According to OIDC specs when an authentication request contains the max_age field
the ID Token returned MUST include an auth_time Claim Value
Starting January 28, we don't see the auth_time field returned in the ID Token returned from the google auth api.
Did anything changed on the Google side as far as honoring that flag is concerned?
Thank you!
Related
An integration for the app I'm working on requires that a user be logged in via a redirect. So the plan is to have a single use token as url param, then once they get redirected and the token is verified I will create a session for them with cookies. Unfortunately putting the token in the headers is not an option here. I was thinking of ways to accomplish this without having to make a new table for either whitelisting or blacklisting tokens, and came up with this:
Create a token who's payload includes an expiration time, the users id, and the users last sign in datetime. Then encode that token with a secret.
Then to validate the token after the redirect, it first gets decoded using the secret. Then the expiration time is checked. Lastly, I get the user's last sign in datetime from the database, and check that it matches the one in the token payload. If all checks pass, then the user is signed in, and a session cookie is set for them.
Mainly I'm looking for feedback about security. Thanks!
I'm working on building a powershell script to update user's profiles in Yammer. I need to be able to update users' subscriptions (followers) in their yammer profile and in order to do that, I need to get an auth token for that user (impersonation). According to Yammer's api documentation (https://developer.yammer.com/docs/impersonation), I need to be a verified admin (I am). I've registered my app with Yammer, I have a bearer token for my app which I'm passing in the auth header, and I'm passing in the consumer key and user_id for whom I want to impersonate in the api request query string. The api is responding with a 400 - Bad Request. The error message states that the request cannot be fulfilled due to bad syntax. I'm testing this using Postman. I am sending a GET request to the API as shown below. Obviously, I have actual values for the userId and consumerKey values. Does anything appear incorrect with this query and/or does anyone have any experience with this api that could possibly share some insight?
https://www.yammer.com/api/v1/oauth/tokens.json?user_id=userId&consumer_key=consumerKey
I am currently implementing a feature that you have the ability to save a song displayed on my iOS application (written with Swift) and this save button allows the song to be appended to the user's Spotify library. According to the Spotify Developer guide, the only scope required for this feature is user-library-modify when authorizing the app with the user. The url to be opened goes like this:
https://accounts.spotify.com/authorize/?client_id=my_client_id&response_type=code&scope=user-library-modify&redirect_uri=http://my_redirect_uri
This all works perfectly - the url is opened for the user to approve of the changes my app can make and the callback url with the required code is in the url is opened.
The next step in performing the required function is to get an exact token in order to use the api, which is done by calling the url:
https://accounts.spotify.com/api/token?grant_type=client_credentials&client_id=my_client_id&client_secret=my_client_secret&response_type=code&redirect_uri=http://my_redirect_uri&code=the_code_I_just_retrieved
With this url, a json file is returned with the new token and info with it, BUT when looking at the permitted scopes the token has, it is empty:
["scope": , "token_type": Bearer, "access_token": the_token_string, "expires_in": 3600]
Also, when I still try to perform the request it returns:
["error": {
message = "Insufficient client scope";
status = 403;
}]
In this lengthy process, what am I doing wrong? In case you are wondering, here are a few things I have tried without success:
1) Re-listing the scopes in the explicit token request
2)Adding utf-8 encoding to the redirect uri (not sure if this changes anything)
3)Adding many other scopes (although this clearly does not target the problem)
If anyone knows what I am doing wrong or has any suggestions as to what I should try, I am grateful for any helpful response!
I have found my mistake. The grant_type I have entered in my url set to client_credentials. However, this method of accessing the web API only permits the usage of publicly available data, not user info. Therefore, this method of authorization does not accept the parameter scope, forcing the spotify account service to ingnore this additional parameter. The other options DO allow accessing the user data, which are:
authorization_code, and refresh_token
The way this now has to be done is to:
1) Authorize the user regularly (with supplying the scopes) to retrieve the initial authorization code
2) Then, with this code, make the token request, but specifying the grant_type to be set as authorization_code
3) You have then received a valid access_token valid for one hour AND a refresh_token
4) Use the access_token when necessary and when this token expires, make another token request, but this time with the grant_type set as refresh_token and setting the code parameter to the previously gained refresh_token
5) You now have the next access_token and refresh_token
6) Repeat steps 4-5 until infinity
I managed to login with google plus, but after authenticating, I'm not sure which of the values is the unique value to authenticate the user.
After authenticating, I see a response with fields like:
access_token, code, id_token, but I'm not sure which to use?
access_token: you use this to make API calls as the user who has just signed in - e.g. to retrieve profile information. This is valid for 1 hour.
id_token: this is a special signed blob which contains the user id of the signed in user, and the client ID of you application, can be used to identify the user. This is valid for one hour also.
code: you can send this to a server to exchange for an access token (to allow the server to make calls). This is valid for a few minutes.
In general you will use the access token to retrieve the user's name and photo as a next step: https://developers.google.com/+/web/people/#retrieve_profile_information
The specification here
http://msdn.microsoft.com/en-us/library/windowsazure/jj710106.aspx
states that the response body contains the "original authentication token". However, even in the example it is different from the one originally sent to the server. What is the difference between these different tokens, why are they called the same and how should they be used?
The documentation is incorrect. The token sent to the service is a Live SDK token; the token returned by the service is an Azure Mobile Services token. It currently wraps the given token, adding more information specific to the mobile service, but that's an implementation detail which can change in the future (in other words, you should always treat the token returned by the call as an opaque blob of data) - as long as you keep passing that token along in subsequent calls, those calls will consider to be authenticated.
I'll pass this information along to the team to have them fix the documentation, thanks for pointing it out.