OAuth access Jira with google token? - node.js

I am using this npm to authenticate through Google to the system.
I have Jira atlassian, that uses Google to authenticate.
Question
Is it possible to use the token that I received from Google, and use it to authenticate into Jira's API of that user to gather information from Jira such as grabbing all tasks assigned to me, and such?
Or do I have to make OAuth specify for Jira ?

Of course you can do this, that is the point of delegated authentication.
Google will send you an authentication token when user will logs in.
I never work with google. I always used keyclock (3 part OAuth provider). But that is a beauty of a spec it should work everywhere the same.
It will be save in the cookie.
It will have o form of JWT.
You have to attache is token to the request that you send to the jira API.
You can try this with curl first
curl -i http://dev.myapp.com/api/jira ... \
-H "Authorization: Bearer Ym9zY236Ym9zY28=afsfdsf...."
You can find the token when looking at the network traffic in your browser.
Let me know how it went. And if I can help further. I have a pretty good understanding of the OpenIDconnect and OAuth 2.0 standards.

Related

How does Oauth2 (Bearer token) work when getting access_token

I will start off by saying I have followed a guide of how to make a secure API using FastAPI (https://fastapi.tiangolo.com/tutorial/security/oauth2-jwt/).
What happens is that you will have two api which one is post and get
POST is where you pass the
curl -X POST "http://127.0.0.1:8000/token" -H "accept: application/json" -H "Content-Type: application/x-www-form-urlencoded" -d "grant_type=&username=hello&password=world&scope=&client_id=&client_secret="
GET is an api that requires the access_token Bearer to be able to access the API etc http://127.0.0.1:8000/getUser
Now I am pretty confused on how safe you can run the application because what makes me confused is that I would need to make a POST request with my username and password to the API which will return me access_token and I believe with that access_token I later on access the next api which is http://127.0.0.1:8000/getUser? Is this the correct way or am I out of scope?
Because what makes me unsafe is that if I now lets say "hardcode" my username and password into a python script and someone manages to reverese engineer the script/exe/whatever (Maybe even see through network what is sending as params/data)- they will be able to access my token in that case. So what would be the suggestion here?
It's a pretty broad question. A good place to start is probably the OAuth2 RFC 6749.
Some of the foundational understanding that need to get right as a first step is:
A precondition of OAuth2.0 is TLS. Assuming you're using TLS 1.2 or 1.3 with appropriate cipher suites, we can safely assume network sniffing is not a possibility
If you're using OAuth2.0 on behalf of a human user, you'd use "Authorization Code" or "Password Credentials" grant types where the user would enter the username password manually
If you're using OAuth2.0 on behalf of the client itself (NOT a human user), you'd use "Client Credentials" grant type
All these grant types have different flows. Since you've mentioned about hard coding, I'm assuming you're referring to the use case mentioned in point no. 3. Hard coding secrets is NEVER an option. The most secured way to handle this is, storing the secrets in a Vault. A less secured option is to store the secret in a separate file in encrypted form.
I'll recommend you to read the following answers as well:
https://stackoverflow.com/a/59433000/1235935
https://stackoverflow.com/a/54011649/1235935
https://stackoverflow.com/a/54258744/1235935
https://stackoverflow.com/a/59464645/1235935

Should my app issue it's own access tokens, when using external oauth2 provider (facebook)?

I would like to give the users a possibility to login with some external oauth2 provider (facebook) in my app. The client's part is running on mobile device in a native app.
I am not sure which of the approaches below should I prefer ?
Should the client send the user's access token by facebook with each request ? At each request backend asks facebook to validate the access token. Based on the validation's result, backend performs authorization and return corresponding result to the client.
Should the backend ask facebook to validate the access token only at user logon, then issue its own access token, return the access token back to the client and client will use this access token at making requests to the server to avoid contacting facebook at each request ?
I have read some questions about how to implement the auth with facebook and most of the devs are using B, but I haven't seen any explanation why is it good/bad to use A ?
What I see as benefits of the solutions:
backend doesn't need to care about issuing, refreshing, validating access tokens since this is done only by facebook's authorization servers.
this solution seems to be more effective, since it does not require to connect to facebook at each request.
Security tokens issued by Facebook are signed with a digital signature. The API server only needs access to the public key to validate the signature. There's no need at all to contact Facebook after the user authenticates.
A reason to issue your own tokens after the user signed in with Facebook could be to add claims to the token. But obviously having your own authorization server comes at a cost. It's up to you to weigh the pros and cons.
If you do decide to have your own authorization server, make sure not to write your own! There are open source options like Thinktecture IdentityServer.
I will vote for option B and here is my explanation,
Your API must authorise the request every time with some auth token , which cannot be external provider token, in such case anyone with an access token (eg: other developers) of other provider can access your api, basically there is no auth here.
When your sever issue access token, it's easy to validate and when needed could be revoked easily (eg: on password reset)
While authenticating , your server has fully control over issuing access token , so the validation is made only once and doesn't have to do every time while calling the API.

Using Passport module in Nodejs for OAuth

I am new to Node.js, OAuth.
I am developing a web app using Nodejs. My application is interacting with the third party API to get data. Per documentation of API "All methods in this third party API take OAUTH authentication parameters in request header"(that's it no more details)
I decided to use Passport module of Node.JS to achieve this(http://passportjs.org/guide/oauth/).
My Problem is I am unable to understand how to proceed with this. Let say we have an API method "http://api.travel/getAllLocation" which returns all locations where user can travel.
Can someone pls help here by providing example how to use NodeJS, Passport to get required data from webservice .
[Update]
Have found this answer which is trying to achieve the same thing. But how to achieve the same using Passport
How to send the OAuth request in Node
It sounds to me as if you're trying to use Oauth to access someone else's API correct? If that's the case, you need to interact with the API by doing this:
Requesting an Oauth token given an API key.
Putting that token into your HTTP Authorization header so that the third-party API can identify and authenticate you.
The way you can request an API token (typically) via the command line using cURL is as follows:
$ curl -v --user api_key_id:api_key_secret -X POST https://api.something.com/v1/auth?grant_type=client_credentials
This will typically return some sort of token (hopefully a JSON web token!) that you can then use to identify yourself. Here's an example cURL request that properly specifies a token:
$ curl -v -H "Authorization: Bearer tokenhere" https://api.something.com/v1/blah
Using Node, you can craft these HTTP requests with the https://github.com/request/request library. Again, if you link us to the exact docs, I can help ya further =)

Github API OAuth token validation

Is there any way to validate my OAuth token for the github API? By 'token' I mean the one I get after the user has logged in to my website. I store it on the client computer using cookies, but just checking if there is a token is not enough: I need to actually check if the token is valid or not. Currently this requires me to make a request for information and then catching the errors. However, this is really damaging my rates and also my load speed as the github API is sloooow... I am using Node.js, express and the octonode library.
I tried looking at the github API docs, but they are minimal. Maybe this is to do with OAuth.
Check headers to see what OAuth scopes you have, and what the API action accepts:
curl -H "Authorization: token OAUTH-TOKEN" https://api.github.com/users/codertocat -I
HTTP/1.1 200 OK
X-OAuth-Scopes: repo, user
X-Accepted-OAuth-Scopes: user
From the Github API docs on authorizations:
OAuth applications can use a special API method for checking OAuth token validity without running afoul of normal rate limits for failed login attempts.
Authentication works differently with this particular endpoint. You must use Basic Authentication when accessing it, where the username is the OAuth application client_id and the password is its client_secret. Invalid tokens will return 404 NOT FOUND.
You can do this with curl:
curl -u client_id:client_secret https://api.github.com/applications/:client_id/tokens/:token
Or, if using fetch, use Curl to Fetch.
This is compiled from the helpful comments on the OP's question.
curl -H "Authorization: <TOKEN>" https://api.github.com/
Or
curl https://api.github.com/ -u <USERNAME>:<TOKEN>

OAuth 2.0 authentication for own mobile client

I am developing an app using node.js which will also have an mobile client. I am looking to make the authentication using OAuth 2.0. Is there any good module which allows me to have OAuth 2.0 authentication server?
I looked at a subsidiary module of Passport "OAuth2orize". I found it quite good enough, but the real problem was understanding how it will work for my own app (the example and docs specify about third party authorisation).
Basically what I want is that the client logs in with client id, user's username, user's password and there by I hand him a token after verifying the above 3 things. But the problem with Oauth2orize is that there there are redirect URI and all which is confusing me a lot.
Please help me know as to how can i achieve this using Oauth2rize or any other really good module. Or If its easy enough I can also roll my own, but will that be a good idea regarding security ??
What you are looking for is the Resource Owner Password Credentials flow. As you've seen, the examples for oauth2 do not include functionality that supports this flow. In fact the examples only cover the Authorization Code flow.
It should end up being fairly easy to implement. All you need to do is accept a request that contains the information you are looking for (and authorize it) and create a token in your token database and return it. As long as you use the same token database that the rest of oauth2orize is using, it should work just fine. See: Passing Trusted Client Information with oAuth2orize for the "Resource Owner Password Flow" where that is exactly what is suggested.
Correction:
The all-grants example of oauth2orize supports the Implicit flow as well as Authorization Code flow.

Resources