is it possible to access original token in ADFS 2.0?
i mean, if the SAML token comes as the input to the ADFS i want to add this complete token in the transformation rule to the claim for the output.
thanks
Why do you want to do this?
Normally, the SAML token is sent from ADFS to the RP. The RP can get at the token by using BootstrapToken.
The token is only an ADFS input for federation.
Related
I try to create a postman collection for my backend service which uses Azure B2C Authentication.
Within my Collection I added Authentication, which works and I can authenticate within my Chrome Browser:
Once I am authenticated and redirected back to Postman it says that an access_token can not be found. I can see that it is in id_token:
Now I created also a Request with Authentication Type oAuth 2.0 where I could select Available Token. But as the token is not within access_token it does not autofill the token. Is there any way to tell Postman that i want to use id_token as access_token within my requests in the collection?
Thanks for your help and feedback
As you saved your token with the name as Azure AD B2C Authentication, for your requests, you can select the Azure AD B2C Authentication from your available tokens.
This will auto-fill the token
I created the token with name as access token
Now for my request, I selected the access token from the available tokens under Access Token
Then the token is auto-filled as below
In this way, you can use the Access Token in collections in postman
I want to authorize(OAuth2) the Salesforce API from a service, using client_id, client_secret and redirect URL. I DO NOT want to keep username and password in my system. Can somebody please help?
You need to implement an OAuth flow, such as the Web Server flow or JWT bearer flow, both of which will allow you to obtain new access tokens for the lifespan of your integration without storing raw user credentials. Note that you will still need a user account under which to authenticate.
I am trying to understand the difference between user token and app token.I have lot of confusion between the two. For now I have a piece of code which tries to access cross team api and my code tries to access it by providing client id and my authentication credentials. I get bearer token. Is bearer token an app token? User token is one where user signs in using his credentials. Can anyone explain the difference between the user token and app token in general?
User token and app token are not OAuth2 terms. But in general, a user token is a token that was issued because the user authenticated and the app acts on the users' behalf.
An app token is issued when the app gets a token on its own behalf using client credentials. I described the OAuth2 flows in this answer.
A bearer token just means that you only need that token to access an API as opposed to needing a cryptographic key to prove you can use the token.
I have got a React application and also a backend API server which are hosted separately. I use cognito for authentication. When the user signs in, I receive 3 tokens - id token, access token and refresh token.
I have read that id token is used for authentication while access token is used for authorisation.
I am a bit confused which token (id token or access token) should I use when making API requests to the API server.
You should use the access token. It is for authorization. When you check if a user has rights to access resource it is authorization.
Authentication checks the user identity, so it gives you answer to the question - Is this really that user?
These terms should sink in, so read it here once more:
Authentication versus Authorization
Can someone tell me how to send jwt authentication token for every rest request send from asp.net core to the web APi,
Does there is need to create a secret key to sign the token signature?
Can we just send the token without signing the token.
This is very broad question.
Short answers:
Tokens are usually sent in cookies. Certain solutions also store tokens in browser localstorage or sessionstorage and then add the token in every request header
Yes, signing the token is mandatory. Otherwise, the server won't have a way to determine if the token has been tampered by an attacker or client. Signing is required for security
But there are much more to it. Refer to the following for details:
https://stackoverflow.com/a/54258744/1235935
https://stackoverflow.com/a/54011649/1235935
https://www.rfc-editor.org/rfc/rfc7519
https://www.rfc-editor.org/rfc/rfc6749