That way you keep verifying your own token all the time on the client app. So lets say the user uses Facebook instead of Google and even in that scenario as you will assign your own token, you need not to verify the token coming from different third party Identity servers.
That way, your identity server trusts Facebook, Google provided token and your application will trust only your identity server so your app doesn't need to know about what IDP is issuing the token.
And with the approach I suggested above, you will be able to even modify the claims for the user on your own and don't have to depend upon the third party identity server to provide claims.
Very new to okta flow, please bear with my ignorance.
I am doing a poc to access sharepoint from my external site and sharepoint is authenticated through OKTA. I want to start getting list view data from share point and expose it on my site.
1) What is the difference of authenticating using username / password flow (vs) using token to authenticate into OKTA?
Step 1: Auth in through username / password get the session token
Step 2 : After this I tried to create a session as per docs:
http://developer.okta.com/docs/api/resources/sessions.html#create-session-with-session-token
You're probably missing a valid Okta API token (cf. Getting a Token ) when calling the /api/v1/sessions endpoint. In any event, you should use the /api/v1/authn endpoint for authentication purposes and that one usually doesn't need an api token (unless you want to authenticate it from a trusted application).
The /api/v1/sessions API with the username/password payload is deprecated so you should shy away from using it in favor of the /api/v1/authn API.
I hope this helps!
I am using spring boot for backend and Android device for frontend of my system.
Right now I am facing the challenge to use Spring-OAuth2 to secure my resource server.
I have some questions, which I want to discuss with you:
My knowledge + this tutorial are saying that I should use the OAuth2.0 "password" grant type for my mobile app to obtain an access token. The official spring tutorial for security gives an example how to obtain the access token using password grant type:
$ curl client:secret#localhost:8080/oauth/token -d grant_type=password -d username=user -d password=pwd
And here comes my first question: Is there any possibility to obtain access token using the password grant type without sending the "client secret" ?
Since the client secret could be "reverse engineered" by decompiling the client app. The obtaining access token without secret should be somehow possible, because Facebook SDK for Android also does not need the client_secret in the mobile app.
I think here I have a little trouble understanding why the clientID + clientSecret needs to be included in the request above, because, since there are already username + password included, it should be possible to generate the access token, so does this brings a next level of security ? and does it implies the following (example): I am logged in as Filip in my Android client and I am sending the access token A with each request to the server. Then I log in as Filip into web client and I try to access the resource server from web client using the access token A, which is not possible because access token A was issued only for Android client ?
The next question is how can I refresh the obtained access token ?
I was trying to do so using the command below, but I got "Full authentication is required to access this resource." After I got the new refreshed token, can I use the refresh token to refresh my new access token again ?
curl -v --data "grant_type=refresh_token&client_id=acme&client_secret=acmesecret&refresh_token=REFRESH_TOKEN" http://localhost:9999/uaa/oauth/token
Thank you
The OAuth 2.0 spec allows for so-called public clients i.e. clients that don't authenticate themselves. So it is possible to use the Resource Owner Password Credentials grant with a public client, i.e. one that does not need to send a client secret. It does mean that the Authorization Server cannot assume anything about the client since a client_id is not a secret and there's no way to prevent a malicious client using this grant type or clients from impersonating each other. So using it in this way comes at the cost of reduced security although one may argue that in your case there's no way to use confidential clients anyhow, so there's no difference.
In general the Resource Owner Password Credentials grant is an anti-pattern for OAuth and only meant for migration purposes because it defeats most of the goals of OAuth in itself.
Access tokens are issued on a per-client basis.
You refresh token request seems OK but the Authorization Server may require basic authentication instead of providing the client_id/client_secret as post parameters, considering that you did the same for the original access token request.