we achieved the below points with Auth0.
We are able to get Management API token with client_id, client_secret, audience & "grant_type":"client_credentials"
We are able to create user/get userinfo with this token.
we are able to get access_token & id_token by "grant_type":"password", with Username & Password.
Till here we are good.
Now Question is, we have our own API which is hosted in AWS, Now we need to Authorize that API with id_token (Considering user-specific Token)
I am able to Authorize with a Management API token, but that is static for all users, I need to authorize my API with a User-Based token when I can also get some claims values, etc.
Thanks.
Related
I try to create a postman collection for my backend service which uses Azure B2C Authentication.
Within my Collection I added Authentication, which works and I can authenticate within my Chrome Browser:
Once I am authenticated and redirected back to Postman it says that an access_token can not be found. I can see that it is in id_token:
Now I created also a Request with Authentication Type oAuth 2.0 where I could select Available Token. But as the token is not within access_token it does not autofill the token. Is there any way to tell Postman that i want to use id_token as access_token within my requests in the collection?
Thanks for your help and feedback
As you saved your token with the name as Azure AD B2C Authentication, for your requests, you can select the Azure AD B2C Authentication from your available tokens.
This will auto-fill the token
I created the token with name as access token
Now for my request, I selected the access token from the available tokens under Access Token
Then the token is auto-filled as below
In this way, you can use the Access Token in collections in postman
I want to authorize(OAuth2) the Salesforce API from a service, using client_id, client_secret and redirect URL. I DO NOT want to keep username and password in my system. Can somebody please help?
You need to implement an OAuth flow, such as the Web Server flow or JWT bearer flow, both of which will allow you to obtain new access tokens for the lifespan of your integration without storing raw user credentials. Note that you will still need a user account under which to authenticate.
I have got a React application and also a backend API server which are hosted separately. I use cognito for authentication. When the user signs in, I receive 3 tokens - id token, access token and refresh token.
I have read that id token is used for authentication while access token is used for authorisation.
I am a bit confused which token (id token or access token) should I use when making API requests to the API server.
You should use the access token. It is for authorization. When you check if a user has rights to access resource it is authorization.
Authentication checks the user identity, so it gives you answer to the question - Is this really that user?
These terms should sink in, so read it here once more:
Authentication versus Authorization
I'm using auth0, I have a front end web-app & a backend api.
On the backend api, I want to get the current users email.
Currently, on the web-app, I have a Access_Token and a Id_Token
The Access_Token is what I need to authenticate for the api, but it does not have the user info that I need (email)
The Id_Token can be decrypted to get the users email
Here is the functionality that I want:
If someone hits
GET /friends
My API will only fetch the friends for the currently authenticated user
What is the best way do this?
The options I thought of so far:
Send both the Access_Token and Id_Token to the API, and decrypt the Id_Token for the user data
Send only the Access_Token, then use the Access_Token on the API to request a new Id_Token from auth0
On the web-app, decrypt the Access_Token, add the email to it, then encrypt
I have followed a few guides on adding authentication to my vue application (which has a net core api backend).
https://medium.com/dev-bits/a-guide-for-adding-jwt-token-based-authentication-to-your-single-page-nodejs-applications-c403f7cf04f4
and
http://jasonwatmore.com/post/2018/08/14/aspnet-core-21-jwt-authentication-tutorial-with-example-api
I'm a junior programmer with authentication so forgive me if my questions seem dumb.
These involve sending a username and password to my api login method and getting back a jwt token (is this an id_token or an access token?). I then send this token with every api request using the Bearer authorization. Some guides (eg microsoft net core docs) have this jwt token include role information.
Is this just a basic form of jwt authentication. Some things i have read about token authentication indicate that when i login i should get an id token which i then exchange for an api access token. These tutorials don't appear to do that - it looks like there is only one token and that it's used for api access and authentication.
Ideally i would like to implement oidc into my vue application but the many guides out there dont seem to address this.
The tutorials are talking about the JWT token based authentication , it will issue a JWT token to declare a user and their access permissions in the application.
When a user tries to log in to the application with their username and password, the server/api side will authenticate the user ,generate the token and send token back to client . Next time client could use token to access the server/API which eliminates the need for the app or system to remember or store the user’s credentials. You can involve user's basic profile information(not sensitive) and some custom claim in that token such as claim related to roles . Both client side and server side should check the specific role if you want to check the authorize part .
Id_token was added to the OIDC specification(OpenID Connect) as an optimization so the application can know the identity of the user, without having to make an additional network requests. It contains user profile information (like the user's name, email, and so forth) , and So if you are using OpenID Connect (Implicit Flow is suitable for SPA) to do the authentication and authorization , you will get id token which identity of the user , and access token which could be used to access the protected resource/API .
You are not using OpenID Connect , so no id token is involved in the scenario .