Create an API with Mulesoft for OAuth2 PING to generate the token - mulesoft

I want to create an API with Mulesoft to be able to obtain the token from calling the OAuth2 Ping provider.

Related

React-Rails OAuth with omniauth

I want to implement authentication with a rails-react app.
I am using OAuth with google as the authorization server.
I am using it to authenticate users on my rails api, not to get access to some of google APIs for a given user.
I want to use token based auth. I am using the gem omniauth to help with the process of exchanging the authorization token for the access token between the rails server and google.
Considering that the client (React) needs to always send a token in the header of every HTTP request sent to the server, once I have an access token, how do I verify this token sent by the client?
Here are my thoughts:
Verify the token on the server side
1 - How do I use the token to verify that the request coming from the client is coming from an authenticated user? Store it in the DB and compare it for every request? Query the OAuth authorization server every time to validate the token (if that is even possible)? JWT?
2 - I understand that there are multiple flows to obtain a token from an OAuth provider. Omniauth seems to abstract this part of the token exchange with the OAuth provider, am I correct?
Give the token to the React client
3 - Once I get any token (whether it's a JWT or a simple access token), I need to pass it to the React client, which is not secure as anybody could get a hold of this token and make a request to the API with a stolen identity. I think I missed something here as this doesn't make sense?
Thank you!

What Should be the basic flow of AWS API Gateway Integration in React JS with cognito user pool authentication system?

I am using React JS in the frontend and the AWS Serverless architecture as the backend of the React application.
So, for user authentication and authorization I am using the AWS Cognito Service, and for making the requests I am using axios.
Now, I want to integrate APIs which are created with the AWS API Gateway with the Cognito user pool. I am able to sign in to the user session and retrieve the ID Token, Access Token and Refresh Token, and I am sending the ID Token in all requests which are created with AWS API Gateway. But how can I know that the token is expired? Because when the token is expired it is sending a Network error instead of the message ("Token is Expired.").
In short, I want to handle the situation where the token is expired or the token is invalid. What do I have to do?
Give the basic flow of handling all requests (GET, POST, etc.) using axios.

Unable to obtain Microsoft Graph OAuth access token

I'm following this documentation to get an access token to call Graph APIs for Outlook Calendar. I've registered my app on Azure AD admin center, created a client secret and exposed relevant APIs. The app is configured for multi-tenant access and I'm using OAuth v2.0 endpoints for authorization.
I can successfully get the authorization code but get this error when requesting an access token:
"error": "invalid_client",
"error_description": "AADSTS7000215: Invalid client secret is provided.",
"error_codes": [
7000215
],
I send the URL-encoded client secret with the access token request, as mentioned here.
You provided an invalid client secret.
Just copy it from the Azure AD app and paste it into your request. There is no need to URL-encode it.

Should I use the JWT token in the OAuth2 for Delivering a Secure API

I am developing a web application using ReactJS (front-end UI) and Scala (back-end API). I have implemented the backend services as microservices.
Here I have integrated the OAuth2 authorization framework and used OAuth access tokens. After user authentication, I am passing the OAuth access tokens in every subsequent request's headers.
I did see in some website links that we should use a JWT token in the OAuth2 flow instead of "OAuth access tokens" to deliver a secure API.
Should I integrate JWT tokens into the existing OAuth2? Please share your suggestions. Thanks.
OAuth2 is an authorization protocol and does not dictate the format of the access_token, so you could return a JWT from the authorization server containing the scope/permissions and the expiration.
I would recommend going through this:
https://auth0.com/blog/ten-things-you-should-know-about-tokens-and-cookies/#token-oauth
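The answer above says the access token may itself be a JWT carrying scope and expiry, which is what lets the API validate every request locally instead of asking the authorization server each time (the first question in the Rails post). The following is an added example, not code from any of the posts: a constructed issuer mints an HS256 JWT (a real provider would use an asymmetric key and publish the public part; HS256 is assumed so it runs offline) and the resource server checks signature, issuer, audience, expiry and scope.

```python
import base64, hashlib, hmac, json, time

# Constructed demo secret, shared between the stand-in issuer and the API.
# Assumption: HS256; real providers (Ping, Auth0, Azure AD) use RS256/ES256.
DEMO_KEY = b"constructed-demo-secret-do-not-reuse"

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Constructed stand-in for the authorization server issuing a JWT access token."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify_access_token(token, key, issuer, audience, required_scope, now=None):
    """Resource-server check done locally on every request, no call back to the
    authorization server. Returns (claims, None) or (None, reason)."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None, "malformed token"
    # Pin the algorithm: the token must never choose it (rejects "none" and key confusion).
    if header.get("alg") != "HS256":
        return None, "unexpected alg"
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None, "bad signature"
    if claims.get("iss") != issuer:
        return None, "wrong issuer"
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        return None, "wrong audience"
    if now >= float(claims.get("exp", 0)):
        return None, "expired"
    if required_scope not in str(claims.get("scope", "")).split():
        return None, "insufficient scope"
    return claims, None
```

Because signature, expiry and scope are all checked from the token itself, nothing needs to be stored per request; revocation before expiry is the one thing this local check cannot see, which is why short lifetimes plus a refresh token are the usual pairing.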

Angular and Web API with Ping Federate using WIF

I am using Ping to authenticate users in an Angular/.NET Web API stack, utilizing WIF. WIF works out of the box by just putting the correct configuration in web.config in an MVC or Web Forms application. It intercepts any call to a page/controller requested and, if no token is available, redirects to Ping for authentication.
Q1
In my stack that won't work, as the web portion of this application is HTML/Angular. I could put the Ping configuration into the Web API config file and then, when Angular calls the API, WIF will intercept it and (hopefully) redirect the user to Ping. But I'm not sure if Web API can do an HTTP redirect. Also, pages that probably don't do an API call will load up just fine without authentication...
Q2
Let's say Issue 1 is resolved and the user authenticates himself at Ping. Ping will need to send that assertion to the Web API layer and not to HTML/Angular, as it is a POST response. That is fine, and Web API will check the Claims object to get the user info. After which we will need to redirect the user back to the page he was trying to access, which, by now, the app will not know anymore. Also, how do I achieve HTTP redirection from Web API?
Q3
Is there a way for Ping to post to an HTML/Angular page?
Thanks for your help...
Due to the RESTful nature of APIs, they will not be able to do an HTTP Redirect. Even if they could it would be during an AJAX call and not affect the browser.
Out of the box WIF only supports the following protocols:
WS-Fed
WS-Trust
WS-Security
WS-SecurityPolicy
WS-Addressing
I suggest using the OAuth 2.0 Implicit Grant Type for the Angular/Web API portion.
That being said, the claims-based identity provided by WIF and OAuth are really complementary. You could write an OAuth extension for WIF similar to the one referenced here: https://msdn.microsoft.com/en-us/library/azure/gg193416.aspx
This is what I imagine the flow would look like:
Angular app requests information from WIF protected API
API returns status code 401
Angular app performs redirect to Ping OAuth Authorization Endpoint
User Authenticates if they do not already have an existing session with the SSO IdP Server
Bearer token is returned to the Angular app
Bearer token is added to the Authorization header and sent to the API
WIF intercepts the request, extracts the Bearer token and calls the Ping OAuth Token Endpoint to validate the token
Ping returns a token that has the "Claims" information you are looking for, those claims are then injected into WIF.
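The resource-server half of the flow just listed (steps 1-2 and 6-8: answer 401 instead of redirecting, pull the bearer token from the Authorization header, validate it against the Ping token endpoint) can be shown in a few lines. This is an added, language-neutral illustration in Python, not WIF or Ping code: the introspection call is replaced by a constructed offline lookup whose response shape follows RFC 7662 (active/sub/scope/exp), which is assumed for the Ping endpoint.

```python
import time

# Constructed sample of what the token endpoint's introspection response
# (RFC 7662 shape, assumed here) could contain for each presented token.
SAMPLE_INTROSPECTION = {
    "tok-alice": {"active": True, "sub": "alice", "scope": "calendar.read", "exp": 2_000_000_000},
    "tok-revoked": {"active": False},
}

def fake_introspect(token: str) -> dict:
    """Offline stand-in for the HTTPS POST to the Ping introspection endpoint (assumption)."""
    return SAMPLE_INTROSPECTION.get(token, {"active": False})

def parse_bearer(headers: dict):
    """Token from 'Authorization: Bearer <token>'; None when absent or malformed."""
    value = headers.get("Authorization") or headers.get("authorization") or ""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()

def authorize_request(headers: dict, required_scope: str, introspect=fake_introspect, now=None):
    """Per-request decision on the API side. Returns (status, claims).
    401 means 'no usable token': the Angular app reacts by sending the browser
    to the Ping authorization endpoint itself, since the API never redirects."""
    now = time.time() if now is None else now
    token = parse_bearer(headers)
    if token is None:
        return 401, {}
    info = introspect(token)
    if not info.get("active") or now >= float(info.get("exp", 0)):
        return 401, {}  # unknown, revoked or expired: client must re-authenticate
    if required_scope not in str(info.get("scope", "")).split():
        return 403, {}  # authenticated, but this scope was not granted
    # These are the claims WIF would surface on the Claims object.
    return 200, {k: info[k] for k in ("sub", "scope") if k in info}
```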
