I'm looking into DocuSign's eSignature API. Trying out their OAuth using a demo account (https://developers.docusign.com/platform/auth/authcode/authcode-get-token/).
In some OAuth systems, the access token of a given user gets invalidated after requesting another accessToken for the same user. But it seems the previous token continues to be valid as long as it hasn't expired.
Is this a behaviour just for the Demo/Sandbox account, or is it possible to rely on this behaviour for live accounts as well (where several access tokens can be used for the same DocuSign user)?
Can each of these accessTokens be refreshed with their respective refreshTokens without limitations/problems?
In this regard, Demo and Production behave the same - you can generate multiple valid tokens for the same user.
That said, this is not a good practice - while the Account Server does not currently have throttles related to token generation, it may in the future. A token should be re-used throughout its lifespan - continuously generating unnecessary tokens is not an appropriate workflow.
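The reuse pattern described in the answer above, as an added example that is not part of the original post and not DocuSign SDK code: a cache that hands out the same access token until shortly before it expires and collapses concurrent requests into one token call. `TokenCache`, `fetchToken` and the 60-second skew are hypothetical choices; `fetchToken` stands for whatever request the application already makes to obtain a token.

```javascript
// Added example: TokenCache and fetchToken are hypothetical names.
class TokenCache {
  // fetchToken: async () => ({ access_token, expires_in }), the caller's own
  // token request (for instance a refresh-token grant).
  // now: injectable clock returning milliseconds, so expiry can be tested.
  constructor(fetchToken, now = () => Date.now(), skewMs = 60_000) {
    this.fetchToken = fetchToken;
    this.now = now;
    this.skewMs = skewMs;   // renew slightly early to avoid racing expiry
    this.entry = null;      // { token, expiresAt } once a token is held
    this.inFlight = null;   // shared promise while a request is pending
  }

  isFresh() {
    return this.entry !== null &&
      this.now() < this.entry.expiresAt - this.skewMs;
  }

  async get() {
    if (this.isFresh()) return this.entry.token;   // reuse, no network call
    if (!this.inFlight) {
      // Single-flight: concurrent callers wait on one request instead of
      // each generating a token of their own.
      this.inFlight = this.fetchToken()
        .then((res) => {
          this.entry = {
            token: res.access_token,
            expiresAt: this.now() + res.expires_in * 1000,
          };
          return this.entry.token;
        })
        .finally(() => { this.inFlight = null; });
    }
    return this.inFlight;
  }
}
```

A failed request leaves the cache empty and clears the pending promise, so the next caller retries rather than receiving a stale rejection.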
Related
I am completely new to OAuth but I have just implemented my first OAuth flow in obtaining access tokens from an external API to gather information on users using NodeJS and Express. The external API generates an access token and a refresh token as the access token only lasts for 24 hours.
I am wondering what is the best practice to store API access and refresh tokens as I will have to use them even when the user is not accessing my application to gather information in the background. Would it be just a database and then querying the database on the server side of my application to access the API? Then refreshing the token and updating the entry from within the database?
Any advice is welcome!
The answer really depends on the type of API client you are using. OAuth has standard solutions for the below 3 scenarios. As a next step, maybe let us know which of these scenarios is closest to yours:
Web UI: gets tokens for an end user, stores them in memory, can deal with access token renewal via cookies
Mobile UI: gets tokens for an end user, can store them in OS specific secure storage
Back end process: gets tokens on behalf of itself, stores them in memory and re-authenticates when tokens expire
I would aim to leave token storage to the Authorization Server, which has built in processes to do this in a secure manner.
Risks with a second token store are that a rogue employee could perhaps grab tokens and operate as users - so it is worth thinking about this kind of threat.
In order to access resources in Azure AD web applications we retrieve an authorization code using the following workflow:
https://learn.microsoft.com/en-us/azure/active-directory/develop/v1-protocols-oauth-code
Now my question is, does this retrieved code also have a specific lifetime (like tokens have) or will it never expire? I guess it won't expire but I need to be sure about that.
Yes, the authorization code has a lifetime of 10 minutes I think.
You use it to get the tokens you need and then throw it away.
You'll get refresh tokens so you can use them to get more tokens later.
ADAL.NET for example handles the token refresh for you, assuming you properly implement a token cache.
Reference: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-id-and-access-tokens (scroll all the way down) (it's for the v2.0 endpoint, but codes are similarly short-lived in v1)
Authorization codes (work or school accounts)
10 minutes
Authorization codes are purposely short-lived, and should be immediately redeemed for access tokens and refresh tokens when the tokens are received.
I am working on asp.net web api 2 and used JWT for authentication. The application is working fine as it generates token on login request from user, and then user can use that token for subsequent request. But I have some security concerns like
What if the token is stolen from the user's browser? How can the server detect a valid request among two requests sent from two different computers?
When the user signs out, how can the server detect that this particular token is now invalid/logged out? As I read about logout, it is merely deletion of the token from the client browser, so a stolen token will still be there, requesting from another PC.
How can the server revoke a token when the expiration period is reached?
Please comment if my question is not clear.
Please find the answers as below:
1) Access tokens are like cash: if you have it then you can use it. If you have a valid access token there is no way to identify if the request is coming from an authorized party or not; that's why HTTPS must be used with OAuth 2.0 and bearer tokens.
2) Self-contained tokens like JWT are not revocable, so there are no DB checks and this is the beauty of it; you need to leave those tokens until they expire. If you used reference tokens then you will be able to revoke them, but the drawback of this approach is hitting the DB with each API call to validate the token.
3) Already answered in part 2.
You can check my series of posts about this topic using the below links:
Token Based Authentication using ASP.NET Web API 2, Owin, and Identity.
AngularJS Token Authentication using ASP.NET Web API 2.
JSON Web Token in ASP.NET Web API 2 using Owin.
When it comes to JWT revocation the general idea seems to be either that:
it simply can't be done
or it can be done, but it goes against the stateless nature of JWT.
I generally don't agree with either. First JWT is just a token format (Learn JSON Web Tokens), yes it can be used to shift some state from servers to clients, but that does not impose any restriction on what we can and should do to consider them valid from the point of view of our application.
Second, if you understand the implications and the associated cost of implementing revocation functionality and you think it's worthwhile to use self-contained tokens instead of alternatives that could simplify revocation but increase the complexity elsewhere then you should go for it.
Just one more word on the stateless thing, I think I could only agree to it in the remote chance that the application receiving and validating tokens does not maintain any state at all. In this situation, introducing revocation would mean introducing a persistent store where one did not exist before.
However, most applications already need to maintain some kind of persistent state so adding a few more bits to track blacklisted/invalid tokens is a non-issue. Additionally, you only need to track that information until the token expiration date.
Having covered the general theory, let's go through your individual questions:
If your security requirements mandate that you need to employ additional measures to try to detect malicious use of a token then you're free to do so. A simple example would be blacklisting a token if you detect usage of the same token coming from very different geographical locations.
With support for token revocation in place the application logout scenario would just need to include a step to blacklist the associated token.
I may be missing something here, but if the token expiration time was reached the regular process to validate a JWT would already include a check to make sure that the token was not yet expired.
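The bounded revocation state described in the answer above, as an added example that is not part of the original post: a denylist keyed on the token's `jti` that only has to remember an entry until that token's `exp`. `RevocationList` and `validateClaims` are hypothetical names, and the code assumes the JWT signature has already been verified and that tokens are issued with a unique `jti` and a numeric `exp`.

```javascript
// Added example: RevocationList and validateClaims are hypothetical names.
// Assumes `claims` is the payload of a JWT whose signature was already
// verified, with a unique `jti` and an `exp` in seconds since the epoch.
class RevocationList {
  constructor(now = () => Math.floor(Date.now() / 1000)) {
    this.now = now;              // injectable clock, in seconds
    this.revoked = new Map();    // jti -> exp
  }

  // Called on logout, or when misuse of a token is detected.
  revoke(claims) {
    // An already expired token needs no entry: the exp check rejects it.
    if (claims.exp > this.now()) this.revoked.set(claims.jti, claims.exp);
  }

  isRevoked(jti) {
    return this.revoked.has(jti);
  }

  // Drop entries whose token has expired; returns how many remain.
  prune() {
    const t = this.now();
    for (const [jti, exp] of this.revoked) {
      if (exp <= t) this.revoked.delete(jti);
    }
    return this.revoked.size;
  }
}

function validateClaims(claims, list) {
  // A token without jti or exp cannot be tracked or bounded: reject it.
  if (typeof claims.exp !== 'number' || typeof claims.jti !== 'string') {
    return { ok: false, reason: 'malformed' };
  }
  if (claims.exp <= list.now()) return { ok: false, reason: 'expired' };
  if (list.isRevoked(claims.jti)) return { ok: false, reason: 'revoked' };
  return { ok: true };
}
```

With several API instances the map would live in a shared store, and the store's own key expiry can take the place of `prune()`.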
I am posting this here, as Docusign has requested all docusign api questions be placed on StackOverflow:
REFERENCE
I have been working on a Docusign application that uses their OAuth flow. In order to test this, I have been using my free account (www.docusign.com) to get access tokens from the application I created on my developer account (demo.docusign.net).
The integrator key I am using is live.
In the process of my testing, I have obtained an access token 10 times using the free account. I did not keep track of those tokens as it states that they can be revoked in the web console. Docusign Reference
However, there is no such section in the www.docusign.com account. All it shows is 5 other accounts that I can connect to.
I now have lost all 10 of those tokens, and the response from the service tells me that I reached the maximum number of access tokens.
Now here's the interesting part, if I use my developer account credentials to authenticate to my application, I can see the access tokens that are active, with the option to revoke.
I know that there is a revoke token endpoint, but you need to know the token in order to use it.
How can I revoke these 10 tokens as I no longer know what they are (due to testing), and there is no interface to revoke them on www.docusign.com? Essentially, this account is now locked out of my application.
I cannot add screenshots to this post as I do not have high enough reputation
I am looking to use OAuth to secure some web services. OAuth 2 fits nicely for the use cases I have where the user might access his/her own data using APIs or grant access to someone to call APIs on his behalf.
However, the initial set of API users are not very technical and they would not want to go through the effort of making API calls just to generate tokens. I am thinking of implementing the following solution but am not sure if this is the right way.
If the user is a developer, then
Have a screen where he/she can register an application. This will generate an API key/secret pair.
To access his/her own data (for 2-legged auth), have a UI screen where the user can generate an access token for one of his registered applications. He can specify the scopes and duration in the form.
If he is a 3rd party developer, then he needs to pass his application's API key to the person on whose behalf he needs to access the API and get an access token in exchange.
If the user wants another application/developer to access APIs on his behalf, then
Have a screen where he can enter the third party's API key, scopes and the duration of the authorization. He can pass the generated access token to the developer who'll access the APIs.
I am going to use same OAuth libraries to generate the token that I would have used if I had gone the web service route. Further, I can also develop services whenever the current situation doesn't scale or the need arises and the existing tokens would still work.
The problem is mainly one of security. By design, duration of access token should not be set by a client. If someone else gets to know the access token and client id during this duration, this user's account will be compromised. Normally this duration is set to be not very long and a second secret value refresh token is used to refresh the current access token. The token refreshing can be automated in code, but in your approach it will need to be done manually.