I want to make a OMS system.
And Using eBay API manage eBay order, I saw in the document, there are two types of authentication authorization mehtod, client credential grant flow and authorization code grant flow, respectively.
What is the different between two authorization method.
In my case, I want to build a system that input the user information to help the user manage their order and shipping, which authentication method should I use?
Thank you very much.
Both.
You should learn how OAuth works.
In 2 words, Oauth with client credentials returns 2 tokens: auth_token and refresh_token.
auth_token lasts for 2 hours only.
Then need to get a new one using refresh_token.
Then with a valid auth_token you call the API you want.
Related
I'm trying to include "groups" claims in what is returned by Okta after a user authenticates. It returns them when the response_type is 'id_token' but not when response_type is 'code'. For the Authorization Code flow I would expect to get the groups claims from the userinfo endpoint but they're not there.
However I've read that the authorization code flow is more secure than the hybrid flow (id_token) so I'd like to ensure there is not a way to do this?
My webapp is built on ASPNET Core 3 and I've tried the Okta.AspNetCore Nuget package.
One thing that might trip you up is that Okta do return the tokens you ask for, but the OpenIDConnect handler in your client blocks them.
You need to explicitly map those extra claims in your client, using code like:
options.ClaimActions.MapUniqueJsonKey("website", "website");
options.ClaimActions.MapUniqueJsonKey("gender", "gender");
options.ClaimActions.MapUniqueJsonKey("birthdate", "birthdate");
There is also this option you can set:
options.GetClaimsFromUserInfoEndpoint = true;
Do verify using tools like Fiddler the the claims actually is returned or not.
And yes, authorization code flow is what you should aim to use.
/userinfo response should contain all claims (for all flows including authorization code flow) including 'groups' as long as the groups scope is sent in the requests to mint the token.
Could you make sure the user is part of this group and the right scope is passed in the request ?
You can easily add 'groups' claim in access token as well. You can refer to the guide below:
https://developer.okta.com/docs/guides/customize-tokens-groups-claim/overview/
I have an http endpoint /update-user-details that is authenticated by a JWT token.
There are two valid users in my system User1 and User2.
How do I restrict User1 from updating User2's details using the /update-user-details endpoint?
You have 3 options:
DIY: implement code yourself that will do it. That's what Chappie Johnson recommends in their response.
Externalize authorization logic: use an authorization framework to do the check for you. The way to externalize really depends on the framework you developed the API in. For instance, you could look into Flask Authorization for Python or Ruby CanCanCan or .NET claims.
Externalize authorization using a standard approach: Attribute-Based Access Control (ABAC) is actually what you are looking for. In ABAC you write policies that state what can and cannot happen. alfa and xacml are the two ways you can write policies. The good thing about this approach is that you can always change the policies without rewriting your API.
In your JWT you should have a claim in the body of the token that contains the user id of the requesting user. Before making an edit, you could check to see that the user_id value in your JWT matches the user_id value that user1 is attempting to edit. If the user_id's do not match, then reject the change.
String userId = getUserIdFromJwt();
if (!userId.equals("some user id")) {
throw new HttpUnauthorizedException("You do not have access to edit" +
"this resource.");
}
You have all the information about the current requesting user in the JWT so you are able to make assertions about the user.
Cognito is a powerful tool yet it's so hard to utilize it .
Trying to implement my business logic I ended up in some dead ends and I need some help.
My client app is an admin panel where a new admin can register providing a company.
Now there are 2 applications (Contests, Reviews) based on these companies .
So from the adminPanel the admin can create events for both apps through 2 different rest apis
The concept is 1 admin is related to 1 or more companies.I have to map that relationship somehow with Cognito .
Because cognito does pretty much well authentication but not authorization.
In every request not only I have to validate the user by the access token but I also have to see if the user is authorized to do the action based on the company.
For example if a user want to create a Contest event for his company.
I will make a request to Contest Api and I have to authorize that the admin is related to this company
Company entities are used from both apis so I have to expose them in a new api called companies.(If any api wants information about companies it should call the get company/{id})
My consideration is that in order to authorize a user in my apis I have to:
1) validate the access_token .
2) communicate with Cognito to get user informations.
3) call companies api to check if user is authorized to execute actions for this campaign.
So I kind of feeling that it becomes too complex and I need 2 services to authenticate and authorize each request(cognito + company api).
Is there any other way to implement cognito authorization logic without having to use a second api ?
P.S I have already check cognito triggers but they don't cover my needs .For example pre token generation trigger can add claims but it will add them in identity_token not access_token .Also my claims has to be an array of company_ids that an admin is related but claims supports strings and numbers only
I'm planning to bring in IdentityServer4 as a security token service to an existing solution. We can authenticate users with username/password pairs which covers majority of use cases we have.
However, we have some scenarios where small number of users are authenticated using a code emailed (embedded in a link, like www.mysite.com/codeusers/{uniquetempcode}) to the user, and given access to a limited section of the site.
Another, even less used scenario is to authenticate user based on their IP.
What is the best way to handle this kind of scenarios with IdentityServer4?
I don't know if this is the best way, but you can use Extension Grants for that:
OAuth 2.0 defines standard grant types for the token endpoint, such as
password, authorization_code and refresh_token. Extension grants are a
way to add support for non-standard token issuance scenarios like
token translation, delegation, or custom credentials.
http://docs.identityserver.io/en/latest/topics/extension_grants.html
I want my user to get authenticated just once and then I will save the required detials for the user, as I want to use the API for the mentions, hot tweets, popular tweets,etc.
Is their any way I can directly access the API functions without using the authentication process of login to twitter again when I want to use this functions.
Any kind of help will be appreciated.
It is already like that. You ask for authentication only for once then store access token of that user. Whenever you send requests to Twitter on behalf of that user, you will pass that token. This is how it is done unless the user revokes your access..