I have a username and password for Salesforce. I tried the REST API way; it requires a client ID, client secret and redirect URL. The client is not willing to share them. Is there any alternative to get the data by just using the username and password?
You can use the username & password OAuth flow. Here is an example Java app that does that: https://github.com/jamesward/salesforce-rest-starter
Ask the client to create a public REST service as described here.
https://developer.salesforce.com/forums/?id=906F00000008s2KIAQ
This way it does not require any authentication and anyone can access the service.
I have been trying to implement 2FA using OTP. So far I have succeeded via the browser flow, using the Keycloak interface to log in. Keycloak provides an API that returns the access token after passing username, password & client secret,
i.e. http://localhost:8080/realms/SpringBootKeycloak/protocol/openid-connect/token
Is there any external API available to trigger my custom flow of sending an OTP and verifying it? If not, how can I implement this?
Keycloak doesn't provide any API to verify the OTP.
Keycloak provides an API to give the access token after passing username, password & client-secret
Most likely you're talking here about Resource owner password credentials grant (Direct Access Grant).
The latest OAuth 2.0 Security Best Current Practice spec actually recommends against using the Password grant entirely, and it is being removed in the OAuth 2.1 update. (source).
Unless you have more specific requirements than just login and OTP, I'd recommend using the regular authorization code flow as the default way of authorization. With this flow you'd be redirected to the Keycloak login page, and you can configure OTP to be displayed there without using Keycloak APIs.
I'm trying to implement Spring OAuth2 in my Spring REST application. What I have already achieved:
Generate a token while logging in.
Store this token on the client side, use it for every request I do from UI.
What I want to achieve:
1. Encrypt the token stored on the client side & send this encrypted token instead of sending the actual token.
Are there any services available in the Spring OAuth2 project to achieve this?
Any ideas/suggestions?
Thanks
As far as I know, OAuth2 servers and clients usually run over SSH channels; if you use SSH there is no need to encrypt them.
Secondly, the access_token is stored in a cookie on the client side. If you want to encrypt it you must consider that your OAuth2 server should be able to decrypt it too!
Thirdly, your scenario has already been implemented by JWT!
Take a look at:
https://github.com/spring-guides/tut-spring-security-and-angular-js/tree/master/oauth2
I am using spring boot for backend and Android device for frontend of my system.
Right now I am facing the challenge to use Spring-OAuth2 to secure my resource server.
I have some questions, which I want to discuss with you:
My knowledge + this tutorial say that I should use the OAuth 2.0 "password" grant type for my mobile app to obtain an access token. The official Spring tutorial for security gives an example of how to obtain the access token using the password grant type:
$ curl client:secret@localhost:8080/oauth/token -d grant_type=password -d username=user -d password=pwd
And here comes my first question: Is there any possibility to obtain an access token using the password grant type without sending the "client secret"?
Since the client secret could be "reverse engineered" by decompiling the client app. Obtaining an access token without the secret should somehow be possible, because the Facebook SDK for Android also does not need the client_secret in the mobile app.
I think I have a little trouble understanding why the clientID + clientSecret need to be included in the request above, because, since username + password are already included, it should be possible to generate the access token. So does this bring a next level of security? And does it imply the following (example): I am logged in as Filip in my Android client and I am sending access token A with each request to the server. Then I log in as Filip in the web client and try to access the resource server from the web client using access token A, which is not possible because access token A was issued only for the Android client?
The next question is how can I refresh the obtained access token?
I was trying to do so using the command below, but I got "Full authentication is required to access this resource." After I get the new refreshed token, can I use the refresh token to refresh my new access token again?
curl -v --data "grant_type=refresh_token&client_id=acme&client_secret=acmesecret&refresh_token=REFRESH_TOKEN" http://localhost:9999/uaa/oauth/token
Thank you
The OAuth 2.0 spec allows for so-called public clients, i.e. clients that don't authenticate themselves. So it is possible to use the Resource Owner Password Credentials grant with a public client, i.e. one that does not need to send a client secret. It does mean that the Authorization Server cannot assume anything about the client, since a client_id is not a secret and there's no way to prevent a malicious client from using this grant type or clients from impersonating each other. So using it in this way comes at the cost of reduced security, although one may argue that in your case there's no way to use confidential clients anyhow, so there's no difference.
In general the Resource Owner Password Credentials grant is an anti-pattern for OAuth and only meant for migration purposes because it defeats most of the goals of OAuth in itself.
Access tokens are issued on a per-client basis.
Your refresh token request seems OK, but the Authorization Server may require basic authentication instead of providing the client_id/client_secret as POST parameters, considering that you did the same for the original access token request.
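As an added example (not code from any of the posts above), here is a small Python helper that builds the password-grant and refresh-token requests discussed in this answer: client credentials go in an HTTP Basic header for a confidential client, while a public client sends only its client_id in the body; it also reads the token response and keeps the right refresh token for the next refresh. The token URL is the one from the question; the client id, secret, tokens and sample response are constructed.

```python
import base64
import json
from urllib.parse import urlencode

# Endpoint taken from the question above; all other values here are constructed.
TOKEN_URL = "http://localhost:9999/uaa/oauth/token"

# Constructed sample of a successful refresh response (server rotated the refresh token).
SAMPLE_RESPONSE = ('{"access_token":"at-2","token_type":"bearer",'
                   '"refresh_token":"rt-2","expires_in":43199}')


def client_auth_header(client_id, client_secret):
    """HTTP Basic client authentication (RFC 6749, section 2.3.1), which many
    authorization servers require instead of client_id/client_secret body params."""
    creds = f"{client_id}:{client_secret}".encode("utf-8")
    return {"Authorization": "Basic " + base64.b64encode(creds).decode("ascii")}


def build_token_request(client_id, grant_params, client_secret=None):
    """Return (headers, form_body) for a POST to TOKEN_URL.

    Confidential client (secret given): Basic header, no secret in the body.
    Public client (no secret, e.g. a mobile app): only client_id in the body, so
    the server cannot distinguish this client from anyone else using that id."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    body = dict(grant_params)
    if client_secret is None:
        body["client_id"] = client_id
    else:
        headers.update(client_auth_header(client_id, client_secret))
    return headers, urlencode(body)


def password_grant(client_id, username, password, client_secret=None):
    params = {"grant_type": "password", "username": username, "password": password}
    return build_token_request(client_id, params, client_secret)


def refresh_grant(client_id, refresh_token, client_secret=None):
    params = {"grant_type": "refresh_token", "refresh_token": refresh_token}
    return build_token_request(client_id, params, client_secret)


def parse_token_response(raw, old_refresh_token):
    """Return (access_token, refresh_token_to_keep). A server may rotate the
    refresh token; when it omits one, the previous refresh token stays in use."""
    data = json.loads(raw)
    if "error" in data:
        raise RuntimeError(f"token endpoint error: {data['error']}")
    return data["access_token"], data.get("refresh_token", old_refresh_token)
```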
I am targeting to secure my REST APIs with a custom OAuth Authorization server of my own (NOT Google, Facebook etc.) by using the Resource Owner Password Credentials Grant. The user would pass the credentials over SSL and would get back the Access Token and Refresh Token. I followed this tutorial - http://www.beingjavaguys.com/2014/10/spring-security-oauth2-integration.html
However, I have a few questions -
1- Is it a good approach in the first place?
2- User credentials in that tutorial are passed as query parameters. That's not the advisable approach. How can I make it a POST request?
3- I want to store credential information in a database and implement custom authentication by validating the username/password from the DB (as opposed to the approach in the above tutorial, in which the credentials are stored in a file).
Please provide your insight. Thanks!
1) IMHO, I think use the Authorization grant instead of the Resource Owner Password grant, which does the same and is more secure than the Resource Owner Password grant.
2) I think you can follow this tutorial to make authentication from DB.
We want Socialite (web application name) user data to be uploaded to IBM Connections, per user activity stream.
It requires a proper OAuth mechanism. To achieve this, we are working on OAuth to get an OAuth token and OAuth secret per IBM Connections user.
We created the AppID, AppKey and AppSecret with the help of the commands mentioned in the IBM documents. http://www-10.lotus.com/ldd/lcwiki.nsf/xpDocViewer.xsp?lookupName=IBM+Connections+4.0+documentation#action=openDocument&res_title=Registering_an_OAuth_client_with_a_provider_ic40&content=pdcontent
Now we need the requestTokenURL, authorizationURL and accessTokenURL to get the access token and access secret per IBM Connections user.
Please advise me.
The authorization URL should be
https://<host>:<port>/oauth2/endpoint/connectionsProvider/authorize
The access token URL should be
https://<host>:<port>/oauth2/endpoint/connectionsProvider/token
OAuth 2.0 doesn't have the request token anymore. There are only two token URIs.
For our test Connections environment the endpoints are
https://connections4.e-office.com/oauth2/endpoint/connectionsProvider/authorize
https://connections4.e-office.com/oauth2/endpoint/connectionsProvider/token
You can find more details here; it's about SmartCloud but you can find some good information there:
http://www-10.lotus.com/ldd/appdevwiki.nsf/xpViewTags.xsp?categoryFilter=OAuth%202.0