I registered an application in Azure AD.
How can I get access tokens Programmatically without using AdalJS library in JavaScript?
Thank you!
You would have to use the implicit grant flow manually.
You can see some basic documentation here: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-authentication-scenarios#single-page-application-spa.
You'd authenticate the user by redirecting them to sign in, for example https://login.microsoftonline.com/yourtenant.onmicrosoft.com/oauth2/authorize?client_id=your-client-id&response_type=id_token&redirect_uri=https%3A%2F%2Flocalhost&nonce=abcdef.
Of course you'll need to replace values with your corresponding values.
And generate a unique nonce for each request.
Once the user comes back, you'll need to grab the id_token from the fragment and decode it to get the user info.
Then you can acquire access tokens for APIs with a hidden iframe with a very similar URL as before, but this time with response_type=token&prompt=none&resource=https%3A%2F%2Fgraph.microsoft.com%2F.
Replace the resource with the resource URI/id that you want a token for.
Then you will have to listen for the URL change of the iframe and grab the access token from its fragment when it returns successfully (or parse the error in case authentication fails).
ADAL.JS hides a lot of this complexity from you so I'd strongly advise using it if possible.
It didn't work for me, so I use ADAL. I added script on my page using ScriptLink custom action and acquire token there. WHen adal adds iFrame with the link, I redirect there and it navigates me back to my page with parameters in hash (url), so my script retrieves token from urls hash.
Related
I am using react.
I have a link in my App.js:
Grant Access
When a user clicks on the link, it brings them to a login page. Once successfully logged in, the user will be redirected to http://localhost:3001/.
However, the authorisation code will be within the url:
'http://localhost:3001/?code=8FNFZAJoEu10gqVxxW_NKw0EDj31XacCApZN1E4z&state='
How would I extract that code and use it for a GET request with axios from my nodejs?
I simply do not know where to start.
Please look at one of our tutorials, for example, https://forge-tutorials.autodesk.io/tutorials/hubs-browser, where we explain the process of extracting the temporary code and exchanging it for an access token. For that particular tutorial, the important line of code is this one: https://github.com/Autodesk-Forge/forge-hubs-browser-nodejs/blob/develop/services/forge/auth.js#L12.
I started from this React sample application from Auth0 and login through Auth0 works fine but does not give me the expected token.
After login the browser localStorage contains an id_token and a profile object. When I decode the id_token I see that the payload contains something like this:
{
"iss": "https://mycompany.eu.auth0.com/",
"sub": "auth0|5821bc27f92ca3261c628a26",
"aud": "2A8cgDBm86kLCtCNtUMcKPL2G3oqjIdE",
"exp": 1478755859,
"iat": 1478719859
}
The profile contains email and lots of other good stuff from the user profile as registered in Auth0.
I need to parse on the token to my API server and therefore I need the attributes from the profile-object to be part of the token. How can I make the id_token contain all these attributes, so that I can parse it in my API-service and store it the first time the user logs in?
As I see it, I cannot use the profile-object found in the browser localStorage as it needs to be signed by Auth0 in order for my API server to trust the information.
I'm also aware that I can use the id_token to make a request from my API server directly to Auth0 to get this additional information, but I just think it would be simpler and more efficient if the information was carried by the token.
Those are the claims included by default in a id_token; it's possible to request other claims to be included by passing a scope parameter with the appropriate value.
See Scopes - Requesting specific claims, for a reference on what you can pass in the scope parameter in order to influence the contents of the id_token.
To add onto João Angelo's answer, you can't request the entire "App_Metadata" object in scope. If there are app specific fields e.g. lang or favorite color, these have to be called out specifically.
Example App MetaData
Example call
https://example.auth0.com/authorize
?response_type=token
&client_id=YOUR_CLIENT_ID
&redirect_uri=http://jwt.io&connection=google-oauth2
&scope=openid+lang+favoriteColor
There may be additional caveats to the scope parameter, it would be good to ask Auth0 as you run into issues
I am using token based security in my web app. The server side is wrote using c# and i am using openiddict for logging in and issuing tokens, found here. I am currencyly using Implict flow.
By default my tokens have a lifespan of 1 hour, after that you have to logging again. I have locked down my API to accept bearer tokens only and not cookies.
I wanted to implement refresh tokens but after reading many websites, it appears that implementing refresh tokens on a web app, is not a good way to go due to a hacker getting the refresh token. I know that to use refresh tokens, you must use code flow, instead of implict, which i can do.
How do people get round this situation in their web apps? I cant be the only one who wants a token to last longer than an hour in a web app?
The approach recommended by OpenID Connect is to send an authorization request in a hidden frame with the same parameters as the ones you use for the initial implicit flow request plus prompt=none and optionally, an id_token_hint corresponding to the id_token you extracted from the authorization response.
When using prompt=none, the identity provider won't display any consent form and will directly redirect the user agent to the redirect_uri you specify, with the new token appended to the URI fragment, just like for a classic implicit flow request. You can retrieve it by extracting it from the popup.location.hash property.
If the request cannot be processed (invalid request, unauthenticated user, invalid id_token_hint, consent required, etc.), an error is returned and the identity provider either redirects the user agent to the redirect_uri with an error parameter or stops processing the request.
Note that due to the same origin policy, you can't access popup.location.hash if the current location belongs to a different domain (e.g if the identity provider refuses to redirect the user agent to your client app): it will throw an access denied exception. In this case, it's always better to add a timeout to your "refresh" operation.
Sadly, there are very few libraries that can help you with this task. oidc-token-manager is one of them, but it has a few limitations that will prevent it from working OTB with OpenIddict: it doesn't support raw RSA keys (you have to explicitly use a X509 certificate in the OpenIddict options) and it doesn't send the id_token_hint parameter required by OpenIddict when sending a prompt=none request.
My app uses JS Facebook API to use Facebook as a login/pass. Here what happens when you try to login.
User click on the Facebook Login Button
Facebook Authenticates
If Success. I grab the Facebook ID and Name of the user
Calls on my REST API on my APP to check and see if the that FBID is registered in my system.
If Registered, I write the session to verify that the user is authenticated.
This is great since I don't have to store usernames and password. But I am worried that someone will just use a REST API debugger like POSTMAN in chrome and just send a Facebook ID and the name of the user and they will be authenticated.
My question is what is the best way to secure my end that will prevent apps like POSTMAN to just input the fields needed to authenticate? Am I missing something? Can anyone recommend a strategy for this?
Or is using CSRF token the only way to combat this? I am using FuelPHP as a backend and doing a single page app using AngularJS with NgRoutes. But every time I enabled the CSRF on fuel, the token passed does not match what it was in the back-end.
I am under the impression that this is due to that the javascript token function is in the main page, where the ng-view. I know this might have something to do with the ngRoutes.
http://fuelphp.com/docs/classes/security.html
Use Fuel's Auth package. It has Opauth integration which does all the above, and for an entire list of social media platforms, not only facebook.
Always try not to reinvent the wheel, assume someone else has had the same challenge, solved at, and shared the solution with the community.
We have an app which which has various different pages which require authentication; this auth uses Google's oAuth2 flow and is currently working correctly apart from one thing: after we receive the callback from Google at our callback endpoint, we have no way of knowing where to redirect the user after success as we have no idea which page they were on when they first started the auth process.
What happens instead is that we redirect to the same page for all successful requests; this is jarring to the user as they've likely landed on a page they did not request and have to navigate back to the section they desired.
I can't find anybody talking about how to do this and all the Google samples simply do what we do and redirect the user to a standard URL.
We've tried url-encoding the redirect we want as a query parameter on the callback URL we pass to Google initially but this fails as the URL no longer exactly matches the 'allowed' one we have set up in the Google APIs console (and there is only one box to add one).
Obviously our callback method would check any data returned from them before redirecting the user (i.e make sure it's a valid place to redirect the user to) - so, is there any safe way of doing this? Ideally without having to put the URL on the session..
Thanks in advance!
The official technique is to set the state parameter which is returned to the callback url
You can redirect your user to a page with a javascript function to read in the localcache the last url visited before authentication.
You can also use a cookies for that.
This solution can be coupled with a breadcrumb widget on your website.
You can store the fromUrl into the memcache and redirect on this url when you OAuth workflow is completed.
If the memcache value has been unset, redirect to the home page.