I have the consumer key and consumer secret key for Foursquare and Flickr.
I want to get the access token and access token secret key.
Can someone help me with this?
To get an access token for a user, the user must authorize your consumer to act on their behalf. See https://developer.foursquare.com/overview/auth for more details on how to accomplish this for Foursquare's API.
Related
I'm trying to have a user login using an Azure B2C custom policy, and then use the token that is passed to the redirect URI to make authorized calls to our APIs. I'm aware that the token given after logging in is an id token, but I haven't seen a way to exchange it for an access token.
Using the id token worked for Azure API management, but not in logic apps as it expects the issuer to be login.microsoftonline.com.
Is there a way that I can exchange the user's id token for an access token, or a better way to secure endpoints so that only logged-in B2C users can access them?
Azure AD B2C supports both the id token and the access token: the id token contains claims that you can use to identify users in your application, and access tokens are used to identify the permissions granted to your APIs.
There is no way to exchange an id token for an access token, but you can request both tokens in the same request by passing id_token+token as the response_type when authenticating the request.
GET https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/authorize?
client_id=xxxx
&response_type=id_token+token
&redirect_uri=https://www.jwt.ms
&response_mode=fragment
&scope=openid%20offline_access
&state=arbitrary_data_you_can_receive_in_the_response
&nonce=12345
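Added example (not code from the answer above): this builds the authorize request shown above with response_type=id_token+token, then parses the fragment that B2C appends to the redirect URI and checks that the returned state matches the one sent. The tenant, policy, client id and the callback URL used in demo() are constructed placeholders.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed placeholders for this example; use your own tenant, policy and app registration.
TENANT = "contoso"
POLICY = "B2C_1_signupsignin"
CLIENT_ID = "11111111-2222-3333-4444-555555555555"
REDIRECT_URI = "https://www.jwt.ms"


def build_authorize_url(tenant, policy, client_id, redirect_uri, state, nonce,
                        scope="openid offline_access"):
    """Build the B2C authorize request that asks for an id_token and an access token together."""
    base = (f"https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/"
            f"{policy}/oauth2/v2.0/authorize")
    params = {
        "client_id": client_id,
        "response_type": "id_token token",  # urlencode turns the space into '+', i.e. id_token+token
        "redirect_uri": redirect_uri,
        "response_mode": "fragment",
        "scope": scope,
        "state": state,   # round-trips unchanged so the client can tie the response to its request
        "nonce": nonce,   # echoed inside the id_token so a replayed token can be spotted later
    }
    return base + "?" + urlencode(params)


def parse_fragment_response(redirected_url, expected_state):
    """Parse the tokens B2C appends to the redirect URI fragment and check the state."""
    fragment = urlsplit(redirected_url).fragment
    fields = {k: v[0] for k, v in parse_qs(fragment, keep_blank_values=True).items()}
    if "error" in fields:
        raise ValueError(f"authorization failed: {fields['error']}: "
                         f"{fields.get('error_description', '')}")
    if fields.get("state") != expected_state:
        raise ValueError("state mismatch: response does not belong to this request")
    missing = [k for k in ("id_token", "access_token") if k not in fields]
    if missing:
        raise ValueError(f"response is missing {missing}; was response_type=id_token+token used?")
    return fields


def demo():
    """Run both halves against a constructed callback; returns the URL and the parsed fields."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    url = build_authorize_url(TENANT, POLICY, CLIENT_ID, REDIRECT_URI, state, nonce)
    # Constructed stand-in for the browser landing on the redirect URI after sign-in.
    callback = (f"{REDIRECT_URI}/#id_token=eyJ.id.sig&access_token=eyJ.at.sig"
                f"&token_type=Bearer&expires_in=3600&state={state}")
    return url, parse_fragment_response(callback, state)


if __name__ == "__main__":
    authorize_url, tokens = demo()
    print(authorize_url)
    print(sorted(tokens))
```

The state check is what stops a response from one sign-in being pasted into another session; the nonce is checked separately, once the id_token's claims are read.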
I have an Azure AD App on my tenant that is configured to accept multiple tenants AND personal accounts.
I follow the procedure to retrieve an AccessToken as explained here: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow
When I receive the "code" in my app from the Microsoft web page, I exchange it for an access token calling the endpoint "https://login.microsoftonline.com/common/oauth2/v2.0/token".
Here the behavior differs whether the user that logs in is a work account or a personal account.
With work accounts, I receive a normal JWT Token and everybody is happy: I can decode the token and read the claims.
With personal accounts, I receive another token that is not a JWT token, and I don't have any clue how to:
validate this token
read a few information from the user (specifically, the email of the user)
Could you please help me understand how to perform these two actions?
NOTE: I have seen the answers here: Microsoft as OAuth2 provider for personal accounts does not issue JWT access tokens but my case is slightly different, since I don't want to access MS Graph with this token, I just need to retrieve the email of the user.
Thanks!
cghersi
The access_token in OAuth2 is not required to be a JWT per the OAuth specification.
However, Microsoft supports OpenID Connect, which provides an id_token. The id_token is always a JWT.
To "upgrade" your OAuth request to an OpenID Connect request you simply have to add the scope openid (and possibly email to ensure you get an email).
Then when you exchange your code for an access_token you also get an id_token.
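Added example (not code from the answer or from Microsoft): given a token response, it tells a compact JWT access token apart from an opaque one, and reads the email from the id_token rather than from the access token, which is the point of the answer above. The two responses are constructed stand-ins with placeholder signature segments; the claims are read without any signature check, which a real app does against the issuer's published keys before trusting them.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed token for the demo: real header shape, placeholder signature."""
    header = {"typ": "JWT", "alg": "RS256"}
    parts = [_b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)]
    return ".".join(parts) + ".placeholder-signature"


def looks_like_jwt(token: str) -> bool:
    """True when the token is a three-part compact JWS whose header is JSON naming an alg."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except (ValueError, UnicodeDecodeError):
        return False
    return isinstance(header, dict) and "alg" in header


def unverified_claims(jwt: str) -> dict:
    """Read the payload for inspection only; no signature is checked here."""
    return json.loads(_b64url_decode(jwt.split(".")[1]))


def user_email_from_response(token_response: dict) -> str:
    """Take the email from the id_token, whatever shape the access_token has."""
    id_token = token_response.get("id_token")
    if not id_token:
        raise ValueError("no id_token in the response: add the 'openid' (and 'email') scope")
    claims = unverified_claims(id_token)
    email = claims.get("email") or claims.get("preferred_username")
    if not email:
        raise ValueError("id_token carries no email claim")
    return email


def describe(token_response: dict) -> dict:
    return {
        "access_token_is_jwt": looks_like_jwt(token_response["access_token"]),
        "email": user_email_from_response(token_response),
    }


# Constructed responses: a work account (JWT access token) and a personal account (opaque one).
WORK_ACCOUNT = {
    "token_type": "Bearer",
    "access_token": make_unsigned_jwt({"aud": "api://example", "upn": "alice@contoso.example"}),
    "id_token": make_unsigned_jwt({"aud": "app-id", "email": "alice@contoso.example"}),
}
PERSONAL_ACCOUNT = {
    "token_type": "Bearer",
    "access_token": "EwB4A8l6BAAUconstructedopaquetokenvalue0000",
    "id_token": make_unsigned_jwt({"aud": "app-id", "email": "bob@outlook.example"}),
}

if __name__ == "__main__":
    for name, resp in (("work", WORK_ACCOUNT), ("personal", PERSONAL_ACCOUNT)):
        print(name, describe(resp))
```

The access token is the resource server's business; the client only needs to know that it is opaque and pass it through unchanged, while the identity information lives in the id_token.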
We are trying to integrate DocuSign with our product.
Our scenario: our organization has a (partner) account. We created an Integrator Key (ClientID) and Secret. We want our clients to use their own accounts (which are not child accounts (admin-user relationship) of our partner account) to create envelopes and generate signing URLs along with our integrator key and secret.
Steps followed:
Created an account (Partner Account).
Created Integrator Key and Secret.
Our scenario is considered a User Application, and we use the Authorization Code Grant mechanism to get the auth code.
Clients are redirected to the DocuSign portal to get authenticated (using the authorization code grant mechanism, passing our integrator key as a parameter).
Clients grant consent for our application to use their credentials for the creation of envelopes.
Receive the auth code.
Using the client's auth code and the partner account's Integrator Key & Secret, we try to fetch the refresh and access token. But the DocuSign API (OAuth/token) responds with "Bad Request" (400).
If we use the same partner account credentials in place of the client account, then the API (OAuth/token) responds with the correct refresh token and access token.
Question: Can the integrator key and secret of one account be used along with the auth code of another account (where the two accounts don't have any relationship (admin-user)) to fetch the access token & refresh token?
APIs used:
Get Auth Code - https://account-d.docusign.com/oauth/auth (Partner Account (Integrator Key & Secret) & Client user credentials in DocuSign Portal)
Get Access / Refresh Token - https://account-d.docusign.com/oauth/token (Auth Code from previous response & base64(Integrator Key:Secret))
Reason: we don't want to store user credentials or ask users to log in every time they want to use their DocuSign account in our application. So we want to get consent from a user and store their refresh token with us, and use their refresh token and our integrator key from then on when calling DocuSign APIs.
Update
(I work at DocuSign.)
Via additional information supplied to DocuSign, we were able to find our internal logs for the OP's OAuth transaction that failed. We could see from the internal log that, indeed, the problem was that the Authorization Code had expired.
During an OAuth flow, as soon as an application receives an authorization code, it should immediately turn around and use it to get the Access and Refresh tokens, and related information. We will be updating our documentation to state this issue clearly.
Original answer
Everything you're doing sounds exactly right. Especially since the user is receiving the permission screen the first time after logging in to DocuSign via your application.
To answer your question directly: yes, a client id (Integration Key) can be used by an app for any DocuSign user on any DocuSign account.
One idea: is your application requesting the tokens immediately after receiving the authorization code? The authorization code itself times out after a couple of minutes.
You're saying that if User A logs in it works (User A belongs to the account that manages the Client ID), but if User B logs in it doesn't work? I haven't seen that issue before. I'd create a new demo developer sandbox with User C and have them try to log in.
Is all of this on demo or production?
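Added example (my own code, not DocuSign's SDK): it puts the two token-endpoint calls from the question into functions, with the Basic header built as base64(Integrator Key:Secret), and shows the shape the answer recommends: redeem the authorization code in the callback handler itself and keep only the refresh token. The HTTP call is injected as a `post(request) -> (status, body)` callable so the example runs offline against `fake_docusign_post`, a constructed stand-in that refuses an unknown or already-used code with 400, as in the question. The error body and token values it returns are constructed.

```python
import base64
import json
from urllib.parse import urlencode

# Demo-environment token endpoint named in the question.
TOKEN_URL = "https://account-d.docusign.com/oauth/token"


def basic_auth_header(integrator_key: str, secret: str) -> str:
    """Authorization header for the token endpoint: 'Basic ' + base64(Integrator Key:Secret)."""
    raw = f"{integrator_key}:{secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def token_request(grant: dict, integrator_key: str, secret: str) -> dict:
    """URL, headers and form-encoded body for one call to the token endpoint."""
    return {
        "url": TOKEN_URL,
        "headers": {
            "Authorization": basic_auth_header(integrator_key, secret),
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urlencode(grant),
    }


def _call(request: dict, post) -> dict:
    status, body = post(request)
    if status != 200:
        detail = json.loads(body).get("error", "?") if body else "?"
        raise RuntimeError(f"token endpoint returned {status}: {detail}")
    return json.loads(body)


def redeem_code(code: str, integrator_key: str, secret: str, post) -> dict:
    """Exchange the auth code for tokens; call this the moment the callback arrives."""
    grant = {"grant_type": "authorization_code", "code": code}
    return _call(token_request(grant, integrator_key, secret), post)


def refresh(refresh_token: str, integrator_key: str, secret: str, post) -> dict:
    """Get a new access token later from the stored refresh token."""
    grant = {"grant_type": "refresh_token", "refresh_token": refresh_token}
    return _call(token_request(grant, integrator_key, secret), post)


def handle_callback(code: str, integrator_key: str, secret: str, post, store: dict) -> str:
    """Callback handler: redeem immediately, persist only the refresh token, never the code."""
    tokens = redeem_code(code, integrator_key, secret, post)
    store["refresh_token"] = tokens["refresh_token"]
    return tokens["access_token"]


# --- constructed stand-in for the DocuSign endpoint so the example runs offline ---
FRESH_CODES = {"code-just-issued"}      # codes the fake server still accepts
KNOWN_REFRESH = {"rt-stored-earlier"}   # refresh tokens it recognises


def fake_docusign_post(request: dict):
    """Minimal fake: unknown or already-used codes get a 400 with a constructed error body."""
    form = dict(p.split("=", 1) for p in request["body"].split("&"))
    if not request["headers"]["Authorization"].startswith("Basic "):
        return 401, json.dumps({"error": "invalid_client"})
    if form["grant_type"] == "authorization_code" and form["code"] in FRESH_CODES:
        FRESH_CODES.discard(form["code"])  # a code is single use
        return 200, json.dumps({"access_token": "at-1", "refresh_token": "rt-1",
                                "token_type": "Bearer", "expires_in": 3600})
    if form["grant_type"] == "refresh_token" and form["refresh_token"] in KNOWN_REFRESH:
        return 200, json.dumps({"access_token": "at-2", "refresh_token": "rt-2",
                                "token_type": "Bearer", "expires_in": 3600})
    return 400, json.dumps({"error": "invalid_grant"})


if __name__ == "__main__":
    vault = {}
    print(handle_callback("code-just-issued", "my-key", "my-secret", fake_docusign_post, vault))
    print(vault)
    print(refresh("rt-stored-earlier", "my-key", "my-secret", fake_docusign_post))
```

Injecting the transport keeps the code-handling logic testable without network access; in production `post` is whatever HTTP client the app already uses, and the refresh token in `store` is the only long-lived secret worth protecting.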
I need clarification with sample or reference link for below items:
How to enable automatic renewal of access token?
How to get active access token and expiry time ?
Is there any possible way to get the AD username, password and client id again from the access token?
How to validate the access token?
It all needs to be implemented in C#, not in PowerShell.
How to enable automatic renewal of access token?
Upon successful authentication, Azure AD returns two tokens: a JWT access token and a JWT refresh token. When the access token expires, the client application will receive an error that indicates the user needs to authenticate again. If the application has a valid refresh token, it can be used to acquire a new access token without prompting the user to sign in again. If the refresh token expires, the application will need to interactively authenticate the user once again.
How to get active access token and expiry time ?
For how to authenticate users and get an Azure AD access token for your Azure AD app, you could refer to Authentication Scenarios for Azure AD. The Azure Active Directory Authentication Library (ADAL) enables client application developers to easily authenticate users to cloud or on-premises Active Directory (AD) and obtain access tokens for securing API calls. ADAL is available on a variety of platforms. You could find code samples and common scenarios in this document.
Is there any possible ways to get Ad username, password and client id again from access token?
You could decode the access token and find the upn claim, which stores the user name of the user principal; the appid claim identifies the application that is using the token to access a resource. Please refer to the document: Azure AD token reference. And of course, you can't get password information.
How to validate access token ?
JWT tokens are signed, but not encrypted, when received. The app must validate the signature to prove the token's authenticity and validate a few claims in the token to prove its validity. The claims validated by an app vary depending on scenario requirements, but there are some common claim validations that your app must perform in every scenario. For example, you need to verify the iss and aud claims if you were developing a single-tenant app. And you also need to verify the nbf to ensure the token is not expired. For more details, please refer to Validating tokens.
Here is a code sample for how to manually validate a JWT access token in a web API. And if you are using the OWIN components in your project, it is easier to verify the token by using the UseWindowsAzureActiveDirectoryBearerAuthentication extension; the code sample here is for your reference.
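Added example (my own, not the linked Microsoft sample and not C#): the validation order the answer describes, signature first and then iss, aud, nbf and exp, with a clock-skew allowance. To stay offline it mints its own HS256 test token with a shared key; Azure AD issues RS256 tokens, so a real API swaps the HMAC step for an RSA check against the tenant's signing keys, and the claim checks stay as they are. Issuer, audience, key and the claim values are constructed.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example; a real app takes issuer and audience from its configuration.
ISSUER = "https://sts.windows.net/11111111-2222-3333-4444-555555555555/"
AUDIENCE = "api://my-web-api"
KEY = b"demo-shared-secret-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_test_token(key: bytes, claims: dict) -> str:
    """Mint an HS256 token for the demo; Azure AD itself signs with RS256."""
    header = {"typ": "JWT", "alg": "HS256"}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_access_token(token, key, expected_iss, expected_aud, now=None, leeway=0):
    """Signature first, then iss, aud, nbf and exp. Returns the claims or raises ValueError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    # Pin the algorithm the API expects instead of trusting whatever the token header says.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("signature does not verify")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != expected_iss:
        raise ValueError(f"issuer mismatch: {claims.get('iss')!r}")
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError(f"audience mismatch: {aud!r}")
    if "nbf" in claims and now + leeway < claims["nbf"]:
        raise ValueError("token not yet valid (nbf in the future)")
    if "exp" not in claims or now - leeway >= claims["exp"]:
        raise ValueError("token expired (exp in the past)")
    return claims


def demo() -> dict:
    """Run the validator over a fresh token, an expired view of it, a wrong audience and a bad key."""
    claims = {"iss": ISSUER, "aud": AUDIENCE, "nbf": 1_700_000_000, "exp": 1_700_003_600,
              "upn": "alice@contoso.example", "appid": "app-1"}
    token = mint_test_token(KEY, claims)
    cases = {
        "fresh": (token, KEY, ISSUER, AUDIENCE, 1_700_000_600),
        "expired": (token, KEY, ISSUER, AUDIENCE, 1_700_009_000),
        "wrong_audience": (token, KEY, ISSUER, "api://other-api", 1_700_000_600),
        "wrong_key": (token, b"some-other-key", ISSUER, AUDIENCE, 1_700_000_600),
    }
    results = {}
    for name, (tok, key, iss, aud, when) in cases.items():
        try:
            results[name] = validate_access_token(tok, key, iss, aud, now=when)["upn"]
        except ValueError as err:
            results[name] = f"rejected: {err}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:15} {outcome}")
```

Checking the signature before reading any claim matters because every claim, including iss and aud, is attacker-controlled until the signature proves who issued the token; the `upn` and `appid` claims are the ones the answer points to for the user name and the calling application.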
I am trying to gather metrics info of Azure resources. For that I need an access token to authorize. But to get an access token I have to give client id, client secret, subscription id, tenant id. I was wondering if I could get this access token without giving so many details, except the username and password of my Azure account.
Basically you need the parameters. Azure's APIs are protected by Azure AD so you have to authenticate against it first. If you want to make calls as the user, you still need to authenticate with one of the few ways available. The password grant (as shown in #4c74356b41 answer) is one option, though it is not really recommended. The reason is that if the user's password has expired or has MFA enabled, it won't work.
What you usually do is request the user to login via Azure AD sign-in page (via redirect or web view), and then exchange the resulting authorization code for an access token and refresh token. Then you can make calls against the APIs as the user.
Another option is to register your app in Azure AD and grant its service principal some roles in your Azure subscriptions/resource groups/resources. Then it can authenticate with client credentials (using only its client id and secret + your Azure AD tenant id).
It is possible, but it is considered unsafe. And you would still need a lot of parameters:
| Name | Description |
| --- | --- |
| grant_type | The OAuth 2 grant type: password |
| resource | The app to consume the token, such as Microsoft Graph, Azure AD Graph or your own RESTful service |
| client_id | The Client Id of a registered application in Azure AD |
| username | The user account in Azure AD |
| password | The password of the user account |
| scope | Optional, such as openid to get an Id Token |
Reference:
https://blogs.msdn.microsoft.com/wushuai/2016/09/25/resource-owner-password-credentials-grant-in-azure-ad-oauth/
ps. Don't mind Walter, he is wrong like 50% of the time in his answers.
It really depends on your need and if you want this fully automated or not.
If you want to have a token for a ServicePrincipal, the answer of 4c74356b41 is a great way to do it.
However, if you want to obtain a bearer token for a user (you or another AAD user) that is already authenticated in a PowerShell session, you can do this very easily with this piece of code that I wrote.
https://gallery.technet.microsoft.com/scriptcenter/Easily-obtain-AccessToken-3ba6e593
Basically what it does is fetch the current token from the token cache and return it to you. This way you don't have to deal with clientId, clientSecret or certificate. I use this all the time when I need to call the Azure REST API in a just-in-time fashion.