I am trying to get authentication code and access token but not able to get it as it returns code either in html header or in query string but both method is not supported by Nokia oauth-20.
urn:ietf:wg:oauth:2.0:oob
This value signals to the Google Authorization Server that the authorization code should be returned in the title bar of the browser.
other one:
This value signals to the Google Authorization Server that the authorization code should be returned as a query string parameter to the web server on the client.
Nokia oauth-20 Limitations:
Reference:
http://developer.nokia.com/resources/library/Java/developers-guides/data-handling/oauth-20/creating-an-invocation.html
Redirect must be to an internet site
The mechanism cannot support authentication scenarios where the redirect URL is not an internet site accessible by the proxy server, such as where it is “localhost”.
Token accessibility
The mechanism cannot support authentication scenarios where the token is not returned as part of the redirect URL (for example, if it is encoded in other metadata in the response such as page title).
My question is that there is another option to get access token via web application calling the below url and it works fine if I try it in browser but if I call the link from my mobile using oauth 2 the access token got generated but calling any othe api gives me error 403 insufficient permission.
https://accounts.google.com/o/oauth2/auth?scope=https://www.googleapis.com/auth/drive&redirect_uri=https://login.live.com/oauth20_desktop.srf&response_type=token&client_id=598197514064-0kvbbg9uiurki0oht8c9hga2jqon5c6e.apps.googleusercontent.com
Thanks
Susobhan Panja
According to the Google Oauth documentation, the URL request format is as follows:
https://accounts.google.com/o/oauth2/auth?
scope=email%20profile&
redirect_uri=urn:ietf:wg:oauth:2.0:oob&
response_type=code&
client_id=812741506391-h38jh0j4fv0ce1krdkiq0hfvt6n5amrf.apps.googleusercontent.com
You need to set your scope, redirect_uri, and response_type arguments as directed in the docs.
Related
I created an Api in azure and recently tried to change to authentication method to access it via OAuth2.
I requested a token using https://login.microsoftonline.com/[TENANT]/oauth2/v2.0/token/ and tried to use it to access my api via postman.
Then I tried to use the received token to make a request to my api:
I used Postman's Authorization pane to specify OAuth2.0 as the authentication method and set the Grant Type configuration to "implicit" and sent a request.
Configured like this, the request goes through using the "http" version of my api but as soon as I try to use the "https" version, I get a 401 error "Unauthorized".
Have I configured my api wrong ? Or am I using the wrong url to authenticate ?
Thanks a lot for your time.
After a lot of research I found out what was wrong :
I had to add the application ID in the allowed token audiences of identity provider (in the azure app service, navigate to authentication > locate the identity provider > click on edit > at the bottom of the page add the your app registration's application ID. For good measure I also added api://[APPLICATION ID]/.default and api://[APPLICATION ID]
There was still some authentication code left in the source code of my api. When I was trying to connect I sometime had a response which consisted of HTML titled "Sign in to your account". It was caused by a segment of code in the startup.cs file of my api which verified the user who made the request against my Azure AAD. After removing it I no longer had the error
Background:- I'm trying to implement the Implicit Grant REST API of DocuSign.
According to the documentation provided by DocuSign:-
After consent has been granted, the Authentication Service verifies that the client application is valid and has access to the requested scope. If so, it redirects the access token to the provided callback URI in a hash fragment.
The response contains the following hash fragment parameters:
http://localhost/#access_token=eyJ0eXAi.....9LyiFrUqvdw&expires_in=28800&token_type
Problem statement:-
After redirection we are trying to read the access token from the hash fragment of url section, but we are facing below issue:-
We are trying to open docusign window through iframe, we are getting the below error
Refused to display
https://account-d.docusign.com/oauth/auth?response_type=token&scope=signature&client_id=cab75309-6eb3-4969-a15d-fff35513e179&redirect_uri=https://www.sirionlabs.com/
in a frame because it set 'X-Frame-Options' to 'sameorigin'
So we tried to login to docusign app in another browser tab and then we are not able to read access token from the user, though we are getting the token printed on browser console.
How can we read the token received after login-in to Docusign service, so we can redirect that token to our app for further processing?
You cannot use an iframe for DocuSign authentication.
This is a security concern.
Users must see the URL at the top to know it's DocuSign and secure etc.
Please use a different window or redirect.
I have an Ionic 2 app that works as a native app and as a progressive web app hosted on an Azure Web Site (which is not the same site as my API App Service Site). On the mobile side, I can get refresh tokens successfully by using the mobile SDK's login method and the making the REST call. However on the web side (PWA), I can't use the SDK to login because InAppBrowser won't work because login.microsoftonline.com sets X-Frame-Options to DENY. Therefore, I redirect the browser to /.auth/login/aad?session_mode=token&post_login_redirect_url= with a redirect URL coming back to my PWA index page. That sends me the token back via #token which I am able to parse and use to successfully authenticate to my back-end API.
What doesn't work for me is calling /.auth/refresh. That always gives me the error:
The refresh request issued by sid... failed because no refresh tokens
were found in the token store.
The API App is configured to return an access token for graph.microsoft.com and I can see the refresh token in an initial call to /.auth/me. I can also login directly via a browser session using /.auth/login/aad and no parameters. There I can call /.auth/me and /.auth/refresh successfully
So what I am trying to figure out is how to make this work in the browser. I need the user to get redirected back to my app so I specify the post_login_redirect_url parameter. With that the user gets logged in successfully and redirected to my app. However, that is when the call to /.auth/refresh fails with the error above. I am hoping this is just a matter of not passing the right parameters to the login endpoint but I am not sure.
I am trying to implement SAML authentication through nodejs. We got issuer id and assertion url (assume abc.com) from the third party SAML maintenance team.
I have tried both the following two libraries.
https://github.com/lmarkus/passport-saml-encrypted
https://www.npmjs.com/package/saml2-js#note_options
I am facing following issue. Assume i am currently in the url
http://127.0.0.1:58374/index.html#/home. Now if click login button, it is going to the identity Url. After giving the user credentials, it validates and directly redirecting to different url abc.com which is given by third-party maintenance team. Whatever callback url, i am giving at backend it didn't use.
My problem is after providing the user credentials, control is not coming back to backend node server where i can fetch SAML response. Just identity portal directly redirects to the given url. So not able to get the SAML response data.
How do i can recieve the SAML response after login validation before re-directing. Kindly share your thoughts.
thanks
r karthik.
We have a web service, which currently uses Basic Auth over https to authenticate user requests. We also have a website which uses the service, and a native Windows client, which also uses the web service. I've read about OAuth, and it seems like it's always used for giving or getting access to external resources, i.e. delegation, but I'm trying to understand if it's a replacement for Basic Auth.
I'm not quite sure how all the parts fit together. Do you use Basic over https to the website to retrieve a secret and then have the javascript which is making requests to the REST services authenticate to the web service using OAuth instead of Basic?
It seems that at some point the user needs to enter their username and password into a form. I'm not sure what typically happens next. Is this even a use case for OAuth?
If you have local database accounts for the users (Resource owners) then you can replace the basic authentication with the one of OAuth flow named "Resource Owner Password Credentials" flow.
It is very simple flow where you issue HTTP post to an end point specified in your HTTP server usually named /token The content-type for this HTTP Post action is x-www-form-urlencoded, so the post body will contain something like this grant_type=password&username=Taiseer&password=SuperPass
One the request is sent to the /token end point the server will validate the user credentials against your database store, and if all is valid it should generate a token (signed string) which contains all the claims for this resource owner (user). Then your client application should present this token in the Authorization header with each call to any protected end point using bearer scheme.
This token expires after certain period and you can configure this from the AuthZ server. You can read my detailed blog post Token Based Authentication to get more details.