We are actually using GRAPH API to access active directory users and groups from a Jira script.
For that we use the so called "no user authentication" by using Secret Key and Client key after registering an application on Azure AD.
We undertand the following points
Before sending any POST request to Graph API we need to get a valid Token.
The token value is associated to permission in place
If we change the permission, we need to get a new token to include the change
Our question is as below:
First can you confirm that we we state above is correct ?
Does it means that before each request we need to request the token each time to be sure it is valid ?
Is tehre any expiration of a token which is send with each request ?
Thanks for those clarification
regards
When you acquire an access token, the response contains the expiration time.
By default it is one hour.
You only need to get a new token if the one you have has expired/is going to expire soon.
Related
I want to store Access Token after login to memory cache so that I can validate token on every request and deactivate it when user logout (currently the token is not removed after logout).
I have searched and tried some solution but they didn't work.
Could anyone give me some advices to get token and how to validate it? Thanks
One option is to use IdentityModel.AspNetCore together with a SessionStore in AddCookies, just like this picture below shows:
The SessionStore in AddCookies can then cache the tokens in memory, instead of as by default storing the tokens inside the cookies.
As an alternative you can add an EventHandler to AddCookies that triggers each time a request arrives and there lookup if a token should be disabled.
The alternative is to use Reference tokens with IdentityServer, then the API's receiving the tokens must ask IdentityServer on each request if the token is valid or not.
I am using Passport-local on Node.js (saving user info in Mongodb) and Angular.js as the client. The process is easy.
However here are 3 security concerns:
When I do the login on the client, a json file with user and real
password are sent to the server.
After I login, the token will be saved in the Web Explorer's local
storage, which can be seen, copied and used in future.
The salt processed jwt token are saved with the username in Mongodb Users Collection, which can be seen and move to another
server (so that we can use the same username and password from
another server to log in and get a new token)
Would anyone like to discuss further about these? Any ideas on how to solve them, and reduce the risk of the website? How about using https?
There is no need to store token in your user schema if you just want to verify your token on other server instances as well. Because, jwt.verify() gives you the functionality to check if the token is valid or not . And if the token valid then you get user info in return which you have used at time of token creation. If you find that user in your database then your token is ok with valid user, otherwise not.
Main thing when creating token is, set expiresIn according to your server demands, so that even if your API security is compromised, it wont be available for long time
For example, suppose I want to determine if a user is still "logged in"... AKA their token is not yet expired.
I store my JWT access_token in localStorage when I am first issued the access_token. I know it isn't enough to simply check the localStorage to see if the access_token is there or not. I read about the introspection end point but that seems like it is for API's - not JS clients. Is the best approach to use a client side library for JWT validation? I don't like this because there is a chance I may need to switch to reference tokens. I would like to make a call to the server side for this.
What is the correct way to validate an access_token with a JavaScript client?
Update:
Upon further investigation and with advice from leastprivilege I will be using the OIDC JavaScript client so I don't need to worry about this.
Client applications are not supposed to "decode" an access token. The exact format is an implementation detail between issuer and API.
When requesting an access token, the token response contains an 'expires_in' parameter that tell the client for how many seconds the token is valid.
Most jwt tokens come with an expiry date field for expiration time(depending on the server though). You can use a library like this to decode a JWT token before saving it into your local storage and then save the expiration time inside with the token so that you can just check the local storage and the expiry time and if the current day is grater than the expiry time, you discard the previous token and get a new one.
This library might be useful to you: oidc-client-js. Some documentation is available here.
I need some suggestions from people who maybe had an experience with similar types of applications.
I am building and app that should be use for on line testing. For example if you want a job in some company, HR can create test session for you, and send you a link to an app.
That email will contain a link.
On link click I want to hit my angularjs app. AngularJs will get session id from the link it should make a request to server.
Server then needs to check db and try to find a test session with that Id, and return some response. (session data if it's ok or some message that session is expired, etc.)
The problem here is usage of JWT tokens. For example, when HR uses part of app, it has to be authenticated, which is done by jwt tokens.
What is the best practice when you have users on the other side? Like people who will take the test. They do not have jwt token, but server will expect something for authentication.
Should user get some custom token that will expired when test session expires, then maybe I can decode that token on angular side and check user role or something like that.
Did anybody had experience with building an app that can be access over a link?
Here is a possible scenario
HR connect to the app and generate a new test session
Create a new test session in the database with all the necessary info + add 2 columns : Token + Token_Expiration. The Token will be a random string and the Token_Expiration is now + x hours
Send link with token to the user by email. e.g : http://myapp.com/?token=ahdk5d5ek4945gol
User click on the link that redirects him to the landing page.
Retrieve the token from the url and send it to the server
Server must check if this token exists inside the database
If the token does not exist - Forbidden access
If the token exists - Check if the current time does not exceed the Token_Expiration
User finish the test
Server must remove the Tokenor use a third column Valid and set it to false
Send custom token with link and based on that authenticate user
then find session id for that custom token and return response
and invalidate custom token after completion of test.
I am building a glass app using the PHP sample app as reference.
To my understanding, the glass app is a web app which is user facing. When the user visit the web app, they will authorize the web app (using oauth2) to access their resources, and once authorization succeeded the web app will get an access token, which is then saved in a sqlite database (there's this store_credentials() function which stores the access token).
So if I have 100 users who visit the web app and register, the database will hold 100 access tokens for these users. Let's say I have some backend code which pull from a RSS feed every hour, and whenever I find there's a new story I will push it to all registered users. Let's say I have a cron job which does this, when when this job is triggered, I will find all the access tokens in the database and use them to make mirror API calls to insert cards. But what if some of the access token is expired when I am trying to make the mirror API call? It seems I will need to ask user to re-authorized, but at this point I am not interacting with the user. If I have a refresh token, I may be able to call oauth again to get a new access token.
Thanks.
You pretty much answered your own question - when you request permission using OAuth, you should also request "offline" access. The first time you do this for each user it will give you a refresh token along with your access token, and you should store both. If you did not request offline access initially, you will need to revoke the tokens that have been granted and re-grant them with offline access.
If the sample app you're referring to is the one at https://github.com/googleglass/mirror-quickstart-php, all this should be done for you already with the libraries included. The credentials returned from $client->getAccessToken() in oauth2callback.php should include both the access and refresh tokens, and these are saved in that same file by calling store_credentials(). The client libraries should check if the access token has expired and, if so, it gets a new one with the refresh token before making the call.
You may want to take a look at the contents of the credentials object at these various points and make sure there is a refresh token. If not, try revoking all the tokens and starting again, since it sounds like the first time you authorized the client you did so without requesting offline access.
If you are doing this yourself, best practice is to either refresh the access token if it has expired or is about to expire (since there may be some delay) before use, or (even better) attempt to make the call with an access token and, if it fails with an authentication error, get a new access token via the refresh token and try again.