OAuth 2.0 Flow how it works node-oauth2-server - node.js

While implementing OAuth Server in NodeJS with https://github.com/thomseddon/node-oauth2-server
I'm trying to understand flow of OAuth 2.0
Somehow i'm successful with this npm package implementation, But I doubt, Something is going wrong.
I'll explain how i'm successful.
1st REQUEST:
POST: http://localhost:3000/oauth/token
grant_type=password
client_id=1011
client_secret=somesecret
username=admin
password=admin
1st RESPONSE:
{
token_type: "bearer"
access_token: "7f5261011fb0f84a4e193889fff4b7478f2a4cb2"
expires_in: 3600
refresh_token: "da83de41966979ced65b3841e1758335a811c0c2"
}
after getting access token, I'm sending another http call
2nd REQUEST:
GET http://localhost:3000/secret
Authorization: Bearer 7f5261011fb0f84a4e193889fff4b7478f2a4cb2
2nd RESPONSE:
{"data":"Secret area accessible"}
But here i'm fully confused about
Question 1. Authorization_code part is missing
Question 2. In first call I need to send client_secret and user_password - If I sending both means oauth client is exposing secret to user(Browser) or User is providing password to OAuth Client.
Please share me if any request/response pattern of whole OAuth 2.0 like below
a. browser -> oauth server POST /oauth/authorize?client_id,username,password
b. USER GRANTS PERMISSION
c. browser -> oauth server RESPONSE auth_code
d. browser -> oauth client POST auth_code
e. oauth_client -> oauth server POST auth_code
e. oauth server -> oauth_client RESPONSE access_token
f. oauth_client -> resource_server POST /resource?access_token (Question 3. But here how resource server validates access token is valid or not )

OAuth 2.0 defines several ways of obtaining an access token through so-called "grants". Your requests show that you're currently using the Resource Owner Password Credentials grant, see: https://www.rfc-editor.org/rfc/rfc6749#section-1.3.3. That grant is indeed exposing the username/password to the Client which is why it defeats most of the purpose of OAuth 2.0 and is for migration purposes only, see: https://www.rfc-editor.org/rfc/rfc6749#section-10.7
The Authorization Code grant is a separate grant type by which a user is redirected with a browser to an authorization endpoint so that the Client stays out of the user authentication process. You seem to refer to that in the flow described in a.-f. Since that is a different grant type, you won't see the "authorization code" as part of the resource owner password credentials grant.
In a correct Authorization Code grant flow, a. would be a redirect instead of a POST as in: a. browser -> oauth server Redirect /oauth/authorize?client_id,response_type=code

Related

Replicate Postman Oauth 2.0 using Python

I have this Authorization request that works.
How can I replicate it in Python?
I am using an Azure AD to authenticate the access.
Since you are working with python, your case is a : Oauth2 login for SSR web applications with Microsoft
Goal
Get an access_token from interactive login using the oauth2 authorization code grant
Steps
Here I will list all the steps required to do it with any language
Create a web with session with at least these endpoints
/ : home page
/callback : server route or path able to receive query params like /callback?code=123456. This along with your base domain will be called redirect_uri. Sample : http://localhost:8080/callback or http://acme.com/callback
Create and configure an app in Azure Dev Console. Same process is in Google, Facebook, Linkedin, etc. As a result you should have a clientId, clientSecret and a redirect url
Create a simple web with classic session in which if user is not logged-in, redirect (302) to this url:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=foo&response_type=code&redirect_uri=foo&response_mode=query&scope=offline_access%20user.read%20mail.read
clientid and redirect_uri are important here and should be the same of previous step
After that, browser should redirect the user to the platform login
If user enters valid credentials and accepts the consent warning, Microsoft will perform another redirect (302) to the provided redirect_uri but with special value: The auth code
http://acme.com/callback?code=123456798
In the backend of /callback get the code and send it to this new endpoint
Add a client_id & client_secret parameters
Add a code parameter with the code sent by microsoft
Add a redirect_uri parameter with previously used and registered on azure. Sample http://acme.com/callback or http://localhost:8080/callback
Add a grant_type parameter with a value of authorization_code
Issue the HTTP POST request with content-type: application/x-www-form-urlencoded
You should get a response with the precious access_token:
{
token_type: 'Bearer',
scope: 'Mail.Read User.Read profile openid email',
expires_in: 5020,
ext_expires_in: 5020,
access_token: 'eyJ0oVlKhZHsvMhRydQ',
refresh_token: 's_Rcrqf6xMaWcPHJxRFwCQFkL_qUYqBLM71UN6'
}
You could do with this token, whatever you configured in azure. Sample: If you want to access to user calendar, profile, etc on behalf of the user, you should have registered this in the azure console. So the clientid is related to that and human user will be prompted with something like this
Libraries
There is some libraries provided by microsoft (c#, nodejs) which will save you a little work. Anyway the previous explanation are very detailed.
Advice
Read about oauth2 spec: https://oauth.net/2/
Read about oauth2 authorization code flow login before the implementation with python
https://www.digitalocean.com/community/tutorials/an-introduction-to-oauth-2
https://auth0.com/docs/get-started/authentication-and-authorization-flow/authorization-code-flow
https://github.com/msusdev/microsoft_identity_platform_dev/blob/main/presentations/auth_users_msalnet.md
Check this to understand how configure the azure web console: https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app
Check my gist https://gist.github.com/jrichardsz/5b8ba730978fce7a7c585007d3fd06b4

For IMAP.AccessAsUser.All Scope ADSTS65001: The user or administrator has not consented to use the application

In my java web application I want to get access to user's mailbox by using jakarta mail. For that purpose I followed https://learn.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth for OAuth2 authorization code flow.
On Azure port I setup my app and added API permissions as below
Now user is redirecting to below authorize endpoint:
https://login.microsoftonline.com/5426ee07-9b73-4a9e-8075-395ab439c6fa/oauth2/v2.0/authorize?client_id=b6067ad9-7195-430b-a35d-97b7aa7beb8f&response_type=code&redirect_uri=http://localhost:8080/callback/microsoft&response_mode=query&scope=offline_access%20https%3A%2F%2Fgraph.microsoft.com%2FIMAP.AccessAsUser.All%20https%3A%2F%2Fgraph.microsoft.com%2FSMTP.Send
After entering credentials and accepting the consent redirect_uri gets hit with auth code. Based on that auth code I formed token endpoint URL and hitting it from server, the token endpoint is as follow:
URL: https://login.microsoftonline.com/5426ee07-9b73-4a9e-8075-395ab439c6fa/oauth2/v2.0/token
Form Data:
client_id=b6067ad9-7195-430b-a35d-97b7aa7beb8f
scope=offline_access%20https%3A%2F%2Foutlook.office.com%2FIMAP.AccessAsUser.All
redirect_uri=http://localhost:8080/callback/microsoft
grant_type=authorization_code
client_secret=QUs8Q~aboLBiopTezMTKwzQjIwWsFFXjc2kCRaRs (I know I have shared the secret)
code={code received from authorize end point}
Response to this post request comes as:
{"error":"invalid_grant","error_description":"AADSTS65001: The user or administrator has not consented to use the application with ID 'b6067ad9-7195-430b-a35d-97b7aa7beb8f' named 'Email Connector'. Send an interactive authorization request for this user and resource.\r\nTrace ID: dc008ced-e23f-4919-bd45-b7ae7c68b000\r\nCorrelation ID: 9b6ede03-3c05-4a78-8975-036a3cb20773\r\nTimestamp: 2022-06-07 19:51:30Z","error_codes":[65001],"timestamp":"2022-06-07 19:51:30Z","trace_id":"dc008ced-e23f-4919-bd45-b7ae7c68b000","correlation_id":"9b6ede03-3c05-4a78-8975-036a3cb20773","suberror":"consent_required"}
Here, I don't understand why the error is saying The user or administrator has not consented to use the application, user has accepted the consent after entering credentials on authorize end point. Event more If we look at the screenshot above admin has already given grant to access the directory.
I tried to reproduce the same scenario in my environment and got the same error as below:
To resolve the error, please check the authorize endpoint you are using to get the code.
Avoid using Microsoft graph API scopes while getting the code.
Replace it with the scope you are using to get access token like below:
https://login.microsoftonline.com/Your_TenantID/oauth2/v2.0/authorize?
client_id=Your_ClientID
&response_type=code
&redirect_uri=http://localhost:8080/callback/microsoft
&response_mode=query
&scope= offline_access https://outlook.office.com/IMAP.AccessAsUser.All
&state=12345
Get the code from the above authorization endpoint.
I got the access token successfully after modifying the endpoint like below:
To validate the access token decode it in jwt.io and check the aud and scp claims like below:

How to consume or access Azure AD exposed API(MyApis)?

I have my confidential client and resource client registered in AAD.
The confidential client has API permissions to access the resource client.
After I logged in from the confidential client with my credentials how can I can make a request to the resource client?
Based on the ms docs
For example, if your web API's application ID URI is https://contoso.com/api and your scope name is Employees.Read.All, the full scope is:
https://contoso.com/api/Employees.Read.All
The example is not enough for me to understand like where's the access token?
You could use auth code flow to obtain the access token.
First, get code by the url in your browser. You need to login in this step.
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
client_id={your-client-id}
&response_type=code
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&response_mode=query
&scope=https://contoso.com/api/Employees.Read.All
&state=12345
Then, get access_token with the code.
POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded
client_id={your-client-id}
&scope=https://contoso.com/api/Employees.Read.All
&code={the code from the previous step}
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&grant_type=authorization_code
&client_secret={your-client-secret}
About implicit grant flow:
This flow is usually used for single-page apps, and the implicit grant presents more risks than other grants. Please check if the implicit grant is suitable for your app, see here. If not, I still recommend you use auth code flow.
Note: To let it work, you need to select access tokens under the Implicit grant section in the portal first, navigate to App registrations -> your application -> Authentication.
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
client_id={your-client-id}
&response_type=token
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&scope=https://contoso.com/api/Employees.Read.All
&response_mode=fragment
&state=12345
&nonce=678910
&prompt=none

OAuth 2.0: client_id and client_secret to be send only in initial request for authorization?

Should a OAuth 2.0 Client send his client_id and client_secret only at his initial request for authorization?
Or at every request he sends to the Authorization/Resource-Server?
Thanks in advance!
#Edit 1: We try to implement the 'Resource Owner Password Credentials'-Flow.
#Edit 2: My guess is that you dont need to send it after you aquired the Access Token. Cause when you already have the access token, the client sends his request directly to the Resource Server. But if you need a refresh token and request one from the Authorization Server, then you need to send client_id and client_secret too. Or am i mistaken?
It all depends on what you want to do with oauth (the flow you use).
You should refer to the flows described here :
https://www.rfc-editor.org/rfc/rfc6749
The client_id is required when you redirect to the authorization endpoint of the authorization server. The secret is used when you exchange an authorization code with the authorization server.
Then you should send your access token at every request of your client with your resource server (api) using the header "authorization"

Wrong access_token from AAD with OAuth2 flow

I am making OAuth 2.0 auth code authentication flow with multi-tenant application.
Here is my authorize url:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=my_id&prompt=consent&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fauthorize&response_type=code&scope=openid+offline_access&state=17
It goes fine and I receive auth_code. Then I make request with this auth_code to token_url and receive a lot of information, like:
token_type
scope
id_token
access_token
refresh_token
expires_at
ext_expires_in
Seems fine to me, but when I make request on API with access_token like:
https://management.azure.com/subscriptions/my_sub_id/locations?api-version=2016-06-01
with headers:
Content-Type:
- application/json
Authorization:
- Bearer EwBQA8l6BAAURSN/FHlDW5xN74t6GzbtsBBeBUYAAV1IHgHb4dOWblzfd/YsSuFicAMDYbua17QivnAT9/pIaeKAg3uKsK5VGqWLzjMOUQrCpd7R1RAM6RkzI0u8e4rpO7DISG7qLso5H5+U1jb+38/j1urcwlXMMxhy83ZXmdpkLXpZV+vcOV...
It responds with 401 error
body:
encoding: UTF-8
string: '{"error":{"code":"InvalidAuthenticationToken","message":"The access token is invalid."}}'
To be honest I think something wrong with my access_token. It seems not like JWT for me. Documentation says it looks like:
"access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCEV1Q..."
But my access_token looks like:
"access_token": "EwBYA8l6BAAURSN/FHlDW5xN74t6GzbtsBBeBUYAAZDe7JE/MPLoAi+Fr+1Xxq5eBe5N9l8Q+c4QjkY5PGEzRnBpPe7+v6h+PLdh1cceBQx+/JsB2QCrYSCt7x/zGsQAhwoY/"
Is it fine?
Here is my permissions for application:
Permissions
The main issue you have here is that you have only asked for an access token for the scopes openid offline_access. The resulting access token will be for Microsoft Graph (https://graph.microsoft.com), not for the Azure REST API (https://management.azure.com).
To indicate you would like a token for a given API, the scope parameter in your authorization request should include the delegated permission you would like the app to have for the API. In the case of Azure REST API, there's only one delegated permission: user_impersonation. The identifier URI for the Azure REST API is https://management.azure.com, so the scope value you want to use is:
openid offline_access https://management.azure.com/user_impersonation
Two more important notes:
As you've discovered, you will not always be issued an access token as a JWT which you can decode peek at. The format of the access token is an agreement between the service which issued the token (Azure AD or Microsoft Accounts, in this case), and the service for which the token was issued (Microsoft Graph, in this example).
You should not always include prompt=consent. prompt=consent should only be used if you have already tried signing in the user without the user needs to be re-prompted for consent for a new permission.
If you simply include the required scopes in the scopes parameter, the Microsoft Identity platform will take care of figuring out if it needs to prompt for consent or not. If you always include prompt=consent, you will find that many organizations will be blocked from accessing your app, because they've disabled the ability for users to grant consent themselves (and this parameter specifically states that you require the user to be prompted again).

Resources