How to refresh JWT token using Docusign Java SDK? Should I call:
apiClient.configureJWTAuthorizationFlow()
each time as it is done in samples (in JUnit Test)? But the method name sounds like it configures a flow.
Is there any specific api to refresh the token?
The JWT flow does not include a refresh token. So, to create a new Access Token, just re-do the JWT Flow.
The Java example for JWT demonstrates a checkToken method which monitors the age of the token and creates a new one as needed.
We will be renaming the method in the near future. It will also only need the private key (as a string) then.
Related
After I successfully run the request to http://IP:port/oauth/ token to get the authorization token from oauth using spring framework, the response body looks something like this:
{
access_token = jsjxjdnjf .... some_acces_token,
token_type: bearer,
(....) more fields
}
The client to acces this endpoint is a simple Java app using org.springframework.web.client.RestTeplate
My question is:
Is there a predefined class that allows me to encapsulate(map) that information and access it through getters?
Or I have to implement it myself, which would look like this:
public class OauthTokeWrapper {
private String access_token;
(...)//getters,constructors...
}
It is not recommended to read access tokens in the OAuth Client, which should just treat the token as an opaque string to be sent to APIs. Access tokens are not always JWT format and reading tokens in the client could lead to future problems.
Instead it is typical to work with the API claims in a back end API. One option for doing this is via the Nimbus libraries. Here is some example API code of mine in case useful.
I am calling below API to get bearer access token.
POST https://idcs-xxxx.identity.c9dev2.oc9qadev.com/oauth2/v1/token
Once the token is retrieved i will use the same token in below APIs. These APIs are part of single transaction. But every time I call these APIs,I have to pass the token for authorization. I dont want to generate token again and again because It is valid for 60 min. How can I check whether token is expired or not. .If it is expired then only I want to generate again, else i want to use the existing one. I am not using any framework to call the APIs in java.I am using HttpUrlConnection.
GET https://idcs-xxxx.identity-t0.data.digitalassistant.oci.oc-test.com/api/v1/skills
GET https://idcs-xxxx-t0.data.digitalassistant.oci.oc-test.com/api/v1/skills/dynamicEntities
POST https://idcs-xxxx.identity-t0.data.digitalassistant.oci.oc-test.com/api/v1/bots/xxx/v2/yyy
PATCH https://idcs-xxxx.identity-t0.data.digitalassistant.oci.oc-test.com/api/v1/bots/xxx
PUT https://idcs-xxxx.identity-t0.data.digitalassistant.oci.oc-test.com/api/v1/bots/xxx/DONE
Possible concept: Write a Helper class to do the API request (e.g. MyAPIClient.class). Most APIs will return a 401 HTTP error when the token is expired. Check this behaviour for this specific api. If this is the case, get a new token within this helper class and repeat the request with the new token. Cache this token for 60min after you got it (different Java Frameworks have different kind of Cache providers you can use for this). Use the helper class everywhere you want to access the api
We're using spring security (Authorisation and Resource server ) in our project.
client sends a token request (/oauth/token) with the oauth2 parameters.
spring security app creates a token for the user and respond to the client with the access_token, refresh_token, custom user object (name, organisation, email etc) and authorities (Roles).
Client adds additional roles (say ROLE_CLIENT, ROLE_USER).
spring application will store the above roles for the given user.
Next time when client sends a token request, spring security returns the previously created token (not expired yet) along with the user and authority information. This authority information is not having the latest roles (added in step4).
Here spring security always using the existing token (as it is not expired) and returning the valid token. Is this the expected behaviour even though the user object is being modified?
It sounds like you need to revoke the access token when the users roles change if you want the next request to get a new access token with the new roles and not return an existing token with existing roles if it's still valid.
At the point where you update the users roles you'd likely want to revoke the token.
I haven't personally tested this but I found a guide for it here https://www.baeldung.com/spring-security-oauth-revoke-tokens so your milage may vary.
I want to add that this does not sound like the normal OAuth2 process and you may be breaking a few conventions here which might bite you later. That said, you don't have to follow a standard if you're confident in your proposed solution.
Edit: To clarify the users roles and access is normally part of a resource and not part of the token exchange. For example you have a normal OAuth2 request which generates a token which you can exchange for an access token, as you've laid out in steps 1 and 2. Then you'd normally take that access token and request user access information from a resource such as "userinfo" service or something similar.
Your security service can also be a resource server but the two steps should be seen as different. Then when you want to modify the users roles you do this again through a resource. This means the next time you invoke the resource it'll have the up to date information without needing to authenticate the user again.
I am using JWT for authentication. Now i want to store this token which is being generated in one class, so that any other class can use it until the session expires. What is the best way to do it. My application is in spring boot.
Adding more. I am making a client which hits a rest webservice with the credentials to get the token. Now i need to store this token somewhere so that further rest requests can use it.
Is it fine to store the token in httpSession and retrieve it further.
Usually is not a good idea to store a JWT token, since it should contain all the information to identify and authorize a service user without hit the DB/persistence layer.
But maybe there are situations that require to persist it among user data. In this case you can store it in a table/collection and retrieve it while authenticating the user.
If you are using Spring + Spring Security, you can then populate a token field in a custom User implementation.
You can retrieve user data this way:
CustomUser userDetails = (CustomUser)SecurityContextHolder.getContext().getAuthentication().getPrincipal();
It is not preferred to store a JWT token in order to protect it from CSRF.
But if you want to persist or use it anyways, one way in spring boot is you can just include the #RequestHeader parameter in any rest request with the value as "Authorization" and then you can just fetch out the jwt token from it and can use it as per your functionality :
#GetMapping("/abc")
public ResponseEntity<String> getToken(
#RequestHeader(value="Authorization") String authorizationHeader){
String jwt = authorizationHeader.substring(7);
//your functionality
return ResponseEntity.ok("JWT Token successfully retrieved");
}
Is it possible that my FB app to post on users behalf without any interaction from the user (server-side). I suspect that an initial login and request permission phase is needed, but after that I want that my app to post on their behalf for, let's say, the next month.
I'm using Java and I'm leaning towards Spring Social, but any similar framework is acceptable.
I know that this question has been asked, but I don't think with Spring Social.
The class org.springframework.social.facebook.connect.FacebookAdapter (see API) has an updateStatus method which takes a FaceBook and a String. Looks like it would do the trick.
FaceBook itself is instantiated by first acquiring an access token from facebook, and then passing the token as a String to FaceBookTemplate's constructor, like so (copied from Spring's reference docs):
String accessToken = "f8FX29g..."; // access token received from Facebook after OAuth authorization
Facebook facebook = new FacebookTemplate(accessToken);
I believe you could use Quartz to schedule and execute the task itself.