I am currently building an OAuth 2.0 endpoint with authlib.
At the stage of creating a token introspection endpoint, the official documentation suggests a function get_token_user_sub(token) in the method introspect_token(). What is it supposed to return? What is a "sub" in this context?
sub is subject in userinfo, usually it is the user ID.
Related
I'm trying to include "groups" claims in what is returned by Okta after a user authenticates. It returns them when the response_type is 'id_token' but not when response_type is 'code'. For the Authorization Code flow I would expect to get the groups claims from the userinfo endpoint but they're not there.
However I've read that the authorization code flow is more secure than the hybrid flow (id_token) so I'd like to ensure there is not a way to do this?
My webapp is built on ASPNET Core 3 and I've tried the Okta.AspNetCore Nuget package.
One thing that might trip you up is that Okta do return the tokens you ask for, but the OpenIDConnect handler in your client blocks them.
You need to explicitly map those extra claims in your client, using code like:
options.ClaimActions.MapUniqueJsonKey("website", "website");
options.ClaimActions.MapUniqueJsonKey("gender", "gender");
options.ClaimActions.MapUniqueJsonKey("birthdate", "birthdate");
There is also this option you can set:
options.GetClaimsFromUserInfoEndpoint = true;
Do verify using tools like Fiddler the the claims actually is returned or not.
And yes, authorization code flow is what you should aim to use.
/userinfo response should contain all claims (for all flows including authorization code flow) including 'groups' as long as the groups scope is sent in the requests to mint the token.
Could you make sure the user is part of this group and the right scope is passed in the request ?
You can easily add 'groups' claim in access token as well. You can refer to the guide below:
https://developer.okta.com/docs/guides/customize-tokens-groups-claim/overview/
I need help to the follow issue:
Each endpoint of my API is decorated with the "Authorize" attribute, where I indicate the claim or the necessary claims to access the endpoint. However, the same user can have a considerable amount of claims and these claims will be stored in the database. So with every request in my API, I need to intercept this request, identify the user, query the database to see if it has the required claims, and return, providing or denying access to the requested endpoint. Most of the implementations that I saw on the internet, pass the claims in the code itself, in a static way, and that does not meet me.
I tried to implement some custom filters, but I was not successful either.
Could someone help me solve this?
Thanks!
I recomended you to use JWT Authorization.
It's easy to implement and also secure.
In this article you have an example with how to do it. I hope that's help you.
https://code-maze.com/aspnetcore-webapi-best-practices/#jwt
I am trying to update Google sheet values.
"Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential."
I want to do this using API key not outh 2.0
Can anyone have any suggestions.
Not possible. You need to use the OAuth login as indicated here in spreadsheets.values.batchUpdate:
You can see on the authorization part that it uses OAuth scopes, therefore it follows that it uses OAuth not API KEY:
Authorization
Requires one of the following OAuth scopes:
https://www.googleapis.com/auth/drive
https://www.googleapis.com/auth/drive.file
https://www.googleapis.com/auth/spreadsheets
I am facing similar type of issue.
Issue Analysis:
Actual issue is missing of scope.
Solution:
Scope can be added by the following ways:
using enabling api
Adding oauth scope list. List is available here: https://developers.google.com/identity/protocols/googlescopes
Adding scope from Code level
Details are available here:
If any scope is missing, first we need to check that related api is enabled or not. If not enabled yet, go first on google console and enable api.
Procedure is available here: https://support.google.com/googleapi/answer/6158841?hl=en
After enabling api, sometimes you will not get your expected scope. If there is any sophisticated scope is required, you need to add those in your scope list. For this, you need to follow the procedure:
i) Go to google console
ii) Select your project
iii) In left sidebar, you will get "Oauth consent screen". Click on that button
iv) You will get "Add scope" button. There is actually 3 is enlisted primarily: email, profile and openID
v) You can add your expected scope here.
In code level, we can also add SCOPES. In code level, I am using singleton list. Which is always using single scope. So when I need another scopes like user profile or user email. I can't reach those. So I changed it and got my expected result.
Previous Code:
private static final List<String> SCOPES = Collections.singletonList(DriveScopes.DRIVE);
After change:
private static final List<String> SCOPES = new ArrayList<>(
Arrays.asList(DriveScopes.DRIVE,
Oauth2Scopes.USERINFO_EMAIL,
Oauth2Scopes.USERINFO_PROFILE,
Oauth2Scopes.PLUS_ME));
Yodlee has a getOAuthAccessToken API call.
When calling getOAuthAccessToken with a valid cobSessionToken and userSessionToken, it returns a response that looks something like this:
{
"token":"985db1c266544028ad0caad43d40460a",
"tokenSecret":"1fd3981c8d00404eb1ff184f2788a5a6",
"tokenLiveTime":3600,
"tokenCreationTime":1382681683679,
"bridgetKeyData":{
"bridgetAppId":10003200
},
"memId":11903865
}
Given that it is documented as part of the Aggregation API, it seems to be implying that I can call the other aggregation API methods using an OAuth token as an alternative to using the cobSessionToken and userSessionToken parameters.
Is this indeed possible? If so, what unit of time is tokenLiveTime is expressed in?
This getOauthToken API is used to invoke the Fastlink application.
Fastlink Application is a Yodlee hosted app, which could be invoked to you website and allows the consumers to search a particular site and do an add account. This safe time and effort of the customers/developers for building a UI for consumers to add an account.
This API is not intended to use as an alternative to cobSessionToken/userSessionToken.
You can find more about the Fastlink here.
The tokenLiveTime is in seconds.
maybe I am not understanding the OAuth flow correctly, but this is what I want to be able to do: I have a service that will issue request to Trello's API, so, in order to perform some of the requests, I need to have a access token.
Is this even possible? I know that you can do this with other services, like Twitter, but I don't know if I can do this against Trello.
I am using NodeJS with a library called oauth to do this, and my flow looks like this: I created a new OAuth object, call getOAuthRequestToken and then I call getOAuthAccessToken in the callback, and is there where I get an 500 error saying that the oauth_verifier is missing.
Here the piece of code I am talking about:
var OAuth = require('oauth').OAuth,
oauth = new OAuth('https://trello.com/1/OAuthGetRequestToken?key=' + config.key,
'https://trello.com/1/OAuthGetAccessToken',
config.key,
config.secret,
'1.0',
null,
'PLAINTEXT');
oauth.getOAuthRequestToken(function(error, oauth_token, oauth_secret, results){
//Here I have some error handling code
oauth.getOAuthAccessToken(oauth_token, oauth_secret,
function(error, oauth_access_token, oauth_access_token_secret, access_results){
//Here I would be storing the access token for later, etc.
}
});
So, obviously, I am not passing the oauth_verifier parameter to the getOAuthAccessToken method (I checked in the code and that function is expecting the verifier as third parameter), but I am not doing it because I do not have it: the results object is empty and I do not know how to get it programmatically.
Another thing to notice is that I am passing the key parameter in the request token url and using plaintext as signature because I just thought that would be the right thing to do (I haven't see any reference in the documentation about what kind of signature to use or if I need to pass the key as a parameter).
Am I doing things really wrong? Am I in the correct track? what am I missing?
As always, thanks in advance! =)
Trello docs don't say much about oAuth.
I'd speculate that the issue would be that Trello is oAuth 2.0 (used by Facebook, Google) and you're using the oAuth 1.0 scheme (used by Twitter, Tumblr).
For what it's worth, the node-oauth library has an oAuth2 implementation in its lib directory you can include via require in node.js.