I am calling below API to get bearer access token.
POST https://idcs-xxxx.identity.c9dev2.oc9qadev.com/oauth2/v1/token
Once the token is retrieved i will use the same token in below APIs. These APIs are part of single transaction. But every time I call these APIs,I have to pass the token for authorization. I dont want to generate token again and again because It is valid for 60 min. How can I check whether token is expired or not. .If it is expired then only I want to generate again, else i want to use the existing one. I am not using any framework to call the APIs in java.I am using HttpUrlConnection.
GET https://idcs-xxxx.identity-t0.data.digitalassistant.oci.oc-test.com/api/v1/skills
GET https://idcs-xxxx-t0.data.digitalassistant.oci.oc-test.com/api/v1/skills/dynamicEntities
POST https://idcs-xxxx.identity-t0.data.digitalassistant.oci.oc-test.com/api/v1/bots/xxx/v2/yyy
PATCH https://idcs-xxxx.identity-t0.data.digitalassistant.oci.oc-test.com/api/v1/bots/xxx
PUT https://idcs-xxxx.identity-t0.data.digitalassistant.oci.oc-test.com/api/v1/bots/xxx/DONE
Possible concept: Write a Helper class to do the API request (e.g. MyAPIClient.class). Most APIs will return a 401 HTTP error when the token is expired. Check this behaviour for this specific api. If this is the case, get a new token within this helper class and repeat the request with the new token. Cache this token for 60min after you got it (different Java Frameworks have different kind of Cache providers you can use for this). Use the helper class everywhere you want to access the api
Related
After I successfully run the request to http://IP:port/oauth/ token to get the authorization token from oauth using spring framework, the response body looks something like this:
{
access_token = jsjxjdnjf .... some_acces_token,
token_type: bearer,
(....) more fields
}
The client to acces this endpoint is a simple Java app using org.springframework.web.client.RestTeplate
My question is:
Is there a predefined class that allows me to encapsulate(map) that information and access it through getters?
Or I have to implement it myself, which would look like this:
public class OauthTokeWrapper {
private String access_token;
(...)//getters,constructors...
}
It is not recommended to read access tokens in the OAuth Client, which should just treat the token as an opaque string to be sent to APIs. Access tokens are not always JWT format and reading tokens in the client could lead to future problems.
Instead it is typical to work with the API claims in a back end API. One option for doing this is via the Nimbus libraries. Here is some example API code of mine in case useful.
In my server application, I want to consume some third party API using a MicroProfile REST client. To do so, I need to send an Authorization Header with a bearer token.
I don't want to always get a token before I make any call so I need a mechanism to only retrieve a new token if there is no token yet or if the token expired. The token could then be stored and used in each call until it expires. The next call to the API which would cause a HTTP 401 Unauthorized shall then cause a new token to be obtained.
Unfortunately so far I wasn't able to find any resources on how to consume OAuth secured APIs using the MicroProfile REST client. I hope anybody can give me any tips. I'm using Kotlin and Quarkus but Java related documentation would be fine as well. Anything helps.
Here is my rather simple client:
#RegisterRestClient
#Produces(MediaType.APPLICATION_JSON)
interface SomeThirdPartyApiClient {
#POST
#Path("/some/random/url")
fun someRandomUrl(body: SomeJsonRequestObject, #HeaderParam("Authorization") bearer: String): SomeJsonResponseObject
}
As discussed with iabughosh, there seems to be no automatic way of doing what I want to do. Instead I have written the code myself as suggested by iabughosh. I went with the route of catching errors in the call. If the error has a 401 status, then I retrieve a new token and retry the call.
When the application starts and has no token yet, the first call always causes a 401 and then I get the first token. The next 401 appears only when the token expires (or was removed by a server admin prematurely) so then I simply get the token and do the call again.
As for now this seems to work just fine. I'll have to see how it turns out in production when there are a lot of (parallel) calls. If I find a better solution, I'll try to remember this question and update it accordingly.
There isn't any way to pass it at annotation level, through eclipse microprofile configuration, the only way to pass a dynamic token is by adding
#HeadParameter("Authorization") authString
in your rest call, in case you are using jwt, usually you can inject the JsonWebToken and do all the checks with this object, so you wouldn't need that parameter, however, you can add it and just ignore, than in your rest client method declaration you have to add it too (as I seen your case you did it already, just assure the order of parameters is the same), and the restclient will be able to pass the token though the header (you need to pass "Bearer "+tokenString), but you need to access to the code of your rest service.
We're using spring security (Authorisation and Resource server ) in our project.
client sends a token request (/oauth/token) with the oauth2 parameters.
spring security app creates a token for the user and respond to the client with the access_token, refresh_token, custom user object (name, organisation, email etc) and authorities (Roles).
Client adds additional roles (say ROLE_CLIENT, ROLE_USER).
spring application will store the above roles for the given user.
Next time when client sends a token request, spring security returns the previously created token (not expired yet) along with the user and authority information. This authority information is not having the latest roles (added in step4).
Here spring security always using the existing token (as it is not expired) and returning the valid token. Is this the expected behaviour even though the user object is being modified?
It sounds like you need to revoke the access token when the users roles change if you want the next request to get a new access token with the new roles and not return an existing token with existing roles if it's still valid.
At the point where you update the users roles you'd likely want to revoke the token.
I haven't personally tested this but I found a guide for it here https://www.baeldung.com/spring-security-oauth-revoke-tokens so your milage may vary.
I want to add that this does not sound like the normal OAuth2 process and you may be breaking a few conventions here which might bite you later. That said, you don't have to follow a standard if you're confident in your proposed solution.
Edit: To clarify the users roles and access is normally part of a resource and not part of the token exchange. For example you have a normal OAuth2 request which generates a token which you can exchange for an access token, as you've laid out in steps 1 and 2. Then you'd normally take that access token and request user access information from a resource such as "userinfo" service or something similar.
Your security service can also be a resource server but the two steps should be seen as different. Then when you want to modify the users roles you do this again through a resource. This means the next time you invoke the resource it'll have the up to date information without needing to authenticate the user again.
How to refresh JWT token using Docusign Java SDK? Should I call:
apiClient.configureJWTAuthorizationFlow()
each time as it is done in samples (in JUnit Test)? But the method name sounds like it configures a flow.
Is there any specific api to refresh the token?
The JWT flow does not include a refresh token. So, to create a new Access Token, just re-do the JWT Flow.
The Java example for JWT demonstrates a checkToken method which monitors the age of the token and creates a new one as needed.
We will be renaming the method in the near future. It will also only need the private key (as a string) then.
I'm trying to access the HttpSession object (or similar API that let me fetch session attributes) from inside of a Google Cloud Endpoints backend method...
Reading this answer I've learn that I can inject a HttpRequest object as a parameter.
What I'm trying to do is retrieve a facebook access token previously stored by a Servlet.
Within the Development Web Server I can retrieve the HttpSession and get the desired attribute:
#ApiMethod
public MyResponse getResponse(HttpServletRequest req) {
String accessToken = (String) req.getSession().getAttribute("accessToken");
}
But, once I deploy my application to GAE, the retrieved access token is always null.
So is there a way to recover session attributes from inside api methods?
And if there isn't, how can I retrieve my access token from someplace else? Answers and comments in the mentioned question suggests the use of the data store, but I really can't think of a good natural candidate for a key... As far as GAE authentication mechanism is concerned my users aren't even logged in, I don't know how to retrieve the access_token of the current user from the Datastore / memcached or any other mechanism.
I've filed a feature request to support sessions in production, as I can confirm it's not working right now.
For now, I recommend you continue passing the access token on subsequent requests in a header. Header information is similarly available through the injected HttpServletRequest.