kandi X-RAY | oAuth2 Summary
The required Spring OAuth data structures are created as JPA entities.
Top functions reviewed by kandi - BETA
- Get user details by username
- The name
- Gets the password
- Returns the set of user authorities
- Gets the username
- Gets the authority
- Sets the granted authorities
- Set the password
- Set the user name
- The default token services
- Add JWT access token converter
- The JWT token store
- Configure the client details
- Configure the client with the given endpoints
- Configure the OAuth server
- The main entry point
Trending Discussions on oAuth2
I currently work on a legacy app which somewhat loosely implements an OAuth2 flow. In short, when the user logs in with username/password, he receives an access/refresh token pair. The access token expires after 20 minutes whereas the refresh token has a lifetime of 180 days.
Now when the client gets an HTTP 401 Unauthorized due to an expired access token, it will use the refresh token to obtain a new access/refresh token pair. At the same time, we invalidate the old token pair in our backend's database (we simply delete the entry).
This has some major issues since our clients are mobile apps and it sometimes can happen that a response from our server is not received by the client. So after our backend saves the new token pair, which the client doesn't receive due to, for example, network problems, the client can no longer get a new token pair because he still only knows about the old, now invalid, refresh token.
I was wondering if what we are doing is correct or whether we actually should never remove old refresh tokens from the DB as long as they are not expired. Or should we, for example, remember the last 1 or 2 refresh tokens for a user so even if a new one was created, if the client doesn't receive the response from our server, he can still try one or two times again with the old refresh token.
Or should we simply never send out new refresh tokens when obtaining a new access token and always use the same refresh token?
Is there any best practice to follow or is this all personal taste? I mean we can't be the first ones to run into this issue of mobile clients losing responses due to network issues, right? :)...
ANSWER: Answered 2022-Mar-11 at 09:08
MEASURING MOBILE CONNECTIVITY OCCURRENCES
When there are mobile connectivity problems, I would expect the refresh token grant request to fail. For the request to succeed and the response to fail to reach the client (in such a small time window, e.g. 200ms) feels very much like an edge case.
I would aim to ensure good production logging around what is happening server side, so that you can be clearer about exact causes. It is easy to jump to the wrong conclusions otherwise.
ROTATING REFRESH TOKENS
The preferred behaviour from a security viewpoint is to revoke all tokens for the user when an old one is reused. However, the OIDC specs indicate that this can cause usability problems in some setups, in which case other measures may be appropriate.
Exact behavior is provider specific - some Authorization Servers store and flag old refresh tokens and may allow them to be reused for a time period configured against the client application.
SECURITY v USABILITY
If dealing with high worth data I would use the more secure option, but if mobile consumption data is not especially sensitive, using non-rotating refresh tokens might be an appropriate measure.
In some cases OAuth clients will get a 401 when using a refresh token, and in addition to the case you mention, there are other possible causes:
- Token signing or cookie encryption key renewal (in some setups)
- Infrastructure changes such as a load balancing failover to alternate site (in some setups)
Apps should always be coded reliably to deal with this, e.g.:
- When an API call fails with a 401, try to refresh the access token
- When a token refresh fails, e.g. with a 401 or an invalid_grant value in the error response field, the user must re-authenticate
Note that re-authentication is sometimes a single sign on event. To see how this looks, you can run my Demo Single Page App and click Expire Refresh Token, then
You cannot always guarantee no re-logins for 180 days in a distributed systems world. In terms of next steps, my preference would be to properly identify the cause and frequency of failures, and to see if reliability could be improved in the client application's code.
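The server-side behaviour the answer describes (rotate on every refresh, tolerate a reuse of the immediately previous token for a short, per-client window, and revoke the whole token family when an old token is reused outside that window) together with the client rules it lists (401 on an API call means refresh once; invalid_grant on the refresh means re-authenticate) can be put into one small simulation. The following is an added example written for this page, not code from the answer author or from any Authorization Server; the class names, the 60-second grace window, the "token family" bookkeeping and the way a lost response is simulated are all assumptions made here.

```python
"""Refresh-token rotation with a short reuse window, plus the client-side retry
rules from the answer above. Every name and timing here is an assumption."""
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional


class Unauthorized(Exception):
    """Stands in for an HTTP 401 from an API call."""


class InvalidGrant(Exception):
    """Stands in for error=invalid_grant from the token endpoint."""


@dataclass
class TokenFamily:
    user: str
    current: str                     # the only live refresh token
    previous: Optional[str] = None   # rotated-out token, honoured for grace_seconds
    rotated_at: float = 0.0
    revoked: bool = False


@dataclass
class AuthServer:
    grace_seconds: float = 60.0     # assumed per-client reuse window
    access_ttl: float = 20 * 60     # the 20-minute access token from the question
    families: dict = field(default_factory=dict)       # refresh token -> TokenFamily
    access_tokens: dict = field(default_factory=dict)  # access token -> (user, expiry)

    def _issue_access(self, user: str) -> str:
        tok = secrets.token_urlsafe(16)
        self.access_tokens[tok] = (user, time.time() + self.access_ttl)
        return tok

    def login(self, user: str):
        refresh = secrets.token_urlsafe(16)
        self.families[refresh] = TokenFamily(user, refresh, rotated_at=time.time())
        return self._issue_access(user), refresh

    def api(self, access: str) -> str:
        entry = self.access_tokens.get(access)
        if entry is None or entry[1] < time.time():
            raise Unauthorized()
        return "hello " + entry[0]

    def refresh(self, refresh_token: str):
        fam = self.families.get(refresh_token)
        if fam is None or fam.revoked:
            raise InvalidGrant()
        now = time.time()
        if refresh_token == fam.current:
            # Normal rotation: the old token becomes "previous" for the grace window.
            new_refresh = secrets.token_urlsafe(16)
            fam.previous, fam.current, fam.rotated_at = fam.current, new_refresh, now
            self.families[new_refresh] = fam
            return self._issue_access(fam.user), new_refresh
        if refresh_token == fam.previous and now - fam.rotated_at <= self.grace_seconds:
            # The client never saw the last response: hand the current pair back again.
            return self._issue_access(fam.user), fam.current
        # Reuse outside the window looks like a stolen token: revoke the whole family.
        fam.revoked = True
        raise InvalidGrant()


class MobileClient:
    """Applies the answer's rules: 401 -> refresh once; invalid_grant -> re-login."""

    def __init__(self, server: AuthServer, user: str):
        self.server, self.user = server, user
        self.access, self.refresh_token = server.login(user)
        self.relogins = 0
        self.drop_next_refresh_response = False  # simulates a response lost in transit

    def _refresh(self):
        pair = self.server.refresh(self.refresh_token)   # server side succeeds...
        if self.drop_next_refresh_response:
            self.drop_next_refresh_response = False
            raise ConnectionError("response lost")       # ...but the client never sees it
        return pair

    def call(self) -> str:
        try:
            return self.server.api(self.access)
        except Unauthorized:
            pass
        try:
            self.access, self.refresh_token = self._refresh()
        except InvalidGrant:
            self.relogins += 1
            self.access, self.refresh_token = self.server.login(self.user)
        return self.server.api(self.access)


def simulate(retry_after_window: bool) -> dict:
    """Runs the lost-response scenario from the question; returns what happened."""
    server = AuthServer()
    client = MobileClient(server, "alice")
    del server.access_tokens[client.access]   # stand-in for the access token expiring
    client.call()                             # plain rotation, no re-login
    del server.access_tokens[client.access]
    client.drop_next_refresh_response = True
    try:
        client.call()                         # rotation happens, response is lost
    except ConnectionError:
        pass
    old_refresh = client.refresh_token        # the only token the client still knows
    if retry_after_window:
        server.families[old_refresh].rotated_at -= 3600   # pretend an hour has passed
    reply = client.call()                     # retry with the rotated-out token
    return {"reply": reply, "relogins": client.relogins,
            "family_revoked": server.families[old_refresh].revoked}
```

With the retry arriving inside the window the client recovers without a re-login; with the retry arriving after it, the reuse is treated as suspicious, the family is revoked and the client falls back to re-authentication, which is the "secure option" the answer prefers for high-worth data.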
We have some apps (or maybe we should call them a handful of scripts) that use Google APIs to facilitate some administrative tasks. Recently, after making another client_id in the same project, I started getting an error message similar to the one described in localhost redirect_uri does not work for Google Oauth2 (results in 400: invalid_request error). I.e.,
Error 400: invalid_request
You can't sign in to this app because it doesn't comply with Google's OAuth 2.0 policy for keeping apps secure.
You can let the app developer know that this app doesn't comply with one or more Google validation rules.
The content in this section has been provided by the app developer. This content has not been reviewed or verified by Google.
If you’re the app developer, make sure that these request details comply with Google policies.
How do I get through this error? It is important to note that:
- The OAuth consent screen for this project is marked as "Internal". Therefore any mentions of Google review of the project, or publishing status are irrelevant
- I do have "Trust internal, domain-owned apps" enabled for the domain
- Another client id in the same project works and there are no obvious differences between the client IDs - they are both "Desktop" type which only gives me a Client ID and Client secret that are different
- This is a command line script, so I use the "copy/paste" verification method as documented here, hence the urn:ietf:wg:oauth:2.0:oob redirect URI (copy/paste is the only friendly way to run this on a headless machine which has no browser).
- I was able to reproduce the same problem in a dev domain. I have three client ids. The oldest one is from January 2021, another one from December 2021, and one I created today - March 2022. Of those, only the December 2021 works and lets me choose which account to authenticate with before it either accepts it or rejects it with "Error 403: org_internal" (this is expected). The other two give me an "Error 400: invalid_request" and do not even let me choose the "internal" account. Here are the URLs generated by my app (I use the ruby google client APIs) and the only difference between them is the client_id - January 2021, December 2021, March 2022.
Here is the part of the code around the authorization flow, and the URLs for the different client IDs are what was produced on the $stderr.puts url line. It is pretty much the same thing as documented in the official example here (version as of this writing).
ANSWER: Answered 2022-Mar-02 at 07:56
steps.oauth.v2.invalid_request 400 This error name is used for multiple different kinds of errors, typically for missing or incorrect parameters sent in the request. If is set to false, use fault variables (described below) to retrieve details about the error, such as the fault name and cause.
- GenerateAccessToken GenerateAuthorizationCode
I implemented a REST authorization server that returns the public key for a given keyId in the JWK format using the com.nimbusds:nimbus-jose-jwt:9.13 package. The code looks something like this:
ANSWER: Answered 2021-Sep-01 at 16:35
The answer is to use String for (de)serialization for those facing this problem. Why, you ask? According to the RFC, JWK is a string in the JSON format. While nimbusds:nimbus-jose-jwt defines a JWK object, any APIs that return valid JWK (or JWKSet) can assume that it's a string.
I also raised this issue with the developers of this package, and they recommended using Map for (de)serialization.
I am trying to write a function that will validate a Google id token.
The oauth2 package requires me to pass in the context when creating a new service, like this:...
ANSWER: Answered 2022-Mar-08 at 10:53
Try this:
Also, don't use a pointer for the ctx argument in the function ValidateToken, because context.Context in the stdlib is an interface.
I am using Spring Security along with Spring Authorization Server and experimenting with creating an auth server.
I have a basic flow allowing me to login with the pre-built login page (from a Baeldung guide - this is the code I'm working off). I'm assuming this login page form comes from formLogin() like so:
ANSWER: Answered 2021-Oct-07 at 20:54
Re your comment: "I'm attempting to build an Authorization Server":
Coding your own Authorization Server (AS) or having to build its code yourself is highly inadvisable, since it is easy to get bogged down in plumbing or to make security mistakes.
By all means use Spring OAuth Security in your apps though. It is hard enough to get these working as desired, without taking on extra work.
Choose a free AS and run it as a Docker Container, then connect to its endpoints from your apps.
If you need to customize logins, use a plugin model, write a small amount of code, then deploy a JAR file or two to the Docker container.
This will get you up and running very quickly. Also, since Spring Security is standards based, you are free to change your mind about providers, and defer decisions on the final one.
Curity, along with other good choices like Keycloak or Ory Hydra, are Java based and support plugins:
I searched a lot for how to authenticate/authorize Google's client libraries and it seems no one agrees on how to do it.
Some people state that I should create a service account, create a key out of it and give that key to each developer that wants to act as this service account. I hate this solution because it leaks the identity of the service account to multiple persons.
Others mentioned that you simply log in with the Cloud SDK and ADC (Application Default Credentials) by doing:...
ANSWER: Answered 2021-Oct-02 at 14:00
You can use a new gcloud feature and impersonate your local credential like that:
I am working on a simple web app for learning purposes using Angular for the frontend and Java Spring for the backend. I don't have a particular problem that I want you guys to help me out with, instead I have a question about OAuth2 authentication.
I have registered my Angular SPA in Azure AD (Authorization Code Flow + PKCE), I set up roles and everything is working okay. My question is what do I do when authenticated users ping my backend? My backend has no information about the users.
I thought of a solution to make a web filter, and every time an authenticated user pings any endpoint requiring the user to be authenticated, to check the database if the user exists (through the username), and save him if he does not exist. I'm pretty sure this will work, but I don't think this is the best solution, considering my web filter will have to read from the databases for every single HTTP request that comes in, and write to the database occasionally (if the user logs in for the first time).
I shouldn't be worried about performance issues because I'm building this strictly for learning purposes, but nevertheless I want to do this the right way. I tried googling this in multiple ways, but I guess I'm not using the right keywords to find what I'm looking for. Any opinion or advice would be much appreciated! Thanks!
EDIT: I followed this article to achieve the OAuth2 + OIDC authentication and authorization, my security config in the backend is the same: https://ordina-jworks.github.io/security/2020/08/18/Securing-Applications-Azure-AD.html...
ANSWER: Answered 2022-Feb-10 at 15:47
Posting after the discussion, with clarity on the requirements. If you want to have the following:
- Accept an Azure AD logged in user to consume your web service
- You would want to check if the user exists in your application database with minimal network latency.
With the requirement of not always hitting your Database, one option is to use a cache.
The ideal solution for this cache to work is:
- Ensure the cache is checked for every HTTP Request using Web Filter
- Make sure the cache is always updated with the latest users being logged in via Azure AD
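The two points above (a web filter that consults a cache on every request, and a cache that is kept current as users log in through Azure AD) can be shown as a single request filter with a TTL cache in front of the user table. This is an added example written for this page, not code from the answer author or from the linked article; the repository stand-in, the 5-minute TTL, the injected clock and the use of the preferred_username claim as the lookup key are assumptions made here.

```python
"""Request filter that checks a TTL cache before the user table and creates the
user on first sight. Names, the fake repository and the TTL are assumptions."""
import time
from typing import Callable, Dict, Tuple


class UserRepository:
    """Stand-in for the application's user table; counts round trips so the
    effect of the cache is visible."""

    def __init__(self):
        self.rows: Dict[str, dict] = {}
        self.reads = 0
        self.writes = 0

    def find(self, username: str):
        self.reads += 1
        return self.rows.get(username)

    def save(self, username: str, claims: dict) -> dict:
        self.writes += 1
        self.rows[username] = {"username": username, "roles": list(claims.get("roles", []))}
        return self.rows[username]


class KnownUserFilter:
    """Runs once per authenticated request, after the token has been validated.

    Order of checks: cache hit -> return; cache miss -> read the table; row missing
    -> create it (first login). Every path refreshes the cache entry, which is what
    keeps it current with the latest Azure AD logins."""

    def __init__(self, repo: UserRepository, ttl_seconds: float = 300.0,
                 clock: Callable[[], float] = time.monotonic):
        self.repo, self.ttl, self.clock = repo, ttl_seconds, clock
        self._cache: Dict[str, Tuple[dict, float]] = {}  # username -> (row, expiry)

    def on_request(self, claims: dict) -> Tuple[dict, str]:
        """claims: the validated token's claims. Returns (user row, where it came from)."""
        username = claims["preferred_username"]  # assumed claim name for the lookup key
        now = self.clock()
        hit = self._cache.get(username)
        if hit is not None and hit[1] > now:
            return hit[0], "cache"
        user = self.repo.find(username)
        source = "db"
        if user is None:
            user = self.repo.save(username, claims)  # first login: persist the user
            source = "created"
        self._cache[username] = (user, now + self.ttl)
        return user, source


def demo() -> dict:
    """Drives the filter with a fake clock and returns the observed behaviour."""
    fake_now = [1000.0]
    repo = UserRepository()
    flt = KnownUserFilter(repo, ttl_seconds=300.0, clock=lambda: fake_now[0])
    alice = {"preferred_username": "alice@example.test", "roles": ["Reader"]}  # constructed
    first = flt.on_request(alice)[1]      # nothing cached, nothing in the table
    second = flt.on_request(alice)[1]     # served from the cache, no table read
    fake_now[0] += 301.0                  # entry expires
    third = flt.on_request(alice)[1]      # re-read from the table, not re-created
    return {"sources": [first, second, third], "reads": repo.reads, "writes": repo.writes}
```

Because the cache is per process, a multi-instance backend would put it in a shared store or accept that each instance pays one table read per user per TTL; either way the per-request table read from the question disappears.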
I have some trouble configuring my Windows to work with the az command line tools. I have tested multiple configurations, one on a locally installed system and one with a Windows based docker container. I get the same error on both systems.
In case I issue the following command:...
ANSWER: Answered 2022-Jan-31 at 15:27
Finally I was able to resolve the issue as follows:
I've found the following documentation:
The basic idea is to find the python installation used for Azure CLI and update the related certificate file.
In my case the Azure CLI was installed with python on the following location:
C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe
And using the command that was suggested returned the following:
I'm trying to figure out how to set up a login via Discord OAuth2 while using Dapper as my ORM.
Microsoft has a guide here that I have followed to set up all of my stores. I can in fact call the CreateAsync() method and a user gets created in my database, so I believe that side of things is completely set up.
My issues lie within external login. Below you will find what I have tried.
ANSWER: Answered 2022-Jan-29 at 17:34
Firstly... We need to take a look at the implementation of the internal method GetExternalLoginInfoAsync inside SignInManager.cs and take note of all the conditions that could possibly lead to null being returned.
I will provide my answer as comments within the code below:
I have the following handler...
ANSWER: Answered 2022-Jan-27 at 18:41
When you use the swagger:parameters annotation, go-swagger treats that structure as the description of all the parameters to an API endpoint, which includes headers, query params, and the body. So you need a structure that defines all these types of parameters, and another structure to define the actual body structure. Thus, as far as I know, there is no way to get rid of the second struct that includes the body, because a body is not the only parameter to an API.
No vulnerabilities reported
You can use oAuth2 like any standard Java library. Include the jar files in your classpath. You can also use any IDE to run and debug the oAuth2 component as you would any other Java program. Best practice is to use a build tool that supports dependency management, such as Maven or Gradle. For Maven installation, refer to maven.apache.org; for Gradle installation, refer to gradle.org.