Workplace custom integration authentication - facebook-graph-api

I am trying to develop a custom Workplace widget for SharePoint. But in the documentation I cannot find how to authenticate users! Only with an app access_token or impersonate_token, which is not secure...
Is there an endpoint to generate a bearer access_token via SSO? Or a SAML assertion?

No, you can communicate with Workplace via the API only using an access_token.

Related

How do I pass a bearer token in wso2 Publisher?

I am using WSO2 to manage my group's APIs, so I publish my API to the WSO2 Publisher. My API has its own authentication by sending a bearer token. The Swagger document has the authorize button, but when I import my API definition into the WSO2 Publisher, the authorize button disappears.
I have these questions:
1. How should I send the original bearer token?
2. When I use a Swagger 3 definition, it shows some errors. Is Swagger 3 not supported by the import function?
Does anyone have suggestions?
My WSO2 version is: WSO2 API-M v4.1.0
WSO2 API Manager does support Swagger2 and Open API Specification (OAS) 3 and above.
And with regard to bearer tokens in API Manager, you can generate a bearer token using the DevPortal for your APIs. You need to create a new Application, subscribe to your API, and then you can generate a new JWT-based bearer token.
Please check this section in detail - https://apim.docs.wso2.com/en/latest/consume/consume-api-overview/
If your backend is OAuth protected you can use Endpoint security to add OAuth configs to generate a backend bearer token when calling the API. Take a look at this document. Also, if you want to import backend certificates to API Manager, take a look at this document.

django_auth_adfs: get JWT token for the client on successful authentication

I have a Django application that doesn't have MVC pages and most of the data is served/posted via restful API powered by django-rest-framework. My userbase is in Azure single tenant AD, so I am trying to get the SSO going for them.
I am using django_auth_adfs to authenticate users against the Azure AD. Most of the stuff seems to work and the module takes care of the redirects and establishing the Django sessions for the client. Specifying the right permission_classes for the API ViewSets will make sure only authenticated users can access it; it works fine via the browser with a proper Django session cookie.
What I can't figure out is how to get the JWT token that I can give the UI client so that it could interact with the django-rest-framework API by supplying the JWT bearer and not relying on the session.
The documentation is not very specific on these details (besides the password grant that isn't quite relevant for my scenario).

How OAuth authorization works via API

It is clear how to get a token from Google (or any other OAuth provider). But I do not understand where I should do it - in the server part or the client part.
For example: I have a backend on Flask with a unified API for Android, iOS and web (js/react) apps.
Where do I need to get a token? On the client (Android, for example) part and send it to the server, or in my Flask app after a request from the client? Where should I get data from the provider? How does the interaction between client and server work at all when using OAuth?
I would be grateful for some explanations or links to some guides.
Your UIs will manage redirecting the user to authenticate - after which the UI is given an access token to call the API with.
The OAuth provider is the entry point for authentication and issues an access token afterwards.
The API uses the access token to identify the user and authorize access to resources.
A good way to understand OAuth is the HTTP messages - my blog post highlights these, and they are largely the same for SPAs and mobile.
There are also some code samples on my blog which you can run, in case useful.

Web API authentication using OAuth 2.0 token and Azure Active Directory (Without Authentication Server)

Is there a way to authenticate the Microsoft or Google OAuth token in Active Directory without using an authentication server?
Here is the scenario:
A client app gets a Microsoft access_token from some external service.
The client app will make a call to some secured web API and pass that access_token in the request header.
If the access_token passed by the client is valid then the API will provide a response to the client.
Is there a way to validate that access_token on the API side?
My normal understanding of OAuth 2.0 is that there needs to be an authentication server to which both the client and the API would talk, as shown in the figure below:
But if the token is provided by some external service, can we use it to validate requests to our web API? Are there any ways to implement such authentication?
You can learn more about AAD Signing Keys and handling Key Rollover using this page: Signing key rollover in Azure Active Directory
Validation of the token, once you have the signing key, can be done using existing libraries like OWIN. You can also try following instructions like this (although it seems the document isn't 100% complete yet): Manually validating a JWT access token in a web API
This library is also available, but I think OWIN is supposed to have replaced it in general.
Also check out this blog post, which has a pretty great deep dive into token validation.
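The manual validation that answer describes, as an added example (not code from the answer or the linked documents): the API selects the issuer's public key by kid, checks the signature, then checks issuer, audience and expiry. It assumes the key set has already been fetched and indexed by kid (NewKeyPair stands in for fetching the issuer's JWKS), and the issuer and audience values are constructed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)
var enc = base64.RawURLEncoding // JWT segments are base64url without padding
// NewKeyPair: a fresh signing key plus the kid-indexed public key set an API would fetch from the issuer's JWKS endpoint.
func NewKeyPair(kid string) (*rsa.PrivateKey, map[string]*rsa.PublicKey) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	return priv, map[string]*rsa.PublicKey{kid: &priv.PublicKey}
}
// Mint signs an RS256 JWT the way an issuer would; here it only builds sample tokens for Validate.
func Mint(priv *rsa.PrivateKey, kid string, claims map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	body, _ := json.Marshal(claims)
	signing := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	h := sha256.Sum256([]byte(signing))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	return signing + "." + enc.EncodeToString(sig)
}
// Validate is the API-side check: select the public key by kid, verify the signature,
// then verify issuer, audience and expiry. now is the current Unix time in seconds.
func Validate(tok string, keys map[string]*rsa.PublicKey, iss, aud string, now int64) (map[string]any, error) {
	parts := strings.Split(tok, ".") // never empty, so parts[0] is safe to read
	var hdr struct{ Alg, Kid string }
	raw, err := enc.DecodeString(parts[0])
	// Pin the algorithm (the token must not choose it); an unknown kid usually means the issuer rolled its keys.
	if len(parts) != 3 || err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "RS256" || keys[hdr.Kid] == nil {
		return nil, errors.New("malformed token, unexpected alg or unknown kid")
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if sig, err := enc.DecodeString(parts[2]); err != nil || rsa.VerifyPKCS1v15(keys[hdr.Kid], crypto.SHA256, h[:], sig) != nil {
		return nil, errors.New("signature does not verify")
	}
	var claims map[string]any
	if raw, err = enc.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &claims) != nil {
		return nil, errors.New("unreadable claims")
	}
	if exp, _ := claims["exp"].(float64); claims["iss"] != iss || claims["aud"] != aud || float64(now) >= exp {
		return nil, errors.New("issuer, audience or expiry check failed")
	}
	return claims, nil
}
```

An unknown kid is the key-rollover case from the linked page: the correct reaction is to refetch the issuer's key set, not to accept the token.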

Oauth2 for Authorization and Authentication?

Can Oauth2 be used for authorization and authentication?
As I understand it, Oauth2 authorizes a consumer application to access user information from providers (e.g. Facebook, Google, Twitter, etc).
But can Oauth2 be used to authenticate a user? For example, suppose we have an app comprised of native mobile frontends and a backend API - can Oauth2 be used to validate and maintain authentication on top of the authorization from providers like Facebook, Google, Twitter, etc.?
If yes, how? For example, do we persist the auth token and use it as a session token? Or is OpenID Connect required for authenticating users to a "consumer" app via third-party providers?
OAuth 2.0 in its spec-compliant form cannot be used for user authentication. Having said that, one can develop an extension to OAuth 2.0 that would allow for user authentication. Some providers, e.g. Facebook, have done just that.
But there is also a standardized extension of OAuth 2.0 that allows for user authentication, called OpenID Connect. OpenID Connect is required indeed if you want to authenticate users to a consumer app via 3rd party providers in a standardized way. The token format of OpenID Connect is a JWT and the token itself is called id_token. You may use an id_token as a session token.
For an extensive article on OAuth 2.0 and user authentication see http://oauth.net/articles/authentication/