How to get Apple JWT token expiration date from Graph API? - azure-ad-b2c

We are using Sign In with Apple. The automated token renewal has failed in the past. I want to query the Graph API for the token expiration date so it can be tracked in our monitoring system.
EDIT: After contacting Azure support, the root cause for the token failing to auto renew is that we are using a custom user flow (IEF) policy

While generating the access token, you can see an attribute called expires_in along with the access token.
You can make use of the below curl script to get the Apple JWT token:
curl -v -X POST "https://appleid.apple.com/auth/token" \
  -H 'content-type: application/x-www-form-urlencoded' \
  -d 'client_id=CLIENT_ID' \
  -d 'client_secret=CLIENT_SECRET' \
  -d 'code=CODE' \
  -d 'grant_type=authorization_code' \
  -d 'redirect_uri=REDIRECT_URI'
You will get a response like below:
{
  "access_token": "adg61...67Or9",
  "token_type": "Bearer",
  "expires_in": 3600,
  "refresh_token": "rca7...lABoQ",
  "id_token": "eyJra...96sZg"
}
In the above response you can find the expiration time in the expires_in attribute.
Otherwise, you can decode the token by using the JSON Web Tokens - jwt.io site like below:
Copy the access token and paste it in the encoded field.
Under the payload section, you can find the expiration date in the exp attribute.
For more information, please refer to the below link:
Generate and Validate Tokens | Apple Developer Documentation
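An added example (not part of the answer above, and not Apple's or Microsoft's code) of turning the two values the answer points at into something a monitoring system can track: the relative expires_in becomes an absolute timestamp anchored to the moment the token endpoint was called, and the exp claim is read out of a compact JWT without verifying its signature. The sample token response and the unsigned demo JWT are constructed here; if a token is opaque rather than three dot-separated base64url segments, the decoder raises and expires_in is the only source you have.

```python
import base64
import json
import time
from typing import Optional

# Constructed sample (not from the original post): the shape of a token-endpoint response.
SAMPLE_TOKEN_RESPONSE = {
    "access_token": "adg61...67Or9",
    "token_type": "Bearer",
    "expires_in": 3600,
    "refresh_token": "rca7...lABoQ",
}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims_unverified(token: str) -> dict:
    """Return the payload of a compact JWT WITHOUT checking its signature.

    Good enough to schedule a renewal; never use unverified claims to authorize anything.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def expiry_from_response(token_response: dict, received_at: float) -> float:
    """Turn the relative expires_in into an absolute Unix timestamp.

    expires_in counts from when the response was issued, so capture received_at
    when you call the token endpoint, not when you get around to parsing it.
    """
    return received_at + int(token_response["expires_in"])


def expiry_from_jwt(token: str) -> float:
    """Read the absolute exp claim (seconds since the epoch) from a JWT payload."""
    claims = jwt_claims_unverified(token)
    if "exp" not in claims:
        raise ValueError("token carries no exp claim")
    return float(claims["exp"])


def seconds_remaining(expires_at: float, now: Optional[float] = None, leeway: int = 60) -> int:
    """Seconds until the token should be treated as expired; negative once it is.

    leeway subtracts a safety margin so renewal fires before the hard deadline.
    """
    now = time.time() if now is None else now
    return int(expires_at - leeway - now)


def make_demo_jwt(claims: dict) -> str:
    """Build an unsigned (alg=none) JWT purely as constructed test input."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    issued = 1_700_000_000  # pretend this is when the token endpoint answered
    print(expiry_from_response(SAMPLE_TOKEN_RESPONSE, issued))
    demo = make_demo_jwt({"iss": "https://appleid.apple.com", "exp": issued + 3600})
    print(seconds_remaining(expiry_from_jwt(demo), now=issued))
```

Feed expires_at (or seconds_remaining) to the monitor as a gauge and alert when it goes negative; that catches a silent renewal failure like the one described in the question without waiting for a user-facing 401.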

Related

Azure IAM: Trigger external security challenge in OAuth2 with curl

I'm trying to obtain the access_token for my user in Azure IAM via OAuth2. I've built a curl command this way:
curl \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "scope=openid" \
  -d "response_type=id_token+access_token" \
  -d "grant_type=password" \
  -d "client_id=${MY_APP_ID}" \
  -d "username=${MY_USER}" \
  -d "password=${MY_PASS}" \
  "https://login.microsoftonline.com/${MY_TENANT_ID}/oauth2/v2.0/token"
However I'm getting:
{"error":"invalid_grant","error_description":"AADSTS50158: External security challenge not satisfied. User will be redirected to another page or authentication provider to satisfy additional authentication challenges...
We use MFA; however, the curl call is not triggering it. What's the proper way to get the access_token in the MFA-backed OAuth2 flow?
I tried to reproduce the same in my environment and got the results like below:
I created a user and enabled MFA:
I tried to generate the tokens in Postman using the ROPC flow and got a similar error like below:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
client_id:clientID
scope:openid
grant_type:password
username:username
password:password
Note that the ROPC grant type doesn't support MFA-enabled users and will be blocked instead. Refer to this MsDoc.
To get the access_token in the MFA-backed OAuth2 flow, you can make use of the Authorization Code Flow like below:
Make use of the below endpoint to generate an auth code:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/authorize?
client_id=ClientID
&response_type=code
&redirect_uri=RedirectURI
&response_mode=query
&scope=openid
&state=12345
I signed in with the MFA-enabled user to generate the code like below:
I generated the tokens by making use of the below parameters:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
client_id:ClientID
client_secret:ClientSecret
scope:openid
grant_type:authorization_code
redirect_uri:RedirectURI
code:code
You can also make use of the Implicit grant flow for MFA-enabled users. Refer to this MsDoc.
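The three steps of the flow in the answer above, as an added example that is neither the answer's own code nor Microsoft's libraries. TENANT_ID, CLIENT_ID and REDIRECT_URI are placeholders and the redirect URL used in the test is constructed. It makes explicit two things the raw URLs leave implicit: the state value is random and must match before the returned code is accepted (otherwise an attacker can inject their own code into your session), and the client_secret only ever travels in the server-to-server POST, never through the browser, which is also why a ROPC-style password POST is not the answer for MFA users.

```python
import secrets
from typing import Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed placeholder values (not from the original post).
TENANT_ID = "TenantID"
CLIENT_ID = "ClientID"
REDIRECT_URI = "https://localhost/callback"
AUTHORITY = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0"


def new_state() -> str:
    """Unguessable per-request state; the client keeps it (e.g. in the user's session)."""
    return secrets.token_urlsafe(32)


def build_authorize_url(state: str, scope: str = "openid") -> str:
    """Step 1: the URL the user's browser is sent to. MFA is satisfied here, interactively."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "response_mode": "query",
        "scope": scope,
        "state": state,
    }
    return f"{AUTHORITY}/authorize?{urlencode(params)}"


def parse_redirect(redirect_url: str, expected_state: str) -> str:
    """Step 2: pull the one-time code out of the redirect back to REDIRECT_URI.

    Surfaces an error response instead of treating it as success, and refuses the
    code unless state matches what we issued (CSRF / authorization-code injection).
    """
    query = parse_qs(urlparse(redirect_url).query)
    if "error" in query:
        desc = query.get("error_description", [""])[0]
        raise RuntimeError(f"{query['error'][0]}: {desc}")
    state = query.get("state", [None])[0]
    if state is None or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: discard this redirect")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("no code in redirect")
    return code


def token_request(code: str, client_secret: str, scope: str = "openid") -> Tuple[str, dict]:
    """Step 3: endpoint and form body for the back-channel POST that redeems the code.

    This is the only place the client_secret appears; it never reaches the browser.
    """
    body = {
        "client_id": CLIENT_ID,
        "client_secret": client_secret,
        "scope": scope,
        "grant_type": "authorization_code",
        "redirect_uri": REDIRECT_URI,
        "code": code,
    }
    return f"{AUTHORITY}/token", body


if __name__ == "__main__":
    state = new_state()
    print(build_authorize_url(state))
    # After the user signs in (and completes MFA), the browser lands on something like:
    redirect = f"{REDIRECT_URI}?code=0.AXEA...constructed...&state={state}"
    print(token_request(parse_redirect(redirect, state), "client-secret-from-vault"))
```

The body returned by token_request is what goes into the form-encoded POST shown in the answer; the code is single-use and short-lived, so redeem it immediately and keep the resulting refresh token server-side.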

Access token invalid after configuring Microsoft Azure Active Directory for Snowflake External OAuth

I was trying to configure Microsoft Azure AD for External OAuth as per the Snowflake tutorial: https://docs.snowflake.com/en/user-guide/oauth-azure.html
The configuration steps went ahead without a hitch and I was able to use the final step, https://docs.snowflake.com/en/user-guide/oauth-azure.html#testing-procedure, to obtain the access token from AAD.
However, when I tried to use the access token with Snowflake using a JDBC driver, I obtained the error: "net.snowflake.client.jdbc.SnowflakeSQLException: Invalid OAuth access token."
The Snowflake integration created is of the form:
create security integration ext_oauth_azure_ad
type = external_oauth
enabled = true
external_oauth_type = azure
external_oauth_issuer = '<issuer-url>'
external_oauth_jws_keys_url = '<keys-url>/discovery/v2.0/keys'
external_oauth_audience_list = ('https://<app-id-uri>')
external_oauth_token_user_mapping_claim = 'upn'
external_oauth_snowflake_user_mapping_attribute = 'login_name'
external_oauth_any_role_mode = 'ENABLE';
I tried playing around with this config by changing the external_oauth_token_user_mapping_claim to email, since that was the attribute in the decoded JWT access token that matched the login_name, but to no avail.
The scope provided in AD is session:role-any, which should be valid for any scope.
Not sure how to proceed post this.
Edit:
The command used to obtain access token is:
curl -X POST \
  -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" \
  --data-urlencode "client_id=<ad-client-id>" \
  --data-urlencode "client_secret=<ad-client-secret>" \
  --data-urlencode "username=<ad-user-email>" \
  --data-urlencode "password=<my-password>" \
  --data-urlencode "grant_type=password" \
  --data-urlencode "scope=<scope-as-in-ad>" \
  'https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token'
Update:
Tried using the command:
select system$verify_external_oauth_token('<access_token>');
to validate if the token was valid in Snowflake and obtained the result:
Token Validation finished.{"Validation Result":"Failed","Failure Reason":"EXTERNAL_OAUTH_INVALID_SIGNATURE"}
This is strange because I have added the correct issuer based on the configuration step (entityId from the Federation metadata document).
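An added pre-flight check for the failure described above; it is not Snowflake's or Microsoft's code. Before asking system$verify_external_oauth_token again, it decodes the token header and claims (without verifying the signature) and compares them with the integration's settings: the kid must appear in the JWKS served at external_oauth_jws_keys_url, iss must equal external_oauth_issuer byte for byte, at least one aud must be in external_oauth_audience_list, and the mapping claim must be present. INTEGRATION, JWKS and the tokens built with make_unsigned_jwt are constructed stand-ins that mirror the question's placeholders.

```python
import base64
import json
from typing import List

# Constructed stand-in for the security integration in the question.
INTEGRATION = {
    "external_oauth_issuer": "<issuer-url>",
    "external_oauth_audience_list": ["https://<app-id-uri>"],
    "external_oauth_token_user_mapping_claim": "upn",
}
# Constructed stand-in for the document at external_oauth_jws_keys_url; only kid matters here.
JWKS = {"keys": [{"kid": "key-1", "kty": "RSA", "use": "sig"}]}


def _segment(token: str, index: int) -> dict:
    """Decode one base64url JSON segment of a compact JWT (no signature check)."""
    seg = token.split(".")[index]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))


def preflight(token: str, integration: dict, jwks: dict) -> List[str]:
    """List every mismatch between the token and the integration settings.

    Each item is a reason Snowflake could reject the token before or during
    signature verification; an empty list means only the key material is left to check.
    """
    problems: List[str] = []
    header, claims = _segment(token, 0), _segment(token, 1)

    known_kids = {k.get("kid") for k in jwks.get("keys", [])}
    if header.get("kid") not in known_kids:
        problems.append(f"kid {header.get('kid')!r} is not published at external_oauth_jws_keys_url")
    if header.get("alg") != "RS256":
        problems.append(f"unexpected alg {header.get('alg')!r}")

    if claims.get("iss") != integration["external_oauth_issuer"]:
        problems.append(f"iss {claims.get('iss')!r} != external_oauth_issuer")

    aud = claims.get("aud")
    auds = [aud] if isinstance(aud, str) else (aud or [])
    if not set(auds) & set(integration["external_oauth_audience_list"]):
        problems.append(f"aud {auds!r} not in external_oauth_audience_list")

    mapping = integration["external_oauth_token_user_mapping_claim"]
    if mapping not in claims:
        problems.append(f"mapping claim {mapping!r} absent; claims present: {sorted(claims)}")
    return problems


def make_unsigned_jwt(header: dict, claims: dict) -> str:
    """Constructed test input only: an unsigned token shaped like an AAD access token."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(claims)}."


if __name__ == "__main__":
    sample = make_unsigned_jwt(
        {"alg": "RS256", "kid": "key-9"},
        {"iss": "https://sts.windows.net/<tenant-id>/", "aud": "api://other", "email": "u@example.com"},
    )
    for line in preflight(sample, INTEGRATION, JWKS):
        print("-", line)
```

A kid that the configured JWKS does not publish, or an iss that differs from the configured issuer, rules out a successful signature check regardless of the key material; Azure AD issues different iss values and serves keys at different URLs for v1 and v2 tokens, so compare the literal strings rather than assuming they agree. Passing this check does not prove the signature is valid; it only narrows where the mismatch is before you go back to system$verify_external_oauth_token.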

Instagram Basic API access token invalid

I'm trying to integrate with the new Instagram API as my feed is no longer working. I have set up my app and given it the necessary things. When I make the request, so in my case
https://api.instagram.com/oauth/authorize?client_id={instagram app id}&redirect_uri={redirect_uri}&scope=user_profile,user_media&response_type=code
it takes me to Instagram, asks me to sign in with the Instagram account, and I am then redirected back to the redirect URI. In the URL it has the following, ?code=XXXXX, and then a big long string of what I assume is the access token, but when I try using it it doesn't work. I tried pasting it in the Facebook access token debugger and it says "Invalid OAuth access token."
This is how I am trying to use it: https://graph.instagram.com?fields=media_url&access_token=XXXXX
No, that "code" part is not the access token, but you need it to get the access token. When you have "code=XXXXX#_", take the "XXXXX" part. Notice that you need to remove the "#_" at the end.
Then you have to make a POST request as they say in the docs. Depending on what tech you use, you can make it with built-in functions, e.g. in Rails you can use Curl::Easy.http_post().
They use this bash line:
curl -X POST \
  https://api.instagram.com/oauth/access_token \
  -F client_id={app-id} \
  -F client_secret={app-secret} \
  -F grant_type=authorization_code \
  -F redirect_uri={redirect-uri} \
  -F code={code}
client_id = your Instagram client id
client_secret = your secret
(you can find both in the Facebook developer page under your Instagram Basic Display tab.)
grant_type=authorization_code (leave it as it is here)
redirect_uri = this is the page where you will be navigated after you get the token
code = the "XXXXX" part from "code=XXXXX"
In the server response you will receive an object with user_id and access_token fields. Notice that this token expires in 1 hour, but you can exchange it for a 60-day long-term token.
Use this pattern to get it:
https://graph.instagram.com/access_token?grant_type=ig_exchange_token&client_secret=#{YOUR_CLIENT_SECRET}&access_token=#{SHORT_TERM_TOKEN_YOU_JUST_RECEIVED}
It should return an object with 2 fields: the long-lived token itself and the number of seconds until expiry.
Hope it helps.

generate token JWT

I have a problem generating the token; I used the command you passed in the tutorial:
curl -X POST -H "Content-Type: application/json" \
  -H "Authorization: Bearer access-token" \
  -d '{"foo": "bar"}' \
  "https://.cloudfunctions.net/get"
When I enter my link /get it returns "No authorization token found." Is it necessary that I provide a token?
https://github.com/tnguyen14/functions-datastore/
Is your access token literally access-token?
A proper JWT looks something like this:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.XbPfbIHMI6arZ3Y922BhjWgQzWXcXNrz0ogtVhfEd2o
Your HTTP request using curl looks OK, but I doubt that access-token is a valid token. Normally there's some form of /login route you need to obtain the token from, which later on should be provided using the Authorization: Bearer $TOKEN header.
You can get help from https://jwt.io/, where you can specify your payload and pass the secret under VERIFY SIGNATURE to get a valid JWT. Then you can use this in your curl requests.
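An added example of what the answer above describes, not the linked project's code: minting an HS256 JWT with nothing but the standard library (the same thing the jwt.io debugger does with a payload and a secret), then verifying it the way the function on the other side should, with the alg pinned before the signature is checked, a constant-time comparison of the HMAC, and an exp check so a leaked token does not work forever. SECRET and the claims are demo values; the sample token the answer pastes happens to be the jwt.io default, and the payload used here matches it.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumed demo secret (not from the original post); in practice load it from the
# environment or a secret store and never commit it next to the function.
SECRET = b"change-me-demo-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: dict, secret: bytes, ttl_seconds: int = 3600,
             now: Optional[int] = None) -> str:
    """Produce an HS256 token with iat/exp added, so it is time-bounded."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {**claims, "iat": now, "exp": now + ttl_seconds}
    signing_input = ".".join([
        _b64url(json.dumps(header, separators=(",", ":")).encode()),
        _b64url(json.dumps(payload, separators=(",", ":")).encode()),
    ])
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_jwt(token: str, secret: bytes, now: Optional[int] = None) -> dict:
    """Return the claims only if the token is well-formed, signed with secret, and unexpired.

    The alg is pinned to HS256 before anything else, so a token claiming alg=none
    (or swapping in a different algorithm) is rejected without consulting the signature.
    """
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    header = json.loads(_unb64url(h))
    if header.get("alg") != "HS256":
        raise ValueError(f"unsupported alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(s)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(p))
    now = int(time.time()) if now is None else now
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    return claims


def bearer_header(token: str) -> dict:
    """The header the curl command in the question sends: Authorization: Bearer <token>."""
    return {"Authorization": f"Bearer {token}"}


if __name__ == "__main__":
    tok = mint_jwt({"sub": "1234567890", "name": "John Doe"}, SECRET)
    print(bearer_header(tok))
    print(verify_jwt(tok, SECRET))
```

Use the minted token in place of the literal access-token in the curl command; the receiving function must do the equivalent of verify_jwt with the same secret, which is where the "No authorization token found." check lives.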

How can I test Azure AD access token expiration

I'm working on creating an Outlook Add-in using this architecture.
I'm trying to handle the scenario where the Azure Active Directory access token expires. According to the official documentation, the token's lifetime is 1 hour.
So I was thinking about changing the token's lifetime as described in this question. But I cannot do so, as I don't have the rights to edit Azure policies. Also, I believe there is a cleaner way to test this scenario.
How can I test/debug this scenario?
Whenever your access token expires, you can use your refresh token to exchange it for a new access/refresh token pair. The refresh token has a maximum inactivity time of 90 days.
You can get a refresh token in your result while requesting an access token by specifying offline_access in the scope parameter when making the request.
curl --location --request POST 'https://login.microsoftonline.com/common/oauth2/v2.0/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id={clientid}' \
--data-urlencode 'refresh_token={refreshtoken}' \
--data-urlencode 'redirect_uri={redirect_uri}' \
--data-urlencode 'grant_type=refresh_token' \
--data-urlencode 'client_secret={client_secret}'
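An added example, not the add-in's or Microsoft's code, of exercising the expiry path without touching the tenant's token-lifetime policy: the cache decides when to refresh from a clock and the expires_in it stored, and both the clock and the refresh call (whatever performs the grant_type=refresh_token POST shown above) are injected, so a test advances a fake clock instead of waiting an hour or asking an admin to shorten the lifetime. INITIAL and fake_refresh are constructed stand-ins for real token-endpoint responses.

```python
import time
from typing import Callable

# Constructed stand-in for a token-endpoint response (not real tokens).
INITIAL = {"access_token": "at-1", "refresh_token": "rt-1", "expires_in": 3600}


class TokenCache:
    """Hands out a usable access token, refreshing shortly before exp rather than after a 401.

    refresh(refresh_token) performs the refresh_token grant; clock() returns Unix time.
    Both are injected so the expiry branch can be driven deterministically in tests.
    """

    def __init__(self, token_response: dict, refresh: Callable[[str], dict],
                 clock: Callable[[], float] = time.time, skew: int = 300):
        self._refresh = refresh
        self._clock = clock
        self._skew = skew          # refresh this many seconds before the hard expiry
        self.refresh_count = 0
        self.refresh_token = None
        self._absorb(token_response)

    def _absorb(self, resp: dict) -> None:
        self.access_token = resp["access_token"]
        # The endpoint may rotate the refresh token; keep the old one only if none came back.
        self.refresh_token = resp.get("refresh_token", self.refresh_token)
        self.expires_at = self._clock() + int(resp["expires_in"])

    def expiring(self) -> bool:
        return self._clock() >= self.expires_at - self._skew

    def get(self) -> str:
        if self.expiring():
            self._absorb(self._refresh(self.refresh_token))
            self.refresh_count += 1
        return self.access_token


class FakeClock:
    """Settable clock for tests: the cheap way to 'make' a token expire."""

    def __init__(self, t: float):
        self.t = t

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def fake_refresh(refresh_token: str) -> dict:
    """Stand-in for the /token POST; returns a rotated pair the way AAD does."""
    n = int(refresh_token.split("-")[1]) + 1
    return {"access_token": f"at-{n}", "refresh_token": f"rt-{n}", "expires_in": 3600}


if __name__ == "__main__":
    clock = FakeClock(1_700_000_000)
    cache = TokenCache(INITIAL, fake_refresh, clock=clock)
    print(cache.get())          # still the original token
    clock.advance(3600)         # "an hour later" in one line
    print(cache.get())          # refreshed, no policy change needed
```

In the add-in, replace fake_refresh with the real POST and leave clock as time.time; the same test doubles then also cover the case where the refresh itself fails (have the fake raise) so the add-in falls back to an interactive sign-in instead of retrying forever.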
