Reading the Google docs (https://developers.google.com/identity/protocols/OAuth2WebServer#callinganapi), it says I can revoke a token (and thus force a login with credentials) by calling credentials.revoke.
What would be the Flask-OAuthlib way to do this?
Flask-OAuthlib itself didn't provide a way to revoke token. (I'm the author of Flask-OAuthlib)
My new project Authlib has provided a revoke_token method for OAuth 2.0. However, Google's revoke token endpoint doesn't respect RFC7009, which means the revoke_token method provided by Authlib cannot be used.
You can send an HTTP request directly to the revoke token endpoint:
curl -H "Content-type:application/x-www-form-urlencoded" \
https://accounts.google.com/o/oauth2/revoke?token={token}
BTW, if you need an RFC7009 revoke token method, check out the source code in https://github.com/lepture/authlib/blob/master/authlib/client/oauth2.py
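An added example (not Flask-OAuthlib or Authlib code) of the direct call described in this answer, done from a Flask-style logout handler: it builds Google's bare `token=` body (next to the RFC 7009 body, for contrast), treats 200 as revoked and 400 invalid_token as already dead, and clears the local session even if the revoke call fails. The transport is injectable so the logic can be exercised offline.

```python
# Added example, not Flask-OAuthlib/Authlib code.
import json
import urllib.error
import urllib.parse
import urllib.request

GOOGLE_REVOKE_URL = "https://accounts.google.com/o/oauth2/revoke"  # endpoint from the answer

def google_revoke_body(token):
    """Form body Google's endpoint expects: just the token."""
    return urllib.parse.urlencode({"token": token})

def rfc7009_revoke_body(token, token_type_hint="access_token"):
    """Form body an RFC 7009 endpoint expects instead (client auth goes in a Basic header)."""
    return urllib.parse.urlencode({"token": token, "token_type_hint": token_type_hint})

def _post(url, body):
    """Default transport: POST the urlencoded body, return (status, response text)."""
    req = urllib.request.Request(url, data=body.encode(), method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()

def revoke_google_token(token, post=_post):
    """True if Google confirms revocation, False if the token was already invalid
    (400 invalid_token); any other status raises so the failure is not silent."""
    status, text = post(GOOGLE_REVOKE_URL, google_revoke_body(token))
    if status == 200:
        return True
    try:
        err = json.loads(text).get("error")
    except (ValueError, AttributeError):
        err = None
    if status == 400 and err == "invalid_token":
        return False
    raise RuntimeError(f"revoke failed: HTTP {status} {text[:200]}")

def logout(session, post=_post):
    """Logout for a Flask-style session dict: revoke at Google, then clear the local
    session even if revocation raised, so the user is forced back through login."""
    token = session.pop("google_token", None)
    try:
        return revoke_google_token(token, post) if token else False
    finally:
        session.clear()
```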
I created a "test-App" application in API Manager WSO2 with the grant types "refresh-token", "SAML2", "PASSWORD", "Client Credentials" and "JWT".
I also created a "test"
To use the web services behind API Manager, first I should call https://localhost:9443/oauth2/token to get an access-token.
Unfortunately, if I call the link again, instead of receiving the same access-token, the system will generate a new access-token and the previous access-token will be expired. (I think this link is more like refresh token rather than get the access token.)
So, how can I separate getting the available access-token and the refresh-token link in WSO2 API Manager?
In the latest versions of API Manager you have JWT tokens. When you request a new token it always generates a new token. But it doesn’t revoke the previous access token.
In the earlier versions of APIM, opaque tokens were supported and it has a different behavior. When you request a token, if it is not expired you get the same token.
Please read more about refresh grant here https://apim.docs.wso2.com/en/latest/design/api-security/oauth2/grant-types/refresh-token-grant/
If you have not done any other configuration changes, invoking https://localhost:9443/oauth2/token URL will always generate a new JWT token without expiring the earlier one. However, the token validity can be changed in the Dev Portal while generating the access token.
As per google's docs, I'm generating my oauth access token like this:
export TOKEN=$(~/go/bin/oauth2l fetch -jwt -json ~/.google/my-service-key.json cloud-platform)
I'm then doing requests to Google's REST API like this:
curl -v -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -d (...) $URL
The response I'm getting back from Google is that I'm not providing an OAuth token, when I clearly am:
Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.
Other posts suggest to use gcloud auth application-default print-access-token instead of the OAuth token, but I know this to be the incorrect approach, as Google's API responds back that it wants a service account OAuth token and not an identity.
Any idea what's happening here?
Sometimes an old (bad) token gets cached from before you rotated the service_account.json.
Delete Cache
Try this:
rm ~/.oauth2l
Token vs JWT
And try getting an API token before you sign the JWT:
oauth2l fetch cloud-platform
Scope vs Audience
Also, the API token requires a scope (shown above), whereas the JWT requires an audience aud, which is a URL:
oauth2l fetch --jwt https://www.googleapis.com/auth/cloud-platform
ENVs
You may also want to make sure that you don't have competing configuration, see if GOOGLE_APPLICATION_CREDENTIALS is set.
echo $GOOGLE_APPLICATION_CREDENTIALS
unset GOOGLE_APPLICATION_CREDENTIALS
Or potentially use it instead of --json ./service_account.json:
export GOOGLE_APPLICATION_CREDENTIALS=$HOME/.config/google/service_account.json
HTH
I am using the IS_BASE_URL/oauth2/token endpoint to get a JWT token,
but it returns only an access-token. Is there any workaround to get a JWT token
for grant_type client_credentials and set a configurable expiry time of the JWT token based on client and secret key credentials (service provider based)?
In later IS versions (IS-5.4.0 onwards) we have a configuration in the identity.xml file as below.
<SupportedGrantType>
<GrantTypeName>client_credentials</GrantTypeName>
<GrantTypeHandlerImplClass>org.wso2.carbon.identity.oauth2.token.handlers.grant.ClientCredentialsGrantHandler</GrantTypeHandlerImplClass>
<IsRefreshTokenAllowed>false</IsRefreshTokenAllowed>
<IdTokenAllowed>false</IdTokenAllowed>
</SupportedGrantType>
Here you have to set IdTokenAllowed to true. Then you will get an id token along with the access token for the client_credentials grant type.
At the moment we don't have a way to configure the id token or JWT token expiry time per application; only a global configuration is there. You could set the id token expiry time globally in the identity.xml file inside the tag IDTokenExpiration (the identity.xml file by default contains the tag IDTokenExpiration).
<IDTokenExpiration>3600</IDTokenExpiration>
Update:- From the latest identity server (IS-5.6.0) onwards you could configure id token expiry time per application. You could refer https://docs.wso2.com/display/IS560/Configuring+OAuth2-OpenID+Connect+Single-Sign-On for more information.
You need to provide the scope as openid.
Sample curl request is as follows.
curl -k -d "grant_type=client_credentials&scope=openid" \
-H "Authorization: Basic ZjdJbk9mQ2dxRUZyckVna1hQa2dFU1BwUDk0YTpJZkhSZ0dsOHVzOXI4TlkybkxPN0tiQXQxQTRh" \
TOKEN_ENDPOINT
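An added example (not WSO2 code) for checking what the request above actually returned: it parses the token response, decodes the id_token's header and payload, and reports whether an id_token is present at all, its lifetime (exp minus iat) against the IDTokenExpiration value from identity.xml, and whether it has already expired. The sample response is constructed here with a placeholder signature; the decoder does not verify signatures, so verify against the IS JWKS before trusting any claim.

```python
# Added example, not WSO2 code: decode the id_token from the token response
# and compare its lifetime with the configured <IDTokenExpiration>.
import base64
import json
import time

CONFIGURED_ID_TOKEN_EXPIRATION = 3600  # seconds, matching identity.xml above

def _b64url(data):
    """base64url without padding, as used in JWT segments."""
    return base64.urlsafe_b64encode(json.dumps(data).encode()).rstrip(b"=").decode()

def _b64url_decode(segment):
    """Restore padding before decoding a JWT segment."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_jwt_claims(token):
    """Split header.payload.signature; return (header, payload) without verifying.
    Verify the signature against the IS JWKS before trusting any claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))

def check_token_response(response_json, expected_lifetime=CONFIGURED_ID_TOKEN_EXPIRATION, now=None):
    """Findings for a token endpoint response: whether an id_token came back at all
    (needs scope=openid and IdTokenAllowed=true), its alg, its exp-iat lifetime,
    whether that matches the configured value, and whether it is already expired."""
    body = json.loads(response_json)
    findings = {"has_id_token": "id_token" in body}
    if not findings["has_id_token"]:
        return findings
    header, claims = decode_jwt_claims(body["id_token"])
    lifetime = claims["exp"] - claims["iat"]
    now = time.time() if now is None else now
    findings.update(alg=header.get("alg"), lifetime=lifetime,
                    lifetime_matches_config=(lifetime == expected_lifetime),
                    expired=claims["exp"] <= now)
    return findings

def build_sample_response(iat, lifetime):
    """Constructed sample of what the endpoint returns; the signature segment is a
    placeholder, so this token can never pass real verification."""
    header = _b64url({"alg": "RS256", "typ": "JWT"})
    payload = _b64url({"iss": "https://localhost:9443/oauth2/token",
                       "sub": "client-id-placeholder", "iat": iat, "exp": iat + lifetime})
    return json.dumps({"access_token": "access-token-placeholder", "token_type": "Bearer",
                       "expires_in": lifetime, "id_token": f"{header}.{payload}.placeholder-sig"})
```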
I want to implement a custom code for token generation or you can think of removing OAuth2 from the WSO2 implementation and incorporating my specific APIs for token management. Is this possible? If yes, then please guide me how to achieve the same.
If you need to customize it fully, it means that you need to completely remove OAuth2. Then there is no worth in it. But if you just need to customize some behaviors of OAuth2, it can be done easily. There are several extension points for it. One main extension is the customization of OAuth2 grant types. You can find details here and some samples for it. It may help to do some major customization of the OAuth2 flow. Hope it helps you.
When you send an API request to the backend, you pass a token in the Authorization header of the request. The API Gateway uses this token to authorize access, and then drops it from the outgoing message. If you wish to use a different (or a custom generated) authorization token than the application generated access token, you can use it as a token exchange mechanism in mediation logic of the API. In this tutorial, we explain how to pass a custom authorization token that is different to the authorization token generated for the application.
Add the following sequence content into a file and save it as an XML file.
Log in to the API Publisher and create a new REST API.
Navigate to the Runtime Configurations tab and enable Message Mediation in the Request flow. Engage the In sequence that you created earlier and click Save.
If the API is not in the PUBLISHED state, go to the Lifecycle tab and click REDEPLOY to re-publish the API.
Go to the Developer Portal, subscribe, and obtain a token to invoke the published API.
Install any REST client on your machine. We use cURL here.
Go to the command line, and invoke the API using the following cURL command.
In this command, you pass the token that the backend expects, i.e., 1234, in the Custom header with the authorization token that the system generates in the Authorization header.
curl -H "Authorization: Bearer " -H "Custom: Bearer 1234"
NOTE
is the token that you got in step 20.
appears on the API's Overview page in the API Developer Portal. Copy the HTTP endpoint. If you select the HTTPs endpoint, be sure to run the cURL command with the -k option.
Note the response that you get in the command line. According to the sample backend used in this tutorial, you get the response as "Request Received."
FOR MORE EXPLANATION, PLEASE VISIT THIS LINK
[LINK] : https://medium.com/#PrakhashS/passing-access-token-to-oauth2-protected-backends-wso2-api-manager-7d0671a0afca
I want to develop a Django application to send messages through the Google C2DM server to Android devices. It uses OAuth2 for authorization.
First I got the credentials and stored them in the storage, and then I want to get the credentials from
storage and send these credentials together with other params and headers to the C2DM API.
I could get the credentials for scope https://android.apis.google.com/c2dm and store them in storage.
Please, can someone guide me how I can make the request with the credentials and send it to https://android.clients.google.com/c2dm/send to deliver?
Thanks in advance,
I suppose you've been able to perform step 2, Exchange authorization code for tokens, on the Google OAuth 2.0 Playground. Then you should have acquired a refresh token and an access token (if you didn't receive a refresh token, verify that you have checked Force approval prompt and selected offline for Access type in the OAuth 2.0 Configuration).
The access token will expire after some time (usually 1 hour), but the refresh token does not. The refresh token (together with the OAuth Client ID and the OAuth Client secret) can be used to obtain a new access token:
curl --data-urlencode "client_id=OAuthClientID" \
--data-urlencode "client_secret=OAuthClientSecret" \
--data-urlencode "refresh_token=RefreshToken" \
-d "grant_type=refresh_token" "https://accounts.google.com/o/oauth2/token"
(Replace OAuthClientID, OAuthClientSecret, RefreshToken.) For further reading refer to: Using OAuth 2.0 for Web Server Applications - Offline Access
Now you can use this access token and the registration ID of the device to send messages to that device using C2DM:
curl -k -H "Authorization: Bearer AccessToken" \
--data-urlencode "registration_id=RegistrationID" \
--data-urlencode "collapse_key=0" \
--data-urlencode "data.message=YourMessage" \
"https://android.apis.google.com/c2dm/send"
(Replace AccessToken, RegistrationID and YourMessage.)
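The two cURL calls above as an added Python example (not the answer's code): the refresh grant is run only when the cached access token is missing or within a minute of its expires_in, and the C2DM send then uses the current Bearer token. URLs are the ones in the answer; client id, secret, refresh token and registration id are placeholders, and the HTTP transport is injectable so the flow can be exercised without network access.

```python
# Added example, not the answer's code: refresh-grant then C2DM send, with the
# access token cached and refreshed only when close to expiry. The transport is
# injectable so the flow can run without network access.
import json
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://accounts.google.com/o/oauth2/token"   # from the answer
C2DM_URL = "https://android.apis.google.com/c2dm/send"     # from the answer

def _post(url, fields, headers=None):
    """Default transport: urlencoded POST, returns (status, body text); HTTP errors propagate."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(fields).encode(),
                                 headers=headers or {}, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, resp.read().decode()

class RefreshingTokenSource:
    """Keeps the long-lived refresh token (store it like a password) and hands out
    an access token, re-running grant_type=refresh_token within `skew` s of expiry."""

    def __init__(self, client_id, client_secret, refresh_token, post=_post, skew=60):
        self.client_id, self.client_secret = client_id, client_secret
        self.refresh_token, self.post, self.skew = refresh_token, post, skew
        self.access_token, self.expires_at, self.refresh_count = None, 0.0, 0

    def get(self, now=None):
        now = time.time() if now is None else now
        if self.access_token is None or now >= self.expires_at - self.skew:
            status, body = self.post(TOKEN_URL, {
                "client_id": self.client_id, "client_secret": self.client_secret,
                "refresh_token": self.refresh_token, "grant_type": "refresh_token"})
            if status != 200:
                raise RuntimeError(f"refresh failed: HTTP {status} {body[:200]}")
            data = json.loads(body)
            self.access_token = data["access_token"]
            self.expires_at = now + int(data.get("expires_in", 3600))
            self.refresh_count += 1
        return self.access_token

def send_c2dm(token_source, registration_id, message, collapse_key="0", post=_post, now=None):
    """Send one C2DM message with a Bearer token; returns (status, body)."""
    headers = {"Authorization": f"Bearer {token_source.get(now)}"}
    return post(C2DM_URL, {"registration_id": registration_id, "collapse_key": collapse_key,
                           "data.message": message}, headers)
```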