I secure Web API with OAuth2. How can i revoke access token when user logout ?
Something like : api/issuedtoken?token="token string".
RFC 7009 (OAuth 2.0 Token Revocation) is a standard specification defining an API to revoke an access token or a refresh token. If your authorization server provides the revocation API, you can call it whenever you want to revoke an access token.
Related
I have written REST APIs. I have users in OKTA. Does OKTA only supports OAuth token based access for REST APIs or for my REST APIs I can also use some other authentication mechanisms as well to authenticate users to APIs??
As it's your API you can protect it with whatever your want :) Some forms can be a static API token which a user would need to send you in an authorization header, or something else.
But as you have your users in Okta, it would make sense to go with a standard mechanisms like OAuth protection, where your app is registered with Okta as an OAuth service for which users would need to get an access token. Then you would ask that token to be sent in a standard Authorization: Bearer xxxxx header for it to be validated by any solid JWT verification library.
We have an Angular SPA and Web API which is hosted in IIS - standalone server.
Our Web API uses user ID and password OAuth token authentication.
One of our client wants to use their Azure AD instead of our application's user id and password.
How to pass their AD token in our /token API call? Is there any easy way to implement this?
We can do this by two ways.
Approach 1# using ADAL.js in SPA
For SSO Clients
Get AD Token using ADAL, then pass it to /token with custom grant_type and decrypt AD token and generate your own token
Apporach 2# using SAML approach
For SSO Clients
Get SAML response, and pass it to /token with custom grant_type and decrypt SAML token with certificate you received from AD SSO then generate your own token
We would like to have REST APIs with OAuth2 using our own user table for Authentication. Also, we need to allow Social Login. Below is the flow for social login,
Our OAuth
Client makes auth and access token URL for our servers to receive
the access token
Client sends access_token for further calls in the header as bearer
token
Social Login
Client makes auth and access token URL to Social Login server(For
ex,https://accounts.google.com/) to receive an access token
The client sends access_token for further calls in the header.
We have implemented our OAuth with Spring and working perfectly. We have questions on social login,
How to identify our own Oauth access token and social login access
token. We may have many social logins and we should able to identify corresponding social login.
How to validate and integrate with Spring Boot?
If the access tokens are just random strings, you probably cannot tell the issuer of the provided token and you cannot validate it.
I would suggest you to extend your OAuth2 server to accept third party providers (Google, Facebook ...) for authentication. This way would support both local and social users, but in your application, you would always deal with your own tokens. It would make the application security much easier (which usually means safer) and you could also configure your own scopes for access tokens. There are also ready to use solutions for it - e.g. Keycloak.
I am developing some RESTful services for our mobile app using Spring Boot. I succesfully implemented Oauth2 authentication with our registration using username and password. Users can authenticate by using username and password. Also our client want to be authenticated with their custom token. They have a web service that you send token and response is true or false.
My first thought was, I can write a service like /custom-login and that service accepts custom token. In my service I can check this token with external service and if it is valid I call oauth2 authentication and return oauth2 authentication response.
How can I implement custom authentication oauth2 ?
OAuth2.0 spec allows for custom grant types,
So your auth server can create an custom grant type,
for eg: let's assume your wanted to authenticate with Google using Google access token, so you will create new grant_type called google_token
So now when your users wanted to authenticate using Google access token , they will pass like
grant_type=google_token&client_id=clientId&client_secret=secret&google_token=google-access-token
Then your auth server can verify the access token with Google and optionally verify client is issued to, etc and once verified , it can return your own access token
This applies for third party auth severs, so you can create number of custom grant types
Does anyone know how to get the app access token to a One-Drive API app?
I've tried combining {appId}|{appSecret} as the access_token param and as the Authorization header but it doesn't seem to work.
Thanks,
The OneDrive API docs have a good section on getting auth tokens with OAuth. In a nutshell, there are two services involved -- the OneDrive API service and the authentication service. The OneDrive API only accepts OAuth tokens that were issued by the authentication service. The authentication service is what you talk to first to get an auth token.
Depending on your app, you can either use the token flow or the code flow to get an auth token. In the 'token' flow, you navigate the user's browser to the authentication endpoint with your appId. The user may need to log in, consent, etc., and then the authentication endpoint redirects back to your site with an auth token you can use. The 'code' flow is similar to the 'token' flow, except it redirects back with an authentication code that your client app can use (along with its client secret) to obtain an auth token and a refresh token. Once you have a refresh token, you can use that to obtain future auth tokens without the user's involvement (as long as they granted the wl.offline_access scope).