How to use OAuth 2.0 in Oracle Application Express? - oracle

I have created an application that calls an Oracle RESTful web service. But I want to add OAuth 2.0 when calling this web service in order to maintain the security of the data. I have followed the tutorial 'Accessing the RESTful Services from a Third Party Application'.
But when I try to get the access token, I get the error below:
https://server:port/i/oauthdemo/gallery.html#error=access_denied&state=STATE
The document mentions that this error happens if the user denies the request.
Can anyone tell me how to approve the request? Is there any extra configuration that I need to make?

Related

oAuth2.0 authentication using EWS throwing 401 Unauthorized

I have OAuth 2.0 implemented in Java as recommended in the following link: https://learn.microsoft.com/en-us/exchange/client-developer/exchange-web-services/how-to-authenticate-an-ews-application-by-using-oauth.
The Azure application which I created to get consent was using "Exchange API" earlier. Since I am migrating to a new domain, I thought that instead of migrating my existing Azure applications I could create them anew and replace the applicationId wherever required. When I started creating a new application I didn't find "Exchange API" as an option for API Permission, so I went with "Graph API" as "Exchange API" was not available.
If I use the old code where the scope is https://outlook.office365.com/Calendars.Read against the newly created application (where API Permission is using Graph API) and create an OAuth token with ExchangeService as [ewsClient.Url = https://outlook.office365.com/EWS/Exchange.asmx], it works as expected.
But when I change my scope to https://graph.microsoft.com/.default (as I changed the API to Graph in my Azure application, I thought my scope also had to be changed accordingly) and keep ExchangeService as [ewsClient.Url = https://outlook.office365.com/EWS/Exchange.asmx], it throws 401 at the ExchangeService.bindToFolder() method from the Microsoft ews-java-api jar.
Any suggestions on:
what has to be changed to avoid the 401?
Can I still use https://outlook.office365.com/Calendars.Read as scope and https://outlook.office365.com/EWS/Exchange.asmx as my ExchangeService URL even though the Azure application which I use to generate the OAuth token has API permissions through Microsoft Graph?
https://outlook.office365.com/Calendars.Read
This isn't a scope that will work with EWS. It sounds like you may be using the Outlook V2 endpoint, as that would be a valid scope and audience for that API (which has now been deprecated). Depending on what flow you are using, the only valid scopes for EWS are EWS.AccessAsUser.All for delegated flows and full_access_as_app for the Application (Client_Credentials) flow. The first doc you linked gives a method of modifying the manifest, as they removed the method of adding the permission in the portal.
Graph permissions won't work in EWS, so https://graph.microsoft.com/.default won't be a valid scope; it may return a token but that token won't have a valid audience for EWS. If you are using the Client_Credentials flow and you have granted full_access_as_app, then you need to use https://outlook.office365.com/.default; for the delegated flow you use https://outlook.office365.com/EWS.AccessAsUser.All.
It sounds from your description like you may have both EWS and some Outlook V2 code, but you need to show some of your code. What might be an easier solution for you is to look at your old manifest and find the GUIDs of the permissions being used; you can cut and paste these into the new manifest, then consent to those, and everything will work.
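The answer's diagnosis (the token is issued, but with the wrong audience and without an EWS permission) can be confirmed by looking at the token itself before calling EWS. The following is an added example for this thread, not code from ews-java-api or Microsoft: it decodes the payload of an Azure AD access token without verifying the signature (so it is a diagnostic, never an authorization check) and reports whether the `aud`, `scp` (delegated) and `roles` (application) claims are what EWS needs. The three sample tokens are constructed, unsigned stand-ins for the ones discussed in the question.

```python
"""Inspect an Azure AD access token's audience and permission claims to see
whether EWS will accept it. Example code added to this thread, not from
ews-java-api or Microsoft. Decoding only; no signature check, so use it to
diagnose, never to authorize. The sample tokens below are constructed."""
import base64
import json

EWS_AUDIENCE = "https://outlook.office365.com"
EWS_DELEGATED_SCOPE = "EWS.AccessAsUser.All"
EWS_APP_ROLE = "full_access_as_app"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload of a compact JWT without verifying its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_ews_token(token: str) -> dict:
    """Explain why EWS would accept or reject this token.

    Azure AD tokens carry delegated permissions in 'scp' (space separated)
    and application permissions in 'roles' (a list). EWS requires the Outlook
    audience plus one of the two EWS permissions named in the answer."""
    claims = jwt_claims(token)
    aud = claims.get("aud", "")
    scopes = set(claims.get("scp", "").split())
    roles = set(claims.get("roles", []))
    problems = []
    if aud.rstrip("/") != EWS_AUDIENCE:
        problems.append(f"audience is {aud!r}, EWS expects {EWS_AUDIENCE!r}")
    if EWS_DELEGATED_SCOPE not in scopes and EWS_APP_ROLE not in roles:
        problems.append(
            f"missing {EWS_DELEGATED_SCOPE} (delegated) or {EWS_APP_ROLE} (app-only)")
    flow = "delegated" if "scp" in claims else "application" if "roles" in claims else "unknown"
    return {"aud": aud, "flow": flow, "ews_ok": not problems, "problems": problems}


def _make_unsigned_token(claims: dict) -> str:
    # Constructed sample only: real Azure AD tokens are RS256-signed.
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed samples mirroring the tokens discussed in the question/answer.
GRAPH_TOKEN = _make_unsigned_token(
    {"aud": "https://graph.microsoft.com", "scp": "Calendars.Read User.Read"})
EWS_TOKEN = _make_unsigned_token(
    {"aud": "https://outlook.office365.com", "scp": "EWS.AccessAsUser.All"})
APP_ONLY_TOKEN = _make_unsigned_token(
    {"aud": "https://outlook.office365.com/", "roles": ["full_access_as_app"]})

if __name__ == "__main__":
    for name, tok in [("graph", GRAPH_TOKEN), ("ews", EWS_TOKEN), ("app", APP_ONLY_TOKEN)]:
        print(name, check_ews_token(tok))
```

Paste the real access token obtained from MSAL/ADAL into `check_ews_token` to see which of the two conditions the 401 comes from; with the `.default` Graph scope from the question both the audience and the permission are wrong.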

Using two azure AD app registrations for mobile and web

I have a mobile app which gets a token directly from Azure login. And I have a service which is using adal4j in Spring Boot. I cannot use the mobile-generated token to authenticate to the Spring service, because I use two different Azure app registrations for the mobile app and the web service. Is there a way to accomplish this?
My understanding is that you have created 2 Enterprise Applications in Azure.
1) An Enterprise Application for your mobile app (Type: Native)
2) An Enterprise Application for your Web API app (Type: WebAPI)
For native app, you will not need a client secret but you will need a client secret for the Web API app.
Now coming to the key configurations:
In both of these, please update the manifest file to have oauth2AllowImplicitFlow set to true
Also, in your Web API Enterprise Application, please have the app id of your native app in the known client apps
"knownClientApplications": ["
Now, when calling your Web API through an end-point from the Native application, pass your token in your request header as "Authorization": "Bearer "
Also note: if you need to retrieve group claims, please update the manifest in both your enterprise apps to have the following setting for this property
"groupMembershipClaims": "SecurityGroup"
Update:
Under permissions in the native app, please add the Web API app registration to allow access
Yes, the OAuth 2.0 on-behalf-of flow should apply to your scenario. These steps constitute the On-Behalf-Of flow.
Azure AD issues a token for a certain resource (which is mapped to an Azure AD app). When we call AcquireToken(), we need to provide a resourceID, only ONE resourceID. The result would have a token that can only be used for the supplied resource (id). There are ways where you could use the same token, but it is not recommended as it complicates operations logging, authentication process tracing, etc. Therefore it is better to look at the other options provided by Azure and the ADAL library. The ADAL library supports acquiring multiple access tokens for multiple resources using a refresh token. This means once a user is authenticated, ADAL's authentication context would be able to generate an access token for multiple resources without authenticating the user again.
Further details here.
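To make the two answers above concrete, here is an added example (not ADAL/MSAL code and not from the thread) that walks through the exchange: the Web API checks that the bearer token it receives was issued for its own app registration and came from the known mobile client, then performs the on-behalf-of request against a local stand-in for the Azure AD token endpoint, which checks what the real endpoint checks about the request shape and mints a token for the downstream resource. The app IDs, secret and downstream scope are hypothetical, and tokens are unsigned base64url JSON so that the claims are readable; real tokens are RS256-signed JWTs that the Web API must verify before trusting any claim.

```python
"""Simulate the OAuth 2.0 on-behalf-of (OBO) exchange between a Web API and
the Azure AD token endpoint. Added example for this thread, not ADAL/MSAL
code. The token endpoint is a local stand-in; tokens are unsigned JSON for
readability (real ones are RS256 JWTs that must be verified)."""
import base64
import json
from urllib.parse import parse_qs, urlencode

OBO_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"

# Hypothetical identifiers for the three parties in the question.
MOBILE_APP_ID = "11111111-1111-1111-1111-111111111111"
WEB_API_APP_ID = "22222222-2222-2222-2222-222222222222"
WEB_API_SECRET = "web-api-client-secret"
DOWNSTREAM_SCOPE = "https://graph.microsoft.com/.default"


def _encode(claims: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(claims).encode()).rstrip(b"=").decode()


def _decode(token: str) -> dict:
    return json.loads(base64.urlsafe_b64decode(token + "=" * (-len(token) % 4)))


def web_api_accepts(bearer: str) -> bool:
    """Resource-server check: the token must be addressed to this API ('aud')
    and come from the known client app ('appid' in v1 tokens). A token minted
    for the mobile app's own audience, as in the question, is rejected."""
    claims = _decode(bearer)
    return claims.get("aud") == WEB_API_APP_ID and claims.get("appid") == MOBILE_APP_ID


def build_obo_request(user_token: str) -> str:
    """Form body the Web API posts to the token endpoint to trade the user's
    token for one addressed to the downstream resource."""
    return urlencode({
        "grant_type": OBO_GRANT,
        "client_id": WEB_API_APP_ID,
        "client_secret": WEB_API_SECRET,
        "assertion": user_token,
        "scope": DOWNSTREAM_SCOPE,
        "requested_token_use": "on_behalf_of",
    })


def token_endpoint(body: str) -> dict:
    """Stand-in for Azure AD: validates the OBO request and issues a token
    whose audience is the requested resource, carrying the same user."""
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if form.get("grant_type") != OBO_GRANT or form.get("requested_token_use") != "on_behalf_of":
        return {"error": "invalid_grant"}
    if form.get("client_id") != WEB_API_APP_ID or form.get("client_secret") != WEB_API_SECRET:
        return {"error": "invalid_client"}
    assertion = _decode(form["assertion"])
    # The assertion must have been issued *to* the middle tier, not to the caller.
    if assertion.get("aud") != WEB_API_APP_ID:
        return {"error": "invalid_grant", "error_description": "assertion audience mismatch"}
    resource = form["scope"].rsplit("/", 1)[0]
    return {"token_type": "Bearer",
            "access_token": _encode({"aud": resource, "sub": assertion["sub"],
                                     "appid": WEB_API_APP_ID})}


def call_downstream_on_behalf_of(bearer: str) -> dict:
    """Full middle-tier path: accept caller token, run OBO, return the result."""
    if not web_api_accepts(bearer):
        return {"status": 401}
    resp = token_endpoint(build_obo_request(bearer))
    if "error" in resp:
        return {"status": 500, "detail": resp}
    return {"status": 200, "downstream_aud": _decode(resp["access_token"])["aud"]}


# Constructed tokens: one minted for the Web API (correct), one minted for the
# mobile app itself (what the question's mobile client was sending).
GOOD_TOKEN = _encode({"aud": WEB_API_APP_ID, "appid": MOBILE_APP_ID, "sub": "user-123"})
WRONG_AUD_TOKEN = _encode({"aud": MOBILE_APP_ID, "appid": MOBILE_APP_ID, "sub": "user-123"})

if __name__ == "__main__":
    print(call_downstream_on_behalf_of(GOOD_TOKEN))
    print(call_downstream_on_behalf_of(WRONG_AUD_TOKEN))
```

The mobile app therefore has to request a token for the Web API's app ID (its `resource`/scope), not for itself; the `knownClientApplications` entry in the Web API manifest is what lets a single consent prompt cover both registrations.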

Okta sign-in widget with PHP does not work

I was trying to setup OAuth workflow using the sample application as given here
However, for some reason, after I enter my Okta user ID and password, I never get control back on my call-back URL and the application just hangs indefinitely.
However, the normal JavaScript Sign-in widget (check this link) with the minimal authentication does work and I get control back at the redirect URL. But this is not for an OAuth2 workflow... which is completely useless for me. Because all it does is provide an authentication service using the Okta tenant app and redirect you to your app URL. This does not provide any authorization grant workflow or other complex OAuth2 workflow. It may be useful for some applications but not for an enterprise app where you want to retrieve user profiles and create a login session based on the user profile data retrieved from Okta.
So my question is: why is the OAuth workflow not working using the PHP application that uses the JS sign-in widget? And why are there no instructions or warnings on this page for this costly service (this is not free and many orgs are probably paying for it)?
I spent almost a day trying to set up my Authorization server as per the instructions given on this link, but nothing works. Any idea what must be going wrong?
Does this entire example work only after contacting Okta support to enable the Authorization server feature? Because I also saw documentation here that says that this is an Early Access (EA) feature (and it was probably recently added in Okta? Extremely frustrating experience).
BTW, I sent an email to their customer support to enable this Authorization server feature just in case I am missing something. If this does not work then I will have to create my own OAuth2 server using the Laravel 5.4 PHP framework, which is probably the quickest solution and 100% free.
I also tried to test the Authorization server setup as per the instructions provided here.
I was successful in getting the following end point working:
/oauth2/:authorizationServerId/.well-known/openid-configuration
But I am unable to get any scopes or claims using the API end-point:
/api/v1/authorizationServers/:authorizationServerId/scopes
So in short, I am so far unable to test my Authorization server to get my authorization grant workflow working.
Where can I look for some troubleshooting advice?
Is there another way to check whether I have configured my OKTA Authorization server properly?
I found out that the JS script provided for the PHP sample is not right for the workflow I am working on. So after changing that JS script, things started to work.
Edit: Also please note that setting up an Authorization server is a new feature (an Early Access feature) in Okta. It is not enabled by default. So you need to contact the Okta support team to enable the Authorization server endpoint and the functionality it provides.
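The question asked for a way to check that the authorization server is configured properly; the `.well-known/openid-configuration` document the poster was able to retrieve is the right place to look, because a client library will use exactly those values. The following added example (not Okta code, not part of the thread) checks a discovery document for the things that break an authorization code flow: issuer not matching the URL it was fetched from, non-https or off-issuer endpoints, `code` missing from `response_types_supported`, and the scopes the client will ask for not being offered. The org name, authorization server id and document are constructed; fetch the real document over HTTPS and pass the parsed JSON instead.

```python
"""Sanity-check an OIDC discovery document from an Okta authorization server
before wiring a client to it. Added example for this thread, not Okta code.
The document below is constructed to look like the response of
/oauth2/:authorizationServerId/.well-known/openid-configuration."""
from urllib.parse import urlparse

REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
            "response_types_supported", "scopes_supported")


def check_discovery(config_url: str, doc: dict, wanted_scopes=("openid", "profile")) -> list:
    """Return a list of problems; an empty list means the server looks usable
    for an authorization code flow requesting `wanted_scopes`."""
    problems = [f"missing field {f}" for f in REQUIRED if f not in doc]
    if problems:
        return problems
    issuer = doc["issuer"].rstrip("/")
    # Per OIDC Discovery, the config URL is issuer + /.well-known/openid-configuration;
    # a mismatch means ID tokens will carry an 'iss' the client will reject.
    if config_url != issuer + "/.well-known/openid-configuration":
        problems.append(f"issuer {issuer!r} does not match the URL the document was fetched from")
    for field in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if urlparse(doc[field]).scheme != "https":
            problems.append(f"{field} is not https")
        elif not doc[field].startswith(issuer + "/"):
            problems.append(f"{field} is not under the issuer")
    if "code" not in doc["response_types_supported"]:
        problems.append("authorization code flow (response_type=code) not supported")
    for s in wanted_scopes:
        if s not in doc["scopes_supported"]:
            problems.append(f"scope {s!r} not offered; add it on the authorization server")
    return problems


# Constructed example: hypothetical org and authorization server id.
ISSUER = "https://example.okta.com/oauth2/ausexample123"
CONFIG_URL = ISSUER + "/.well-known/openid-configuration"
GOOD_DOC = {
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/v1/authorize",
    "token_endpoint": ISSUER + "/v1/token",
    "jwks_uri": ISSUER + "/v1/keys",
    "response_types_supported": ["code", "id_token", "token"],
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
}
# Same document but with the issuer pointing at the org root instead of the
# custom authorization server: a client configured from it would reject tokens.
BAD_DOC = dict(GOOD_DOC, issuer="https://example.okta.com")

if __name__ == "__main__":
    print(check_discovery(CONFIG_URL, GOOD_DOC))
    print(check_discovery(CONFIG_URL, BAD_DOC))
    print(check_discovery(CONFIG_URL, GOOD_DOC, wanted_scopes=("openid", "groups")))
```

If the document cannot be fetched at all while the org-level `/.well-known/openid-configuration` works, that is consistent with the answer's note that the custom authorization server feature is not enabled on the tenant.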

Magento 2 SOAP API WSDL anonymous access

I need to create a service reference to the Magento 2 SOAP API in my Visual Studio project. So I've created an Integration in the Magento backend, gave it All access and activated it.
But when I try to access the WSDL (i.e. for the customer API) at http://my.magento/soap/default?wsdl&services=customerCustomerRepositoryV1, I get the exception:
Consumer is not authorized to access %resources
Ok, I get it. I need my access token to access these specific 'admin' APIs, because public APIs like 'quoteGuestCartRepositoryV1' do work. When I get the full API list at http://my.magento/soap/default?wsdl_list=1 it also only lists public/guest APIs.
No problem so far, but when I try to add 'customerCustomerRepositoryV1' as a service reference in Visual Studio, of course the authorization exception is thrown. But I have no way of actually adding the access token to the header there.
Is there a way to get access to all WSDL's anonymously? Magento 1.x used to allow this.
Yes, it is a Magento error. The WSDL is not available anonymously anymore since a recent Magento release. I think it's a stupid decision by the devs.
https://github.com/magento/magento2/issues/5330#issuecomment-255222166
And for the 'solution': https://community.magento.com/t5/Programming-Questions/Magento-2-C-APIs-SOAP-problem/m-p/49677#M1206
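Since Visual Studio's service-reference dialog cannot send the header, the practical workaround is to fetch the WSDL once as the integration and point the dialog at the saved file. The script below is an added example for this thread, not Magento's or the linked community post's code: it builds the same `/soap/default?wsdl&services=...` URL from the question, sends the integration access token as a bearer token, and writes the WSDL to disk, refusing to save the "Consumer is not authorized" fault body. The base URL, service list and token are placeholders; the `opener` argument is only there so the download step can be exercised without a Magento instance.

```python
"""Fetch a Magento 2 SOAP WSDL with the integration's access token and save
it locally so Visual Studio's 'Add Service Reference' can read the file
instead of the protected URL. Added example for this thread, not Magento
code. Base URL, service name and token below are placeholders."""
import urllib.request

BASE_URL = "http://my.magento"          # from the question; use https in practice
SERVICES = ["customerCustomerRepositoryV1"]
ACCESS_TOKEN = "REPLACE_WITH_INTEGRATION_ACCESS_TOKEN"  # System > Integrations > Access Token


def wsdl_url(base_url: str, services, store_code: str = "default") -> str:
    """Magento's WSDL endpoint takes one or more service names joined by ','."""
    return f"{base_url.rstrip('/')}/soap/{store_code}?wsdl&services={','.join(services)}"


def build_wsdl_request(base_url: str, services, token: str) -> urllib.request.Request:
    """GET the WSDL as the integration, which is what the VS dialog cannot do."""
    return urllib.request.Request(
        wsdl_url(base_url, services),
        headers={"Authorization": f"Bearer {token}", "Accept": "text/xml"},
    )


def save_wsdl(req: urllib.request.Request, path: str, opener=urllib.request.urlopen) -> int:
    """Download and write the WSDL; returns bytes written. `opener` is
    injectable so the function can be exercised without a Magento instance."""
    with opener(req) as resp:
        body = resp.read()
    # The fault text from the question means the token lacks the resource grant
    # (or was not sent); do not save a fault document as if it were a WSDL.
    if b"Consumer is not authorized" in body:
        raise PermissionError("token rejected; check the integration's API resource grants")
    with open(path, "wb") as f:
        f.write(body)
    return len(body)


if __name__ == "__main__":
    req = build_wsdl_request(BASE_URL, SERVICES, ACCESS_TOKEN)
    n = save_wsdl(req, "customer.wsdl")
    print(f"wrote {n} bytes; point Visual Studio at customer.wsdl")
```

Several services can be combined in one WSDL by listing them in `SERVICES`; the generated client still needs the same bearer token on every call, which the linked community post covers.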

Choose best authentication and authorization option for Web API

We have our own existing web portal in ASP.NET MVC; now one of our customers does not want to use our portal as a separate tool, instead they want to consume our features via a Web API on their side.
Now I want to implement authentication and authorization in the Web API. I googled to find the answer to my question, but didn't get it.
I am confused on the points below.
Is it the best choice to use OWIN, the default implementation which Microsoft provides, or some custom implementation?
What are the advantages and disadvantages of using OWIN in terms of security?
When to use JWT (JSON Web Token) and when OWIN?
Or is there any other implementation which helps to create a more secure Web API?
Looking for all experts' valuable input to help me decide.
I implemented something similar. This is how we work: we have our application (MVC app) which permits us to log in. Logging in uses a separate MVC project (our STS) which handles all user authentication. When our login and password are posted correctly, we generate a JWT which is returned to the MVC app. Back on the application side, we decode our token and build up the claims in it into an ASP.NET application cookie.
We also have a separate project containing our Web API REST methods. Those can only be called by using the JWT generated by our STS. We elaborated this further with a custom attribute so we can set permissions on specific permission or role claims that are in the token.
For creating all of this, I was helped very much by this series of articles: http://bitoftech.net/2014/10/27/json-web-token-asp-net-web-api-2-jwt-owin-authorization-server/
In terms of architecture this is in my opinion 'how it should be', but I am not an expert in this.
So summary:
Web Application - application cookie to authenticate/authorize
Calling WebApi Rest methods - using the JWT to authenticate/authorize
Separate STS which takes in POSTS to authenticate and generate JWTs
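The STS-plus-resource-server split in that answer reduces to two functions: one that signs a token after the credentials check, and one the API runs on every request before a role-based attribute can look at the claims. The following is an added example (stdlib Python, not the C#/OWIN code from the linked series) showing both, with the checks that matter for security: the algorithm is pinned rather than read from the token header, the signature is compared in constant time, issuer, audience and expiry are validated, and only then is the role claim consulted. The shared secret, issuer and audience are hypothetical; in production the STS signs with a private key (RS256) and the API verifies with the public key, so the API never holds signing material.

```python
"""Minimal STS / resource-server pair with HS256 JWTs, stdlib only. Added
example for this thread, not code from the linked bitoftech series. The
secret, issuer and audience are placeholders; production would use RS256 so
the API only holds the public key."""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"replace-with-a-long-random-secret"   # hypothetical shared key
ISSUER = "https://sts.example.com"
AUDIENCE = "https://api.example.com"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(subject: str, roles, ttl: int = 3600, now=None) -> str:
    """STS side: a successful credential POST ends here."""
    now = int(now if now is not None else time.time())
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"iss": ISSUER, "aud": AUDIENCE, "sub": subject,
                               "roles": list(roles), "iat": now, "exp": now + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"


def verify_token(token: str, now=None) -> dict:
    """Resource-server side: reject before trusting any claim."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    # Pin the algorithm: never let the token header choose it ('alg: none' attack).
    if json.loads(_unb64(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(payload))
    now = int(now if now is not None else time.time())
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise ValueError("wrong issuer or audience")
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    return claims


def authorize(auth_header: str, required_role: str, now=None) -> int:
    """What the answer's custom attribute does: map the Authorization header
    to an HTTP status for a route that needs `required_role`."""
    if not auth_header.startswith("Bearer "):
        return 401
    try:
        claims = verify_token(auth_header[len("Bearer "):], now=now)
    except ValueError:
        return 401
    return 200 if required_role in claims.get("roles", []) else 403


if __name__ == "__main__":
    tok = issue_token("alice", ["reader"])
    print(authorize("Bearer " + tok, "reader"))   # 200
    print(authorize("Bearer " + tok, "admin"))    # 403
```

The MVC front end in the answer would call `verify_token` once at login and copy the claims into its own cookie; the Web API calls `authorize` on every request, which is why the token carries an audience and a short expiry.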
