I have an Java backend app uses Azure Active Directory. I am using oauth2 bearer token to login. On backend side I am searching and using oauth2 attribute "preferred_username" and it works. However when I send login request from postman/insomnia there is oauth v1 token and there are oauth v1 attributes like instead of "preferred_username" there is "unique_name" but "ver" attribute is 1.0.
The token type seems oauth2
What causes this?
Please check the URLs you are currently using to send login request via Postman.
To get v2.0 OAuth2 token, you need to use v2.0 endpoints:
Go to Azure Portal -> Azure Active Directory -> App Registrations -> Your App -> Overview -> Endpoints
In addition to that, ensure to modify Manifest file by changing accessTokenAcceptedVersion value to 2. By default, it will be null for single tenant applications.
I tried to reproduce the same in my environment and got below results:
Initially I generated access token with v2.0 endpoints, leaving Manifest file as default like below:
When I decoded the token, I found OAuth2 v1.0 attributes like below:
In order to get v2.0 token, I changed App's Manifest file like below:
I generated the access token via Postman with parameters like below:
POST https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token
When I decoded the above token, I got OAuth2 v2.0 attributes successfully like below:
In addition to #Sridevi s answer I realize that I need to add optional claim preferred_username as below from Azure Active Directory > App registrations > My App > Token Configuration.
Related documentation is https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims
Both are fixed my issue.
Related
I want to build a Cloud Run to Cloud Run communication and use this how-to:
https://cloud.google.com/run/docs/authenticating/service-to-service
I generate a id token and add them to the Authorization: Bearer ID_TOKEN header. My problem is, that I also need to send a custom JWT Token in the Authorization header.
Is there a way to pass both token in the Authorization header without a custom header? Or has google cloud the option for a alternative header?
From my application I have to invoke external http service which uses google authentication. It works when I invoke it from browser. I found out that it happens because I have cookie which contains
GCP_IAAP_AUTH_TOKEN_<random_string>
GCP_IAP_UID
So my cookie look like this:
cookie: GCP_IAP_UID=111111111111; GCP_IAAP_AUTH_TOKEN_1234567891234567890B=verylongstringhere"
I tried to set this cookie directly in my restTemplate and it works properly but I expect that I have to get token based on some kind of credentials.
webClient.post()
.uri(uploadUrl)
.header("cookie", "GCP_IAP_UID=12345678901234567890; GCP_IAAP_AUTH_TOKEN_12345678907645456546B=verylongstringhere")
Could you please provide example of correct usage GCP auth ? How to update token? Based on what?
Google APIs use the OAuth 2.0 protocol for authentication and authorization
You can obtain OAuth 2.0 client credentials from the Google API Console. Then your client application requests an access token from the Google Authorization Server, extracts a token from the response, and sends the token to the Google API that you want to access.
Before your application can access private data using a Google API, it must obtain an access token that grants access to that API.
There are several ways to make this request, and they vary based on the type of application you are building. For example, a JavaScript application might request an access token using a browser redirect to Google, while an application installed on a device that has no browser uses web service requests.
I recommend you to go trough OAuth 2.0 to Access Google APIs article to choose the best method for your application, there are a couple of documented scenarios to explain how GCP uses application authentication
I'm trying to develop a simple java client that needs to access Skype for Business APIs in order to setup an online meeting (i.e. I need to retrieve a simple setup meeting URL by invoking an UCWA API).
I followed this Microsoft tutorial step-by-step:
https://learn.microsoft.com/en-us/skype-sdk/ucwa/developingucwaapplicationsforsfbonline
I have an Office 365 Business Premium license and I configured a custom domain (correctly registered and added at the zone DNS file);
I configured and registered my java client app on Azure (taking care to assign required delegated permission for Skype for Business capabilities);
I performed the Sign-in phase and Azure is able to recognize me;
I performed the Autodiscovery phase in order to retrieve the user's UCWA home pool;
I sent a GET request to the Azure oauth2 endpoint with response 401 error (and this is the expected behaviour by the authentication handshake);
Unfortunately, I failed when I request an access token using implicit grant flow: Azure responds with a Sign-In HTML page rather than the json object containing the oauth2 access token.
What's wrong on this GET request?
GET https://login.microsoftonline.com/oauth2/authorize?
response_type=id_token
&client_id=my_application_client_id
&redirect_uri=configured_redirect_uri
&state=UUID_generated_code
&resource=UCWA_home_pool
HTTP/1.1
This GET URL looks like that one used for the Sign-In phase (step 3); I suspect that it isn't the right request URL.
I tryed to put my domain on the URL:
https://login.microsoftonline.com/my_domain_name/oauth2/authorize
and I tryed to put a common domain name (as reported on the documentation):
https://login.microsoftonline.com/common/oauth2/authorize
But Azure still reponds with a Sign-In page (and response code 200 OK).
Can someone help me please?
Please check the oauth2AllowImplicitFlow property in manifest of your application after downloading the latest manifest file. It should be set to true for this to wrok. If it's still false, only then I would expect the redirect to sign-in page as you're seeing.
More detailed steps here -
Configure your app for OAuth implicit grant flow
I set up login in web application with ADFS.
Authorization request looks like:
https://sso.company.net/adfs/oauth2/authorize?response_type=code&client_id=ruleman&resource=urn:ruleman:1&redirect_uri=http://ruleman.net/authorize
ADFS performs authorization and redirects to the app:
http://ruleman.net/authorize?code=aaaaaaaa.bbbbbbbbb.ccccccccc
One knows that the token from code parameter contains claims such as username etc. How to decode the token and extract the claims?
The Postman flow for this - refer Postman : Authorisation Code Grant on Server 2016 - ADFS 4.0.
This code grant is the flow you have described.
As per the other answers:
Use the authorize endpoint
Get the code
Send the code to the token endpoint
Get the JWT
Use jwt.io to examine the JWT.
The flow follows the OAuth 2.0 standard. Please note I am not expert in ADFS, however I know OAuth 2.0 well.
The authorization flow consists of multiple options with different steps. In your case you are using the code profile (specifying response_type=code). The authorization step you did is only first step, there are a few steps to follow
you can search on "OAuth 2.0 with ADFS" e.g. http://blog.scottlogic.com/2015/03/09/OAUTH2-Authentication-with-ADFS-3.0.html
Authorization request
../authorize?response_type=code&client_id=ruleman
&resource=urn:ruleman:1&redirect_uri=http://ruleman.net/authorize
you will receive an OAuth code (usually not aving any information value, it is only a code)
http://ruleman.net/authorize?code=aaaaaaaa.bbbbbbbbb.ccccccccc
code parameter contains claims such as username etc
This is wrong assumption
Using this code you need to call a token service from backend to receive an access token (e.g. using HttpClient).
POST /adfs/oauth2/token HTTP/1.1
grant_type=authorization_code&client_id=some-uid-or-
other&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2FgetAToken&code=thecode
you will receive an access token. This step ensures you application is really authenticated with the identity provider it knows.
According to the post linked above:
The interesting bit is the itself, it is in fact a JSON Web Token (JWT). That’s to say a signed representation of the user’s identity and other grants.
I am unable to confirm that, but you can try. Usually (with other identity providers) the token is only a token and the client neeeds to call a "user information" service to get any user identity claims, however seems the ADFS gives you some shortcut.
Then you can use any JWT library to decode/validate the jwt token (com.auth0/java-jwt/3.0.1)
com.auth0.jwt.interfaces.DecodedJWT jwt = com.auth0.jwt.JWT.decode(token);
I'm attempting to add OAuth support to an existing Spring webapp to allow people to login with their Google/Facebook/Twitter/etc. accounts. To do this I'm using the 'spring-social' framework, and the 'spring-social-google' library for it. I'm also trying to do this while working within a number of constraints:
The existing webapp does not use spring-security for authentication or for controlling access to resources, it provides its own form-based authentication.
The existing webapp does not track the authenticated user details using the servlet-container's Principal, instead it stores a reference to the authenticated user in the HTTP session.
The existing webapp does not (and cannot) have a Spring DispatcherServlet bound to the webapp root URL (i.e. /).
Accounts in the database are uniquely keyed by e-mail, so really all I'm attempting to do is glue together a flow that goes roughly like:
Login Page (user chooses between OAuth and direct login)
-> <Provider OAuth Flow> (user completes OAuth authorization)
-> OAuth Callback URL (grab user email, check for existing account, create if needed)
-> Post-login Landing Page (done)
Anyhow, the limitations noted above caused a variety of problems, most of which I've managed to find workarounds for. However I'm getting some bizarre behavior from the Google OAuth connector (Twitter and Facebook appear to work correctly). Basically, it appears that it is not sending the OAuth clientId or clientSecret during the final request to Google:
DEBUG: org.springframework.web.client.RestTemplate - Writing [
{code=[4/dVVrFDpNLDGTmXCuuQj6fcfaetEU.UkLPQd7NOLYbgrKXntQAax0INYiydQI],
redirect_uri=[http://localhost:8080/oauth/signin/google],
grant_type=[authorization_code]}] as "application/x-www-form-urlencoded"
This returns a code 400 ("bad request").
If I head over to hurl.it and POST the same data to the same URL (https://accounts.google.com/o/oauth2/token) and manually add in the client_id and client_secret values, the call returns a successful response.
So what could be causing the Google connector to omit these values?
For reference, I'm including the spring-social-google library in my project like:
<dependency>
<groupId>org.springframework.social</groupId>
<artifactId>spring-social-google</artifactId>
<version>1.0.0.M1</version>
</dependency>
...and then in my #Configuration class I've got:
#Bean
#Scope(value="singleton", proxyMode=ScopedProxyMode.INTERFACES)
public ConnectionFactoryLocator connectionFactoryLocator() {
ConnectionFactoryRegistry registry = new ConnectionFactoryRegistry();
registry.addConnectionFactory(
new GoogleConnectionFactory(
"<google client id>",
"<google secret key>"));
registry.addConnectionFactory(
new FacebookConnectionFactory(
"<facebook client id>",
"<facebook secret key>"));
registry.addConnectionFactory(
new TwitterConnectionFactory(
"<twitter client id>",
"<twitter secret key>"));
return registry;
}
The rest of what I'm using is pretty much standard straight out of the spring-social-showcase example (albeit hacked up to remove extraneous things and to work within the constraints noted above). Strangely, attempting to log in with Google does correctly show the OAuth authorization page on Google with my app/project name correctly displayed. The error happens after I hit the "Allow" button to authorize the OAuth login and return to the webapp.
Anyhow, what might be causing this issue, and how might it be fixed?
You may not have turned the google+ api on in the google developer console.
This is a separate task from getting an OAuth 2 token or api key.
If you have not done so already
http://console.developers.google.com
Navigate to your project.
Click 'APIs'.
Check 'Google+ API' is in the list of Enabled API's. If it is not, browse for it and enable it.