Background:- I'm trying to implement the Implicit Grant REST API of DocuSign.
According to the documentation provided by DocuSign:-
After consent has been granted, the Authentication Service verifies that the client application is valid and has access to the requested scope. If so, it redirects the access token to the provided callback URI in a hash fragment.
The response contains the following hash fragment parameters:
http://localhost/#access_token=eyJ0eXAi.....9LyiFrUqvdw&expires_in=28800&token_type
Problem statement:-
After redirection we are trying to read the access token from the hash fragment of url section, but we are facing below issue:-
We are trying to open docusign window through iframe, we are getting the below error
Refused to display
https://account-d.docusign.com/oauth/auth?response_type=token&scope=signature&client_id=cab75309-6eb3-4969-a15d-fff35513e179&redirect_uri=https://www.sirionlabs.com/
in a frame because it set 'X-Frame-Options' to 'sameorigin'
So we tried to login to docusign app in another browser tab and then we are not able to read access token from the user, though we are getting the token printed on browser console.
How can we read the token received after login-in to Docusign service, so we can redirect that token to our app for further processing?
You cannot use an iframe for DocuSign authentication.
This is a security concern.
Users must see the URL at the top to know it's DocuSign and secure etc.
Please use a different window or redirect.
Related
I have checked Docusign Request the Authorization Code related documentation and set all the settings on Docusign Admin. But when I run the below url in the browser it wants login details and accept screen. My query is how can I skip this login and accept steps. Here is the request url
https://account-d.docusign.com/oauth/auth?response_type=code&scope=YOUR_REQUESTED_SCOPES&client_id=YOUR_INTEGRATION_KEY
&state=YOUR_CUSTOM_STATE&redirect_uri=YOUR_REDIRECT_URI
You cannot skip this login page if you are using the authorization grant flow as this is part of the oauth protocol security. To get a token, you need to authenticate (or your customer/user would need to). This token is typically valid for 8 hours and a cookie is stored on the device which means you won't be asked again to login for the next 8 hours, but you do need to do this initially.
I made a custom policy for Azure B2C, added jwt.ms as a reply URL and everything seems to be working fine. When I log in, I get redirected to jwt.ms showing the token and it's contents. However when I try to link my angular frontend to this custom policy, it does not seem to work. In need the response type id_token token, but when I use this response type I get the error "This application does not have sufficient permissions against this web resource to perform the operation."
When I use the response type id_token it seems to work fine and I get a reply with the JWT token.
I thought the problem might be in the Implicit grant settings under applications, so I have tried enabling Access tokens and ID tokens for all applications but this did not help.
Implicit grant settings
The request looks as follows:
https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/oauth2/v2.0/authorize
?p=b2c_1a_signup_signin&client_id={client_id}
&redirect_uri=http%3A%2F%2Flocalhost%3A4200%2F&response_type=id_token%20token
&scope=openid%20https%3A%2F%2F{tenant}.onmicrosoft.com%2Fapi%2Fuser_impersonation
&nonce={nonce}
&state={state}
So if you replace the characters it looks like this:
https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/oauth2/v2.0/authorize
?p=b2c_1a_signup_signin&client_id={client_id}
&redirect_uri=http://localhost:4200/&response_type=id_token token
&scope=openid https://{tenant}.onmicrosoft.com/api/user_impersonation
&nonce={nonce}
&state={state}
I expect the login flow to return both the JWT ID token and an access token.
Edit:
I created a whole new B2C tenant with a standard Signupsignin user flow and I still experience the same issues. So I concluded that it is not a custom policy issue, but an issue caused by a configuration in Azure or the front-end application.
After a lot of experiment I come to know about your problem. I guess you are not trying in a right format. Even I don't know which document you are refereed to. Okay the first problem is...
You are getting this error "This application does not have sufficient permissions against this web resource to perform the operation"
Reason
You have not set API access in your target application on azure portal. To achieve that you have add API access on your application.
Let say you have two Published scopes on your B2C tenant application like below:
Create API Access
To avoid above error Add API access. To do that , go to your application select API access after that you will see a Add button on top. click and right side API access window will be open just click Ok. See the below screen shot:
After successful API Access It should looks like below
Note: Hope It will solve your error while you are trying to send request.
B2C id_token and Access Token
Follow the below steps for Id_token
ID Token Access Process
https://YourB2CTenant.b2clogin.com/tfp/YourB2CTenant.onmicrosoft.com/YourPolicy/oauth2/v2.0/authorize?
client_id= YourApplicationId
&redirect_uri= Your reply from Application
&scope=openid
&response_type=id_token
Take a look below at Id_token:
Note: Just fill out the above format and paste at your browser with no space between. If is it correct then a sign in page will be
prompted. After sign in you will be given id_token on your browser.
B2C Access Token
Follow the below format In POSTMAN:
Grant Type:authorization_code
Callback URL: Your Reply URL
AuthURL:https://YourTenant.b2clogin.com/YourTenant.onmicrosoft.com/YourFlow/PolicyName/oauth2/v2.0/authorize?
Access Token URL:
https://YourTenant.b2clogin.com/YourTenant.onmicrosoft.com/oauth2/v2.0/token?p=YourFlow/PolicyName
Client ID: Your Application Id
Client Secret = Application Key
Scope= any of your Published scopes
Post Man request Process
Go to postman and click on Authorization Tab and Select type as OAuth 2.0 See the below screen shot:
For getting access token click on Get New Access Token You will be prompt following window fill out it with above mentioned format.
After hitting Request Token button you will be prompted a sign in window after successful login you will get access_token in response. Like below:
Note: In B2C there is no supported way to get `Id-Token and access_token together in a single request. You have to achieve it in
separate request. For more details you could refer here
If you still have any problem please feel free to share here in comment. Thank you and happy coding!
I'm new to using Azure Active Directory authentication with a Web API. Right now the login page on my Single Page Application simple directs the user to the Microsoft login page where they enter their credentials and then are redirected back to my SPA. Upon the redirect the access token is now part of the URL. Is it possible to get that token via JSON rather than part of the URL? Is that a security risk making the token visible to user like that? If there is no other way to get the token what's the best way of processing that? Should I read the URL and pull the token from there and then redirect the user again to the actual website?
You have to be mindful in implicit flow the token will still be maintained at the client site (local storage normally). So even if you are hiding the token from URL , you still will be storing at client side and that's one of things you have to manage in SPA. You will have to send token with every HTTP request to your web api to get that authenticated on that end.
In implicit flow tokens are shortlives and you can't issue refresh token for longer period of access. For this kind of flow you need to use official library (ADAL.js)
https://github.com/AzureAD/azure-activedirectory-library-for-js
More resources
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-implicit-grant-flow
You can use ADAL.js library to acquire the token. There is a pre defined function which you have to call after the Ad authentication or at the beginning check if you are logged in, you can use isauthenticated function to check if you have already logged in, and use getaccesstoken function to acquire the token after authentication.
I would like to upload a given file to Sharepoint. I'm using the Microsoft Graph API.
The documentation follows this workflow:
1. If no token, redirect the user to the Microsoft signin page.
2. The user is then redirected to the application, with an access token
3. Use access token to have an authorization bearer
4. Do what you gotta do...
My problem is the sign-in part. I don't want my users to be redirected to the Microsoft signin page. I want my application to connect and get the access token in the background (with cURL or whatever).
How can I do that? Why is the "open in browser" necessary?
I tried to replicate the sign-in process, but all I get back is the HTML response from the signin page.
Thanks in advance.
Your application act as a single-tenant service or daemon app.
The documentation about this scenario is here : https://developer.microsoft.com/en-us/graph/docs/authorization/app_only
The application must be registered in the AzureAD directory corresponding to the Office365 tenant
A first request is made by passing the application unique identifier and secret key as registered in the directory. This request returns an access token
The access token can now be used in the Authorization header of the following request to the Microsoft Graph API.
This method (of using Client ID and Secret) works well but there are other ways which may be better suited for similar scenarios.
The one major thing which is missing in access token generated this way is a user, meaning the token only contains the identity of the OAuth application (client) which called it but is not associated with any user for the request.
This could have a couple of implications:
Since the token is not associated with a specific user you will not know who performed the operation. In your example, you would not know who uploaded the file (and other similar information may be missing).
Access token without users will not work at all for some methods. For those, you need a delegated token.
Creating a delegated token requires some effort, if you are interested you can find the details in my article:
Getting Access Token for Microsoft Graph Using OAuth REST API
I am trying to get authentication code and access token but not able to get it as it returns code either in html header or in query string but both method is not supported by Nokia oauth-20.
urn:ietf:wg:oauth:2.0:oob
This value signals to the Google Authorization Server that the authorization code should be returned in the title bar of the browser.
other one:
This value signals to the Google Authorization Server that the authorization code should be returned as a query string parameter to the web server on the client.
Nokia oauth-20 Limitations:
Reference:
http://developer.nokia.com/resources/library/Java/developers-guides/data-handling/oauth-20/creating-an-invocation.html
Redirect must be to an internet site
The mechanism cannot support authentication scenarios where the redirect URL is not an internet site accessible by the proxy server, such as where it is “localhost”.
Token accessibility
The mechanism cannot support authentication scenarios where the token is not returned as part of the redirect URL (for example, if it is encoded in other metadata in the response such as page title).
My question is that there is another option to get access token via web application calling the below url and it works fine if I try it in browser but if I call the link from my mobile using oauth 2 the access token got generated but calling any othe api gives me error 403 insufficient permission.
https://accounts.google.com/o/oauth2/auth?scope=https://www.googleapis.com/auth/drive&redirect_uri=https://login.live.com/oauth20_desktop.srf&response_type=token&client_id=598197514064-0kvbbg9uiurki0oht8c9hga2jqon5c6e.apps.googleusercontent.com
Thanks
Susobhan Panja
According to the Google Oauth documentation, the URL request format is as follows:
https://accounts.google.com/o/oauth2/auth?
scope=email%20profile&
redirect_uri=urn:ietf:wg:oauth:2.0:oob&
response_type=code&
client_id=812741506391-h38jh0j4fv0ce1krdkiq0hfvt6n5amrf.apps.googleusercontent.com
You need to set your scope, redirect_uri, and response_type arguments as directed in the docs.