OK so I have an account using SSO credentials and the data within this SaaS app is available via a REST api using OAUTH2 but the API is not SSO friendly or enabled so how do I (if possible) access the data via the API but the only credentials I have are managed by the SSO., I do have my api key and secret and I can generate my access token in python from another non sso account but the sso account even tho I have the username and password I cannot get anything but a 401.. any help?
I might add , I am just an end user and have ZERO access to the actual API or data set but I can create and edit users and access on the SaaS app I cannot however change anything with the SSO or AD
I have tried using username#domain.com/token , I have also tried org\username and password, I have tried requesting different access-types from the OAUTH2 endpoint and the only recognized type is password. And I have tried every combination of the above trying to get the data from the API
If you are trying to access the third party REST API via OAuth2 then you'll need to check with the third party team if you are authorized to access that API, they may have to provide some additional permission to allow the access. If you are getting 401 then you don't have the correct credentials, please verify.
Related
My I am trying to deploy azure AD to my application because I want to expose some of my APIs to users but I need to make sure only people that are authorized can use the resource.
I have never worked with azure AD before and I am a little lost in all the documentation.
What I need is to be able to recover a token on behalf of the user in order to authenticate them. The application does not have any webpages and I do not want to introduce any. I want to be able to grab the token, authenticate the user, and then release the resource. I expect that the endpoint will be accessed through python, java or postman.
Example of basic flow:
call security function/api in app
validate user cred (or any other type of validation)
return token if authenticated
validate token and return response
5.authentication allows user to call apis
I have just explored the authorization code pattern that azure AD offers but this requires an interactive step from what I was able to test so its no good.
I would like to be able to do something like the example flow
In case my question hasn't clued you in I am very new to this so any help is appreciated
Thanks in advance
I agree with #Gopal you can make use of client credentials flow that does not require user interaction to call an API.
You just need to enter Azure AD client application’s ID, Secret, scope to generate the access token and use that access token to call the API via Postman or in your code.
I created one Asp.net core API in VS studio and used Azure Ad authentication to call the API.
I tried accessing this API via Postman App with different flows that you can try :-
Client Credentials flow:-
GET https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token
grant_type:client_credentials
client_id:<appID>
client_secret:<secret>
scope: https://management.azure.com/.default
Results :-
API can be accessed by the Access token generated by the client app with its secret and scope.
Alternatively, you can make use of Implicit flow which will ask for user credentials via browser.
Implicit flow :-
Here, Your log in page pops up while asking for access token and you need to enter user credentials to get access token and fetch API.
Get the token and hit the token to fetch the API like below :-
Browser Pop up:-
Access Token:-
Now, copy our API URL from browser and try to access the API :-
Results :-
You can find the code samples below :-
https://learn.microsoft.com/en-us/azure/active-directory/develop/sample-v2-code#web-api
I'm integrating several web sites/services into my application. I use iframes (or webview for Vue Electron) for UI integration and I also use API to implement cross-communication between those services.
At the moment I have to go through OAuth 2 authentication twice for each service: once as part of natural authentication in iframe and another when I ask the user to give me access to this service (for api reasons).
Is there any way to streamline this process?
The state of the art response would be to modify your application completely.
You should have 1 SPA application and not iframe
This application would authenticate to get OAuth2 token
This application would then call the backend (access multiple backend, or access on api management layer that call backends).
Thing is, with this you can have 2 strategies :
give all permission (scope) at 1st authentication
give the smalled scope possible at 1st authentication, then when needed "reauthenticate" (in fact validate new scope) to get new access token
When an API want to call another API, you have also 3 strategies:
you simply use the same client token the API receive to the service your API call (no human interaction needed)
your API generate a token from a service account (using ROPC authentication scheme) or via a client credential scheme (the access token will be valid but usually not be bind to a real user), (no human interaction needed). (the API will be the client of the 2nd API)
your identity provider have an endpoint to transform access token : Your API can give the client access token, and authorization server will transform this with the client_id of your API. You send this token to 2ndAPI ( token will show subject of your UI application, but client ID will be the 1st API clientId) (no human interaction needed)
Now if you use IFrame with multiple sub-application on the same domain (the domain need to be exactly the same!), it is possible to share the same access token for instance via local storage. (security is not top notch)
You will probably need to authenticate with a bigger scope list sometime but it is your only option. You will simulate a single page application, but issue is that you will have potentially different client_id depending first application you authenticate to.
Edit: Multiple authorization server
From your comment, you have multiple authorization server. One strategy could be to ask user to authenticate, your application can then get an access_token and a refresh_token.
Depending on your authorization server, refresh_token can be used a lot / on a long period of time, so that if you store it somewhere, the next time the user visit your application, your application can silently get an access_token from this refresh token. Your application have then access to remove api without newer interaction from your user.
Of course, this means you have to save this token the most safely you can.
By using OpenID Connect you could combine authentication and authorization in a one step and get both an id_token to logon your user to your app as well as an access_token to access APIs in a single authentication response.
I am currently being tasked with writing an RESTful API that we are going to release to our clients. I plan to use Web API 2 with OWIN middleware. The applications that will be accessing this can range anywhere from a Console app with no additional user authentication to full blow web applications that will involve user login and authentication.
One other requirement is that we need not only provide user authentication to control what data we will return, we also need to authenticate that the application accessing our API is allowed by our organization. So this requires us to not only validate the application invoking our API's but also the many users logging in via that application.
The goal is to use a bearer token technology like OAuth 2. I am not very familiar with OAuth 2 but after looking it over I don't see a way to facilitate a two part authentication like this. Ideally we would like to issue a clientId and a clientPassword and they would pass this in along with the userid and userpassword and we would then pass a token back.
Is this something that anyone has tackled before using OAuth2 or is this a job for a custom auth solution?
What you describe sounds like fairly standard Oauth2.0 scenarios so you shouldn't need anything custom.
For the web apps you could use the Resource Owners Password Credentials Grant. Which is a standard flow.
This allows your Oauth client to pass in its client Id and client secret along with a user's Id and password to your Auth Server which can then validate both the user and the client before issuing a token in response.
But I would recommend using the Authorization Code Grant which is probably the best option for web applications and it involves both the client and the user being effectively authenticated.
For you console apps, or any apps which are not user specific, you can use the Client Credentials Grant. This allows the app to authenticate and to get a token without a user.
If you need your API to be aware of the client application, the only flow you can't really use is the Implicit Grant which doesn't authenticate the client.
I have an application with users/password (not developed by us) that calls a web service to inform us when a new user is created. This web service should enable us to create automatically a user through the google Directory API service to create an account on the Google Apps For Education.
How can I do that without using OAuth but using only login/password for the admin user of the Google Apps account ?
I know to update CSV file to create/update accounts in Google Apps but would need to create the accounts on Google without doing manual upload and batch.
Thanks for your answer.
The old ClientLogin authentication method for Google APIs is deprecated and is not supported by the Admin SDK Directory API.
You should use OAuth 2.0. Once you have the OAuth 2.0 refresh token for your script, you don't need to reauthenticate the user each time, just grab a new access token if the current one expires.
You may also be able to take advantage of existing applications that already perform the OAuth work for you like GAM.
I just did this exact same thing in a GAfE domain. I needed to create 60,000 accounts quickly, and have them placed in specific organizational units (schools). I'm now putting together a series on how to make sense out of Google Apps for Education using the API explorer and OAuth 2.0.
Basically, you'll need to forget passing user/pass credentials using the API. You'll need to create an OAuth 2.0 ID (web application), and enter a redirect URI (the callback page that will process the request after authorization has been granted). At this point, you'll need to compile a URL string with the following information:
Base URL for the authorization request
data scope
client ID
response type
redirect URI
See the example below:
https://accounts.google.com/o/oauth2/auth?scope=https://www.googleapis.com/auth/admin.directory.user&client_id=your_client_ID_copied_and_pasted_from_the_API_console&response_type=code&redirect_uri=https://www.example.com/callback.php
Once authorization has been granted, you'll be passed a code in the URL that you'll need to exchange for an ACCESS TOKEN using a POST request to https:// accounts.google.com/o/oauth2/token. The response will include the access token that you can then use in your POST request to the directory.users.insert API.
I want to authenticate an admin using OAuth2 and access data for accounts that are under this admin.
Primarily something like this, I have an organisation : A --> B, C, D where A is the admin.
If i authenticate A can i access data from B,C,D.
We were able to do this in OAuth1.0 and appending email ids in request URL's.
How do we achieve it in OAuth2.0 ?
(assuming your users are under a Google Apps domain)
This can be achieved in OAuth 2.0 using service accounts. You need to:
Create a service accounts and download private key.
Delegate domain-wide authority to your service account (see the link below for instructions).
Use a signed assertion requesting access to the users data to receive an access token for use in subsequent API calls.
See here for an example using Google Drive API:
https://developers.google.com/drive/delegation
See also the "Additional Claims" section here:
https://developers.google.com/accounts/docs/OAuth2ServiceAccount#jwtcontents