I'm using IdentityServer 4 and I want to customize the Introspection response to include the user's claims whenever the user send it's reference token for validation. I couldn't find any documentation about customizing the Introspection response. Is it possible? Is there a better way for the user to get it's claims?
Thanks!
Related
I'm trying to validate a token (just using postman), final solution would be written in Java (spring). The problem is I don't find the exact URL to validate the token against AAD.
I found this helpful article : https://learn.microsoft.com/en-us/answers/questions/884100/azure-ad-access-token-validation.html
And in that article they said to validate the token against this URL: https://login.microsoftonline.com/<<<tenant_id>>>/v2.0/
The problem is I got 404 when I hit that URL.
I also got "200 OK status" when I hit this URL https://login.microsoftonline.com/<<<tenant_id>>/oauth2/v2.0/authorize no matter what I put in the token !! Which is strange!
This link works for me: https://login.microsoftonline.com/<<<tenant_id>>/discovery/v2.0/keys - and I get back a very descriptive JSON, but I am still stuck.
Could you please provide me the URL which would give me 200-ok when I have a valid token, and also to give me a bad-invalid response when I have a wrong token ?
I found some sample Postman requests here: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc?WT.mc_id=AZ-MVP-5003203
I got same behavior with them.
Thank you.
There is no introspection endpoint listed in https://login.microsoftonline.com/common/.well-known/openid-configuration
This authorization-server obviously supports JWTs only. To validate access-tokens, you'll have to configure a JWT decoder/validator in your Java app.
With Spring, this is done by configuring a JWT resource-server. Sample in this article. Skip the part about Keycloak and use
spring.security.oauth2.resourceserver.jwt.issuer-uri=https://login.microsoftonline.com/common in properties
not sure this authorization-server provides with user roles or groups or whatever claim to map spring authorities from (try to submit an access-token to https://jwt.io to see if you have a claim like that)
I am writing an .Net Core application with Angular Frontend.
Now users are authenticated with Azure Active Directory, which is configured over the Azure Portal.
The users are succesfully authenticated, but as a developer, I still do not now, which user has authenticated.
There are lots of exmaples how to retrieve the information about the user, which is done with
https://graph.microsoft.com/v1.0/me. But when I call this, I am getting an 401 Unauthorized response. So there must be a way to get a Token or something like that.
I am having an client-ID, tenant-ID as well as an AppServiceAuthSession Cookie. Can anyone provide an code example?
For your requirement, you can go to Resource Explorer find your app and then locate "config" --> "authsettings". Edit the additionalLoginParams in json as:
"additionalLoginParams": [
"response_type=code id_token",
"resource=<the client id of your app in azure ad>"
],
Apart from this, you also need to edit the redirect uri of your app like:
https://yourapp.azurewebsites.net/.auth/login/aad/callback
After that, you can get the access token by request https://yourapp.azurewebsites.net/.auth/me. You can use the access token to request graph api https://graph.microsoft.com/v1.0/me. By the way, maybe there are some information in the response of https://yourapp.azurewebsites.net/.auth/me. If the information is enough, you do not need to use access token request the graph api.
You are getting 401 Unauthorized response as you don't have right token to access the API https://graph.microsoft.com/v1.0/me. The right approach is to use MSAL libraries to get token for your application(by authenticating) and use it for API.
Please find step-by-step tutorial using .Net core here and code sample here.
Please find step-by-step tutorial using Angular here and code sample here.
The solution was to add an secret to the application and then call https://xyz.azurewebsites.net/.auth/me.
I'm implementing Auth0 with my ASP.NET Core 2.1 app with React front end.
After the user authenticates, I do get both an access_token and an id_token. I'm clear that I send the access_token in the header to gain access to my API methods but I'm not sure how to handle the id_token.
Do I place the id_token in the header as well? If so, what key do I use for it? I'm sending the access_token with the key Authorization -- see below.
Not sure how to send the id_token and would appreciate some pointers on this. Thanks.
You would use id_token to construct the User object in SPA application and access_token is used to access the API. So, you don't put the id_token in the header.
There is a JavaScript library for Auth0 that can help with authentication/authorization tasks: Auth0.js.
The library may help with constructing the user object and refreshing the access token.
I'm working on a SPA application, and I'm using the recommended implicit flow and I'm able to get access_token and id_token. As I need more than the profile info, I've created a separate endpoint to return the user profile information (along with all the other information that's specific to our business) and this endpoint is protected, and can be accessed only with an access_token as the bearer token. Right after getting access_token in SPA, I call this endpoint to get all the user information (which includes first name, last name etc., that gets displayed on the UI). If there is any problem with the returned id_token and access_token pair, the user profile info endpoint call would fail. So, do I really need to validate the id_token? as I'm not relying on any information within that token.
For authenticating against external login provider or authorization code flow, validating the id_token makes sense, but in my case I'm not sure about it.
According to OpenID spec:
When using the Implicit Flow, the contents of the ID Token MUST be validated in the same manner as for the Authorization Code Flow, as defined in Section 3.1.3.7, with the exception of the differences specified in this section.
1. The Client MUST validate the signature of the ID Token according to JWS [JWS] using the algorithm specified in the alg Header Parameter of the JOSE Header.
2. The value of the nonce Claim MUST be checked to verify that it is the same value as the one that was sent in the Authentication Request. The Client SHOULD check the nonce value for replay attacks. The precise method for detecting replay attacks is Client specific.
Why don't you utilise response_type parameter in authorisation request. By changing its value, you can alter what you receive for authorisation response.
Identity documentation mention about possible response type values. Following is an extraction from their documentation,
As you can see, if you do not want SPA to receive the id token, you can set the response_type value to token. If you do so you will only get an access token, which is enforced by OAuth 2.0 specification. (See the OAuth 2.0's implicit flow response_type explanation from here). Note that when you use response_type=token , you are using OAuth 2.0 (not OIDC)
I don't see any wrong in your approach as long as you utilise features enabled by respective protocols.
Can I use REST token as SOAP session ID? If so, is that a correct way of doing it? I have an App which consume SOAP and want to give an option to OAuth login to avoid user entering credentials to the App.
Thanks a lot.
You can take the access token resulting from your OAuth flow and use it in the same place that you'd use a sessionId in the SOAP API (i.e. you'd send it in the SessionHeader header in your soap requests). Remember that you'll need to include API scope when you start the OAuth flow.