I want the application token,consumer key and consumer secret for my quickbooks application created using my trial account.But I could get only the client key and client secret.Should it be a paid version else where can I get the keys for my quickbooks application?
Quickbooks stopped supporting OAuth 1.0. Currently, they are supporting OAuth 2.0. That's why you see only client key and client secret.
Refer this - https://developer.intuit.com/hub/blog/2017/08/03/quick-start-quickbooks-online-rest-api-oauth-2-0
Related
Using authorization flow and passing the information to the back-channel for the token request we don't need to save the secret in the app.
Why then does Azure force us to use a public type?
Cannot choose for the app to be a 'web' type as the redirectUri is not allowed to be anything other than 'https://foo' which in our case is 'app://auth'
edit: More information
When adding a platform on Azure AD you currently have the option between
web
spa
ios/macOS
android
mobile and desktop application
All of these are public clients except 'web' which can be confidential as the back-end is able to securely store the secret. My question is why is there a difference between web and for example an android application? The android app will communicate the exact same way a front-end application would. But choosing the android app is the only way I can configure the redirectURL for my application
An SPA being public is understandable, but forcing every mobile app to be public is something I do not understand
MOBILE FLOW
This has some differences to a web client. You are meant to use Authorization Code Flow (PKCE) without a client secret, and sign in via a Chrome Custom Tab. See this Curity tutorial for how that looks. Avoid using a web flow for a mobile client though.
MOBILE CLIENT SECRETS
Routing requests via an API that attaches a client secret is not considered standard since an attacker with your client ID and redirect URI could still trigger a flow on app:/auth.
If mobile client secrets are needed then the recommendation is to ensure a different client secret per device. This can be done using Mobile DCR. I don't think Azure supports this however.
HTTPS REDIRECT URIs
In case you're not aware, Android App Links are needed in order for mobile apps to receive authorization responses on HTTPS redirect URIs. I'm pretty sure Azure will support this, and it is a best practice since an attacker cannot get the response. More about this in a blog post of mine.
An "OAuth client" is the application which talks to the Authorization Server. In your case, you don't have a mobile client, as it's in fact the backend which talks to the authorization server. A mobile client should never be configured as confidential. Azure can't assume that all developers will be as thoughtful as you and don't hard-code the secret in their apps.
As #Gary Archer pointed out you should configure your client as a web confidential client and use HTTPS redirect uris as an Android App Link to go back to your app.
Using authorization flow and passing the information to the back-channel for the token request we don't need to save the secret in the app.
It sounds like you relate to a newer Client-Initiated Backchannel Authentication Flow. Azure does probably not support this flow, yet.
Why then does Azure force us to use a public type?
The confidential client and public client terms stems from OAuth 2.
A confidential client is an application that is able to protect its client secret. E.g. a backend application in e.g. Java, Node.js or similar.
A public client is an application that is not able to protect a secret - or where many unique instances exists. E.g. JavaScript Single Page Applications or Mobile applications - this is places where a Secret could be extracted in any client. It is now common to use a Proof Key for Public Exchange when using a Public Client.
Also see What's the difference between Confidential and Public clients? - OAuth in Five Minutes.
For Azure Active Directory, I created an app registration for my web app to enable SSO/OAuth 2.0 login for end users and to do AD lookups using the AD graph apis.
That requires me to use a client id and client secret and I have the requirement to not store the secret on the system when running inside of Azure VMs.
Is there a way using managed identities to either fetch the application secret or generate a token that can be used with the login.microsoftonline.com OAuth end points?
When you say "Web App" I'm making the assumption you are using something along the lines of an Azure App Service,
If the issue is with storing the client secret locally on the machine, the more secure way is to store the secrets in Azure KeyVault.
This stackoverflow post goes over why KeyVault is secure : Why is Azure Key Vault secure?
And the official docs provide a good overview/quickstart on getting started with Azure Keyvault. https://learn.microsoft.com/en-us/azure/key-vault/quick-create-portal
And this is a tutorial on using KeyVault with an Azure Web App: https://learn.microsoft.com/en-us/azure/key-vault/tutorial-net-create-vault-azure-web-app
Essentially secrets stay in Azure so that they're never exposed in code or on the development machine. And by using MSI, you won't need to keep track of credentials to access the keyvault. Keeping all important information in Azure.
I'm tried to build a new rich application and i'm having some problems designing the authentication process.
I've only two requirements :
An API needs to be available
An ADFS needs to be used to authentication
My first thoughts was to build the API and to use Angular.js for the frontend. However, I can't see how the authentication should work.
My API needs to be available though scripts. As far as I saw, the ADFS authentication always display t the webpage for the authentication process.
API are usually secured with OAuth2. We used an client id and a client secret to generate a token. But I can't have this behavior with an ADFS.
The only solution I see is to provide two authentications behavior with my application. One with the ADFS for the web access and in the web interface, add a possibility to generate a client id and a client secret associated with an user account that could be used for the API to the headless authentication.
Someone has already faced this kind of scenario?
Thanks a lot!
I assume the 'ADFS needs to be used for authentication' really means 'users should be able to use their Active Directory domain credentials to authenticate'.
If that is the case, you should take a look at Thinktecture IdentityServer. It's an OAuth2 authorization server that you can use with a Active Directory identity provider.
P.S. ADFS 3.0 that comes with Windows 2012R2 only supports the authorization code grant, which is not suitable for JavaScript apps.
CONTEXT
Have created an API using Google Cloud Endpoints (Python) with which numerous low power devices will GET/POST data.
The only communication with the API will be from these custom devices (I own both ends of the communication).
RESEARCH
Looking at authentication, was hoping it would be as simple as using SSL/TLS client certs:
Each remote device will have a client cert signed by a single project CA anyway.
The Google cloud endpoints mandate SSL.
However, only oauth2 appears to be supported; I'm looking for a 'clean' way to implement 'hands off' authentication, ideally utilising the client SSL cert I already have on the client devices.
I have investigated creating 'service' oauth2 accounts, however as I want to protect against a device spoofing another device (one set of credentials for all is not acceptable), I would need to generate a service account for each client device, which would be bulky and horrible to maintain on the API-end.
It seems i'm looming towards needing to add a layer of authentication within my code for each API method, which somewhat defeats the point of utilising the services of Google's cloud endpoints.
QUESTION... Finally
Has anyone had experience in authenticating 'hands off' machine to machine devices at scale against google's cloud endpoint?
Does anyone know of a way of using a client certificate in the Oauth2 authentication process in a way which would be supported by GCE?
Is my only option going to be custom authentication within the API methods based on some crypto data in the POST/GET headers. (or just moving to hosting an API with Apache/NGINX and client-cert auth?)
Regards,
Matt
I wrote you an essay:
Consider that Cloud Endpoints basically exists in the application layer of the OSI model, since it communicates via HTTPS requests (it sends HTTP requests within a TLS session). Whether or not Endpoints uses HTTP or HTTPS is not a developer-configurable option - it must be HTTPS.
It uses HTTPS in that the API server has a TLS cert which is used to authenticate the API server. Inside the secure connection, the RPC params and responses are also secured from eavesdropping. This is the extent to which Endpoints "interacts" with TLS - it uses it to establish the session and send HTTP requests inside this session.
So, already I can tell you that you will not be able to have your TLS client certs (not an often-used feature) used to authenticate API clients automatically by endpoints, in the connection setup phase. TLS client certs simply aren't looked at or requested by the Endpoints API server.
Now, while authentication of the API server itself is guaranteed through the API server's TLS cert, authentication of API clients is done via Client IDs or the Users API, which sits in your code and abstracts over the different auth options App Engine offers at present:
OAuth (2.0)
OpenID
So, in order to auth your client devices in one of these two manners and still take advantage of Cloud Endpoints, you will need to find a way for each device to perform an OAuth flow or OpenID flow, your system having provisioned an identity for the respective auth method at the time of that device's initial deployment.
Google (Apps) Accounts option
This will involve creating a Google account (Google's unified SSO) or a Google Apps account managed by a custom domain for each device, and provisioning these accounts' credentials to each respective device. You can read more about custom domain authentication and App Engine auth configuration in general here.
OpenID option (general doc on OpenID with GAE)
This will involve setting up your own OpenID provider on a GCE instance using an OpenID connect library like pyoidc, so that you can provision accounts yourself, or it could involve registering accounts with a known OpenID provider for each device. The first solution is more robust but more time-consuming (OpenID providers can go down temporarily, or deactivate forever, and then your IOT network is out of luck).
Third option using Client IDs
You can of course generate an "installed application" client ID/secret and distribute these to each device in your network. They can use this to authenticate themselves as network devices (as opposed to an attacker's laptop), and then you trust devices to accurately report their own id as a param with each API call. Depending on how hackable your devices are and how widely you intend to distribute them, this scheme doesn't necessarily prevent devices from spoofing each other's id's, although depending on the id generation scheme, you can make it very difficult (each id being a long sufficiently long hash).
If you go this route and you're really concerned about this, you can provision a client ID for each device, but who knows if you'll hit some kind of undocumented limit on number of client IDs per app, and also this will require you to either do it by hand or write a script that logs into the dev console on a headless browser and does what you need.
Fourth crazy option that actually uses the TLS client certs
If you're really set on using both TLS client certs for auth and Cloud Endpoints for your API, you could try to send the client cert in the request, since TLS is encrypting the request data (unless your attacker has found a way to efficiently solve the inverse discrete logarithm problem, in which case they'll probably be too busy attacking more important targets (no offense) and changing the infosec game forever), and then reading and auth'ing the cert in your endpoints method somehow (third party libs uploaded with your app are probably necessary for this).
Fourth realistic option if you have your heart set on TLS client certs
Switch from App Engine to Compute Engine, where you basically have a VM managed and hosted in the same data-centers. On this box, you can implement any kind of connection protocol on any port you like, so you could have incoming API requests (not Endpoints, notice) TLS-authenticated based on teh connecting device's client certs.
Good luck!
we developed applications with custom STS as identity provider. Now we planning to use thinktecture identity server (Idsrv) as primary and ADFS as secondary to replace our custom STS. I enabled WS-Federation protocol in Idsrv and added Idsrv and ADFS as identity providers. we developed web application that trusts Idsrv. I also used HRD url to show the list of identity providers whenever user access the web application. It works fine for both identity providers.
Flows :
Idsrv provider web app-->HRD-->Idsrv-->HRD--->Web app
ADFS web app-->HRD-->ADFS-->HRD--->Web app
I also specify the home realm in web application to use the identity provider as default without showing HRD. It works good.
I want to develop a wcf service that trusts Idsrv. I want to utilise the wcf service from wpf client. Based on the user's domain, I need to specify the identity provider as default.
How can I specify the identity provider in wpf client?
my requirement is same as
https://github.com/thinktecture/Thinktecture.IdentityServer.v2/issues/198
The HRD concept does not exist in WCF / SOAP. You would need to go to the idp first and then exchange that token with a token from IdSrv.
Unfortunately, we haven't implemented those endpoint in idsrv. There is a PR on github with an implementation, maybe you wanna give that a try.