Token revoke endpoint not working
Request:
[Authorization] Bearer {token}
[POST] https://demo.docusign.net/restapi/v2.1/oauth2/revoke
Response:
[Bad Request: 400]
{"error":"invalid_token","error_description":"The presented token is invalid."}
How can I manually revoke the access token using the DocuSign API?
Not sure where you found this endpoint, but you're mixing different things.
While the endpoint does have /oauth2/ in the URL, this is not OAuth 2.0.
Very sorry about the confusion; this endpoint is for the old authentication prior to OAuth 2.0, where tokens never expired, and so you can revoke them using this endpoint.
Tokens for OAuth 2.0 expire after 8 hours, so there's no need to revoke them.
Related
How to get the refresh token in JWT format?
The team is working on authentication using AAD, and the OIDC library that is being used expects the tokens to be in JWT format for decoding purposes.
The refresh token is not returned as a JWT. Applications should not be inspecting an RT, as it is only useful for the authorisation server to issue new access tokens. The RT is an encrypted blob that only the authorisation server can decode for this process.
I have a list of services registered in Azure AD. Is there a way to generate a single MSI token by passing a list of MSI ApplicationIds, producing a token which has all the ids in the audience field?
No, this is not possible. One token will only include one audience.
Note that if you're using an interactive authentication flow, you can use the refresh token associated with the token for one audience to get a token for another audience. This means you only have to authenticate once.
From the v1.0 docs:
Access Tokens are short-lived and must be refreshed after they expire to continue accessing resources. You can refresh the access_token by submitting another POST request to the /token endpoint, but this time providing the refresh_token instead of the code. Refresh tokens are valid for all resources that your client has already been given consent to access - thus, a refresh token issued on a request for resource=https://graph.microsoft.com can be used to request a new access token for resource=https://contoso.com/api.
From the v2.0 docs:
Access_tokens are short lived, and you must refresh them after they expire to continue accessing resources. You can do so by submitting another POST request to the /token endpoint, this time providing the refresh_token instead of the code. Refresh tokens are valid for all permissions that your client has already received consent for - thus, a refresh token issued on a request for scope=mail.read can be used to request a new access token for scope=api://contoso.com/api/UseResource.
I'm trying to implement OAuth authentication for my Google Home compliant google-actions backend, but I'm not sure how to validate the token that Google is giving me in the authorization header. I was expecting a JWT token, but it isn't one.
I'm doing my backend on express and node.js with express-jwt to parse the token and jwks-rsa to fetch the encryption key. I've set up my Auth0 tenant loosely based on this guide, and it works fine: the login screen shows up and works just fine.
An example of a token Google sends me is something along the lines of:
authorization:"Bearer msuVRoQGJ_aPqH-zShLq053aAEVmlHqi"
I was expecting Google to communicate with Auth0 to exchange a JWT token and then use it to authenticate to my API by sending it in an authorization header. But I don't know what the bearer token Google is sending is, or how to validate it.
By default, Auth0 will send you an opaque access token when you authorize to a non-custom API (similar to the one you received). JWT access tokens are only issued to custom APIs. So in order to get it in JWT format, you will need to create an API in Auth0 and set the API identifier you defined as the audience parameter.
You will be issued JWT access tokens for custom APIs, and you can validate and verify their integrity (there is an example of how to do this in Node.js): https://auth0.com/docs/api-auth/tutorials/verify-access-token
I'm using OAuth2 to handle authentication in my system. While the authentication works, I'm worried about the security of my refresh token endpoint. The front-end calls this endpoint to get a new access token after it expires.
My question is how would you prevent someone from calling that endpoint and getting a new access token? Would you use the access token to authenticate yourself? At the moment I'm using these tokens to authenticate API calls on a separate service.
The endpoint currently supports CSRF, but that's probably not enough.
Thank you!
The refresh token is used to get the new access token. That is where the authentication happens.
You can decrease the time that a refresh token is valid.
You can also choose if you want the refresh token to be renewed or not with each call to refresh the access token.
Unauthenticated clients cannot call the refresh token endpoint and get a new access token.
How can I refresh the Skype bot token obtained via https://login.microsoftonline.com/common/oauth2/v2.0/token?
This token has grant_type=client_credentials, so you don't need OAuth2 refresh logic for it. Just request a new token when the old one expires.
Take a look at the OAuth 2.0 Authorization Flow. There you will find all the details about refreshing the access token.