I am trying to fetch tokens after completing an authentication flow (username and password based) using OpenAM central login. In my callback url, I receive the auth code and state, which in turn I should call the getTokens function available in the ForgeRock javascript sdk.
I am referring the code given here, the expected response is a JWT, but the resulting response is Error: invalid_client: Client authentication failed.
In my ForgeRock config options, I can see that I can enter my OAuth2 Client ID, but can't see any field which accepts client secret, due to which authentication is failing.
Is there a way to setup client secret? Or another workaround which doesn't require client secret and just the auth code and state would suffice to fetch JWT?
The given error Error: invalid_client: Client authentication failed also comes when the auth code issued by the provider (OpenAM in this case) has expired.
By default, the expiration of the code is Zero, I had to manually increase the timeout and it worked.
Related
I am creating a Node js / Express js based, login registration system using JWT (i am using JSONWEBTOKEN npm library).
Whenever a user login, that user gets a pair of access and refresh token. Now for accessing resources user need to send access token to backend.
Now when i verify the access token send by user to backend and if it will not get verified then it produces three types of error (as mentioned is JSONWEBTOKEN library in npm):
Token Expired Error: If i get this error, then in that case i will send response to frontend to send the request to refresh token route to get a new pair of access and refresh token.
JsonWebTokenError: If i get this error then it means that access token is malformed. Then in this case what should i do? Should i logout a user or should i will send a response to frontend to send request to refresh token route to get a new pair of access and refresh token. <-- This is the main question should i logout a user?
NotBeforeError: Since i am not using nbf claim and then in that case i dont need to worry about it.
Please provide your useful suggestion. while building backend security plays an important role.
This is useful to read: JWT refresh token flow.
Talking short, you should logout user if refresh token malformed or expired.
According to JWT idea, access token is short-life token. When it doesn't pass validation due to malformed or expired you have to send refresh token to server to get new pair. User continues to work using new access token without interruption.
If JWT is malformed then just block that call by responding with 403. that's fine. The application then takes the decision on it to refresh the token or not.
When a user logs out please revoke the issued token even if it is a JWT.
JWT also needs to be revoked as best practice. Yes, JWTs are self tokens and expirations already part of themselves. But if user logs out and still their JWTs are not expired means someone can use that token to call different APIs. So it is a security breach.
To avoid such things we should maintain JTI claim of that JWT in our backend with the same TTL with the value of JWT "exp". When the user logs out we have to clear those JTIs and notifcy the API callers about this just putting into some event service from their API Gateways should get to be notified and clear their side cached tokens if anything and cross check with identity system (Introspection).
This is we have to design the system to avoid further security related issues.
First thing is that user will be logged out from front end side.
front end will send request to your node server and token will be verified. Server will only send the response that token is expired or malformed and based on that front end will perform the action.
If token is expired then request for new token.
Is token is malformed then based on your requirements you can show results to your end user. You can either logout user or you can show unauthorized page too.
Suppose, you have role based website and some unauthorized user is trying to access root level routes then you can show unauthorized page.
I wrote Local Authentication Logic in Node, Generated a JWT and will send it to Angular App on Login.
In Angular, As soon as user Logs in with Correct Credentials, I then set the JWT in Local Storage!
In Angular I just check whether there is token in localStorage upon different route navigations. But how do I validate the token ??
If Iam changing the token from 'xxxxxxxxxxxx' to 'yyyyy' even then it's working since I am just checking whether there is token available in Local Storage.
How do I overcome this issue. ?
I knew about Headers. But those work only for API Calls, I simply want to restrict the user entering into protected Frontend Pages with invalid token.
I'm creating a game in which I would like to use firebase authentication using cloud functions for logging in and registering users. Since my dev platform (GameMaker Studio 2) doesn't have the firebase sdk, I've resulted in attempting to use the firebase auth restAPI. To authenticate a user, I have to at one point create a custom token using the users uID and then use that to login. The problem with this is that I can't really understand the flow of the authentication. How could the client have knowledge beforehand on it's userID from parameters such as email and password?
Any help in understanding the flow I need to authenticate a user will be greatly appreciated.
If you're developing on node.JS, you should be able to use npm to install the firebase package -- that would simplify things greatly.
Otherwise, the overall flow of authentication should look as follows.
Client gives email and password
Pass email & password to Firebase Authentication using your HTTP request. You should receive an auth token, and a uID if authentication was successful. (see here)
Now you have an id token that you can set as a cookie in your client's browser. You can verify this cookie by storing it in your backend for each subsequent GET request to your Node server.
I started working with instagram APIs using node.js and walked through the official instagram API docs here but it does not explain clearly.
Here I have 2 questions:
what is the difference between Client ID and Client Secret?
what is access_token ? and what is it used for ? and
when we should request for it ?
The client ID is is basically a unique id assigned to your application by an Oauth provider. It considered public information, and is used to build login URLs, or included in Javascript source code on a page.
An app requesting an access token has to know the client secret in order to gain the token. This prevents malicious apps from ever obtaining a valid access token. The client secret id doesn't state anything about authenticating a user, but it's instead for authorising an app to request access tokens.
The client secret must be kept confidential. If a deployed app cannot keep the secret confidential, such as single-page Javascript apps or native apps, then the secret is not used.
When you login with an Oauth provider, the server responds with an access token and expiration time in ms if the login is successful.
{
"access_token":"RsT5OjbzRn430zqMLgV3Ia",
"expires_in":3600
}
Every time client requests a resource from the server, the server validates the access code. The access-token is used to verify every request from the client. You will request for an access_token whenever you login through an Oauth provider.
You can refer this and this for more information.
I would like to give the users a possibility to login with some external oauth2 provider (facebook) in my app. The client's part is running on mobile device in a native app.
I am not sure which of the approaches below should I prefer ?
Should the client send the user's access token by facebook with each request ? At each request backend asks facebook to validate the access token. Based on the validation's result, backend performs authorization and return corresponding result to the client.
Should the backend ask facebook to validate the access token only at user logon, then issue its own access token, return the access token back to the client and client will use this access token at making requests to the server to avoid contacting facebook at each request ?
I have read some questions about how to implement the auth with facebook and most of the devs are using B, but I haven't seen any explanation why is it good/bad to use A ?
What I see as benefits of the solutions:
backend doesn't need to care about issuing, refreshing, validating access tokens since this is done only by facebook's authorization servers.
this solution seems to be more effective, since it does not require to connect to facebook at each request.
Security tokens issued by Facebook are signed with a digital signature. The API server only needs access to the public key to validate the signature. There's no need at all to contact Facebook after the user authenticates.
A reason to issue your own tokens after the user signed in with Facebook could be to add claims to the token. But obviously having your own authorization server comes at a cost. It's up to you to weigh the pros and cons.
If you do decide to have your own authorization server, make sure not to write your own! There are open source options like Thinktecture IdentityServer.
I will vote for option B and here is my explanation,
Your API must authorise the request every time with some auth token , which cannot be external provider token, in such case anyone with an access token (eg: other developers) of other provider can access your api, basically there is no auth here.
When your sever issue access token, it's easy to validate and when needed could be revoked easily (eg: on password reset)
While authenticating , your server has fully control over issuing access token , so the validation is made only once and doesn't have to do every time while calling the API.