I am working on generating token for agora using appId and certificate. I am able to generate the token. But I want to validate the token, what is the Api calls, I can make, for checking whether my token is valid or not.
Note : I don't want to use any sdk. I just want plain REST APIs calls.
Related
We have Duende server for our UI and users provide their username and password and obtain an access token that is then used by our SPA app to call api's with the access token issued by our identity server.
I'm in a situation where I need to call the same API from a script and was wondering if RestSharp has some capability to obtain an access token if provided certain information (perhaps the users email/password etc that are typically entered into an interactive website) ?
I see that the RestSharp has some OAuth related "authenticators" but the documentation is unclear exactly what they achieve. I also dont see it mentioning anything about an email address and password.
I'm wondering if theres an option that is different than me generating a JWT elsewhere and supplying it directly to restsharp. I'd love if there was a programmatic way to generate the token directly from the IDP.
RestSharp documentation doesn't make it secret about how authenticators work. Both OAuth2 authenticators only add the necessary header or query string using the token you provide, but they don't request the token.
Duende server documentation explains in detail how to get a token based on the password grant (which is using the username and password).
Although the OAuth2 spec is stable, each API vendor has its own limitations. For example, Twitter API v2 only supports the client_credentials grant type. Therefore, it's not easy to create a generic OAuth2 client.
Still, it's quite easy to amend the Twitter authenticator sample from the docs and extend both request and response models to support the Duende server token request endpoint.
Intro
So I have read official docs Authenticating for invocation which is about helping developer testing and I got that working, but this approach requires a SA and a generated token. It seems the docs mix up "authentication" (proving identity) and "authorization" (giving access) which is not making it easier to get the whole picture.
I want to authorize Google Cloud Function with the user's ID token generated from Identity Platform. The official Firebase docs says:
"When a user or device signs in using Firebase Authentication, Firebase creates a corresponding ID token that uniquely identifies them and grants them access to several resources, such as Realtime Database and Cloud Storage. You can re-use that ID token to authenticate the Realtime Database REST API and make requests on behalf of that user."
My setup
I got the following artifacts to test function authorization with user:
A local React app with npm 'firebase' and a login form calling firebase.auth().signInWithEmailAndPassword.
firebase is initialized with config fields apiKey and authDomain.
An Express API deployed to Cloud Functions with default permissions, but I've provided the cloudbuild file with --allow-unauthenticated as an attempt to only focus on authorization.
A local Postman request setup calling the Express API with authorization type=Bearer Token and token set to the ID token received in the React app's onAuthStateChanged from user.getIdToken()
The Postman request responds with 401 Unauthorized. Notice it says Unauthorized, not 403 Forbidden.
Research
When reading up on the topic, I came across the following approaches to solve my problem:
Fetch the user id from the token and push it to a custom backend service which does admin.auth().setCustomUserClaims and then do the function request. GC should then hopefully know about the token's new claims.
Also about claims; generate a new token (based on current ID token?) and set claims.aud to the URL of the function. The ID token I'm using has claims.aud=projectname which I'm not sure what means.
Verify token in function code by using firebase admin. But the authorization of access is still not performed, so this approach seems to miss something.
What is required?
I suppose authentication is ok, Google Cloud should recognize the bearer token (?) but I've also read that there's no built-in functionality for this. Anyway, the authorization part is less clear to me when it comes to function requests on user level.
To summarize:
How should we authorize an ID token from Identity Platform to Google Cloud Functions? Could any of the three above-mentioned approaches be used?
I'm trying to enable multifactor auth in my Flutter project, which is only targeting the web platform. As I understand, the latest version of the FlutterFire SDK does not support MFA. This is why I'm trying to use the Google Identity Platform APIs to add the feature to my app.
I can already acquire a token from the REST API, but when passing it to the signInWithCustomToken() method, I always get this error: 'The custom token format is incorrect...'
Here is how I'm trying to sign a user in:
Use http package to post to https://identitytoolkit.googleapis.com/v1/accounts:signInWithPassword
Start MFA by posting to https://identitytoolkit.googleapis.com/v2/accounts/mfaSignIn:start
Get the SMS verification code from the message sent to the user's phone number.
Post to https://cloud.google.com/identity-platform/docs/reference/rest/v2/accounts.mfaSignIn/finalize
with the SMS verification code.
Get the idToken from the response body.
Pass the acquired idToken to the FirebaseAuth.signInWithCustomToken() method.
Looking at this Firebase doc, it appears that the token I get from GIP REST API is formatted differently.
Is there anything I can do so that the Firebase SDK accepts the tokens I get from the Google Identity Platform REST API?
The Firebase signInWithCustomToken() method takes a token generated by the Admin SDK, not a Google Identity token.
Tokens returned by GCIP (Google Cloud Identity Platform) are the same Auth ID tokens used by Firebase. After calling finalizeMfa you have essentially signed into Firebase, and if you begin to use the SDK, you'll see that it works at this point without any conversion.
According to the API doc, after you get an auth code in step 1 you need to redeem it for a token, using the following parameters:
client_id={client_id}&redirect_uri={redirect_uri}&client_secret={client_secret}
&code={code}&grant_type=authorization_code&resource={resource_id}
But where do I get the client_secret value from? This is a native client app that I registered in Azure AD, so it only has a Client ID and a Redirect URI.
For a native client app, you don't need to provide the client_secret value when redeeming the authorization code or refresh token. Only "confidential" clients, aka services, need to provide the client_secret.
I'm using the Google OAuth2 Javascript library to request an access token from users. I want to store the token in a database on the server.
To be able to access that user's data after the token expiration, I also need to store the refresh token. I know how to do that when using a server-side Google OAuth2 library (specify access_type=offline), but I need to be able to do it with the client-side Javascript library and it doesn't work.
You do not want to store the refresh token in the client! That would be akin to storing his username and password.
The Javascript client does not support type=offline, since that would expose the refresh token.
Your choices are :-
Generate and store the refresh token on the server
Have your client simply keep requesting access tokens as it needs them. Set immediate=true so there is no visible interaction with the user