Is there way to retrieve user token locally without password?
Related
I'm trying to make Authorization Server with Spring-Authorization-Server.
To generate Authorization Code, I need to authenticate the user.
But I don't know how to authenticate User(without FormLogin).
How can I send credentials to server?
my opinion
generate opaque / jwk token in login api
redirect to /oauth2/authorize endpoint with token
if valid token, generate authentication token
Is there any other good way?
Or how other services send credentials?
I have a Spring Boot Rest Api with JWT integration. Currently from Postman, I make a POST request to authenticate endpoint, including username and password, and obtain an access token.
But can Azure AD be used along with JWT, instead of hardcoded user details ?
When you obtain token with username and password, that bases on Resource Owner Password Credentials flow. This flow requires a very high degree of trust in the application, and carries risks which are not present in other flows.
I'm not sure what you mean about Azure AD with JWT.
If you would like to obtain access token with a signed-in user(not hardcoded user details), auth code flow is better for you. You could also request an access token in Postman.
POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
client_id=xxx
&scope=https://graph.microsoft.com/mail.read
&code=<authorization_code from "/authorize" endpoint>
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&grant_type=authorization_code
If you would like to obtain access token without users, you could use client credentials flow. In the client credentials flow, permissions are granted directly to the application itself by an administrator, so you must use application permissions.
POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
client_id=xxx
&scope=https://graph.microsoft.com/.default
&client_secret=xxxx
&grant_type=client_credentials
Hi I need to call an https endpoint with username and password specified.
I was trying the plugin inetc. For inetc::get there are options for passing username and password using /USERNAME and /PASSWORD
/USERNAME
Proxy username (http only).
/PASSWORD
Proxy password (http only). For server (http/ftp) authentication it is possible to use URL encoded name and password, for example http://username:password#nsis.sourceforge.net.
As per the documentation, this works only for HTTP calls. Is there any other ways in NSIS for passing username and password
I am learning Oauth grant types.I have observed that refresh token is applicable only for
authorization Code and Resource Owner Password Credential Grant .
My question is why it is applicable only for authorization Code and Resource Owner Password Credential Grant and not for Implicit and client credentials Grant?
Refresh tokens should only be issued to clients that can authenticate themselves when using it.
The authorization code grant is intended to be used by confidential clients (client that can keep a secret). And the use of the refresh token should be authenticated using client credentials.
The resource owner password credentials flow issues a refresh token, so that the client does not have to keep the user's username and password around. It can use the refresh token to get a new access token.
The implicit grant was intended to be used by public clients (who cannot keep a secret). Since they cannot keep a secret, there's no way for these clients to have client credentials used with the refresh grant.
And finally, the client credential flow does not need a refresh token, as it can just use the client credentials to get a new access token when the old one expired.
if you are using v5 you can use https://docs.spring.io/spring/docs/5.0.0.M5_to_5.0.0.RC1/Spring%20Framework%205.0.0.RC1/org/springframework/web/cors/CorsConfiguration.html
CorsConfiguration#applyPermitDefaultValues
or you can use
#RestController
#CrossOrigin(origins = "*", methods= {RequestMethod.GET,RequestMethod.POST})
public class HelloRESTController {
Actually i am using basic authentication in postman and provide client id and secret to get basic authentication key.Then i have provided username,password and grant type to get access token.since my password is encrypted and stored in my DB.I have to pass encrypted password to get access token.Is there any way to encrypt my passed password to compare for authorization and get access token.