Can OAuth be used for authentication (grand type - password flow) ??
I'm currently building a web application (microservices-based), and I want to implement OAuth for the authentication end-user, I choose to implement OAuth password flow, store the access token (JWT) in cookies, and validate that JWT token in the middleware.
After I do some research I found that OAuth is just for authorization, not authentication, is it correct? and how do I apply authentication with OAuth?
is the implementation of the OAuth password flow is not correct for my case?
You first authenticate (with user-password input or with 3rd party apps like Google Login). Then, later on you can use OAuth wherever needed.
Related
Can we use SOBO feature with OAuth 2.0 Authentication Code Grant using REST API?
We cant use JWT authentication due to system limitation, so need to explore if we can use SOBO without using legacy and JWT authentication..
Please advise the flow using REST API!!
Regards,
VG
SOBO (Send on Behalf Of) is a legacy feature that cannot be used with OAuth 2.0.
JWT (JSON Web Tokens) grant gives you the ability to impersonate, which is essentially the same thing.
IF you cannot use JWT and must use OAuth 2.0 (as DocuSign requires) then you cannot impersonate other users.
May be good to understand your requirements and limitations in more details to try to offer alternative solutions.
If you can't use jwt (why not?) Then you could have the person you want your app to act on behalf of authenticate with DocuSign via your app using the oauth authorization code grant flow. Include the extended scope to enable ongoing refresh token requests.
This will enable your app to act on behalf of the person, ongoing. (As long as you make an API refresh request once a month or more often.)
I have an iOS application that allows users to login with Facebook (via the Facebook Swift SDK). This returns the an access token for the user, which is specific to that app.
The user's facebook access token is passed to my NodeJS API where its authenticity needs to be checked. How can I do this? Basically, I need to check that Facebook has given the user this access token specifically for use with my app.
Once this is done, I will just use my API's standard JWT access and refresh tokens to authenticate future requests.
You can use the Debug Token endpoint within the facebook api, which provides if the token is still valid and which application the token is valid for.
I read articles on choosing the right authentication mechanism and I understand that JWT just defines a token while OAuth is a full framework that can use JWT. There are also other frameworks (Firebase?) and token-standards.
Now for my specific use-case I have a single-page-, microservice app with Angular2 that will run the whole day in the browser without any refreshing, in a rather old B2B environment (2GB ram, IE11). So social logins are not needed and a lightweight solution is preferable. Can you suggest anything?
This questionary could help
Are you using a forms based web or a SPA?
Forms: Use server sessions
SPA: Use authentication tokens (JWT or opaque)
Using authentication tokens, do you want to avoid storing session data at server side?
Yes: Use JWT
It does not matter: Use opaque tokens
The client needs to verify token or extract token claims?
Yes: Use JWT signed with RSA
No: Use JWT with HMAC or opaque tokens
Do you have an API for third party?
Yes: Use OAuth2 or OpenIDConnect issuing authentication tokens after succesful user login
No: Nothing extra
Do you want to manage user passwords?
Yes: Make your own registration and login forms
No: Integrate social logins (they use oauth/OIDC)
I would like to give the users a possibility to login with some external oauth2 provider (facebook) in my app. The client's part is running on mobile device in a native app.
I am not sure which of the approaches below should I prefer ?
Should the client send the user's access token by facebook with each request ? At each request backend asks facebook to validate the access token. Based on the validation's result, backend performs authorization and return corresponding result to the client.
Should the backend ask facebook to validate the access token only at user logon, then issue its own access token, return the access token back to the client and client will use this access token at making requests to the server to avoid contacting facebook at each request ?
I have read some questions about how to implement the auth with facebook and most of the devs are using B, but I haven't seen any explanation why is it good/bad to use A ?
What I see as benefits of the solutions:
backend doesn't need to care about issuing, refreshing, validating access tokens since this is done only by facebook's authorization servers.
this solution seems to be more effective, since it does not require to connect to facebook at each request.
Security tokens issued by Facebook are signed with a digital signature. The API server only needs access to the public key to validate the signature. There's no need at all to contact Facebook after the user authenticates.
A reason to issue your own tokens after the user signed in with Facebook could be to add claims to the token. But obviously having your own authorization server comes at a cost. It's up to you to weigh the pros and cons.
If you do decide to have your own authorization server, make sure not to write your own! There are open source options like Thinktecture IdentityServer.
I will vote for option B and here is my explanation,
Your API must authorise the request every time with some auth token , which cannot be external provider token, in such case anyone with an access token (eg: other developers) of other provider can access your api, basically there is no auth here.
When your sever issue access token, it's easy to validate and when needed could be revoked easily (eg: on password reset)
While authenticating , your server has fully control over issuing access token , so the validation is made only once and doesn't have to do every time while calling the API.
In my web application, which happens to be a SPA (Single Page Application), I have OpenID and OAuth2.0 clients for user authentication using third party service. Namely, Google (OpenID), Yahoo (OpenID), Windows Live (OAuth2) and Facebook (OAuth2).
Now, I have setup a token endpoint which exchange user credentials for a bearer token. The goal here is to replace Cookies by an Authorization header set in all requests of the SPA.
For this, I'm using the OAuth2.0 client password authentication strategy with a 'password' grant_type to authenticate the user based on its credentials (oauth2orize + passport-oauth2-client-password).
I am wondering :
How can I keep using the token bearer authentication method for users authentified using a 3rd party service ?
Is there anything in the OAuth2.0 spec which handles this case ?
What is the common practice for this kind of implementation ?