The use case occurs once user is authenticated and obtain an oAuth2 access token from Wso2 API Manager and we want to obtain username again from this access token.
To obtain access token I've followed normal steps published on: [API Manager] (http://docs.wso2.org/display/AM160/Token+API#TokenAPI-GeneratingaccesstokenswithusercredentialspasswordgranttypeGenerating)
Does WSO2 AM provide any REST method to solve it?
Yes.. There would be two ways that you can obtain user name
APIM would return the user name with the Access token. Here user name would be embedded with the access token. You can find more details from here
You can obtain the user name and user's attribute during access token verification process. Once access token is verified successfully, It would return back with JWT token which contains user's attributes. Then you can extract use name from JWT. You find more details on here. Basically inside the APIM, you can extract JWT token in transport header. But, if you want to retrieve the JWT token for the use of your application, you can send the access token to "OAuth2TokenValidationService" service and validate it and then it return back with JWT. (But "OAuth2TokenValidationService" is a web service.). You can use web service client to invoke this service (such as SOAPUI)
Related
I'm using django-oauth-toolkit with djangorestframework where our partner user will register their application and get application credentials (client id and client secret) which then used to get access token that can be used further to get our server resources. Upto now I'm able to convert those form based application registration process and other apis through rest. But while I hit for access_token only access token with expire are coming as response. Refresh token also supposed to come along the access token but it's not. What I'm missing here...
Below is the sample api response for access_token
And the oauth2 settings
FYI: I'm using Client type as "Confidential" and Authorization grant type as "Client Credentials"
Findings: This may be helpful for others
There is no need for refresh token for grant type client credentials.
Further descriptions RFC doc ; grant type client credentials
I trying to revoke all permission on withdrawl user
facebook document said will be conducted by calling Url with 'user access token or app access token
https://graph.facebook.com/me/{user_id}/permissions
but i cant attaching user access token in this request, but i can attach app access token in query params.
so i requested this url with app access token, but response message is
"An active access token must be used to query information about the current user."
Can I really request it with an app access token?
/me/{user_id}/ makes no sense as request path here.
You either use /me, in combination with a user or page token - then that alias will resolve to the actual ID of the entity the token belongs to.
Or you use an app-scoped user ID directly.
If you want to perform any actions on a user account using the app access token, then you must use the second version.
https://graph.facebook.com/{user_id}/permissions?access_token={app_access_token}
We have REST Web API written in .NET CORE, which are used on REACT SPA, we are using OKTA with PKCE.
For our API(s) we have end to end test cases written using postman/newman, the API(s) depend on JWT access token for finding user details.
How can I get access token from OKTA for PKCE flow without user interaction?
I followed this for getting access token but even this one throws a browser window for username/password.
https://developer.okta.com/docs/guides/implement-oauth-for-okta/request-access-token/
Is there a way I can pass username and password in the payload and get access token back?
In essence I am after a flow which lets me fetch access token using resource owner username and password on PKCE flow.
It seems with SPA configuration it isn't possible as per OAuth specifications.
Had to create a native app with PKCE and used "Get Access Token with Resource Owner Password Credentials" API in the postman collection available on OKTA
Is it possible to use the Cognito Access Token to generate an ID Token? I couldn't find any documentation on this online.
I'm trying to get an ID Token with custom claims, but the existing solutions don't work for my situation (details here). As a workaround, I'm thinking of manually asking Cognito for an ID Token directly with the Access Token after the user logs in.
What I tried
calling Cognito's /oauth2/userinfo endpoint only returns the basic claims, not the custom claims I had added via the pre token generation lambda trigger.
Adding custom claims/attributes to the access token. Seems like that's not supported.
Idea I haven't explored: use Amplify and somehow get ID Token through there?
You can use your access token to call the getUser method on the Cognito API:
https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetUser.html
That will provide the user attributes:
https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html
This provides the same data as you get on the ID token.
No.
If you need attributes inside an ID token, excluding open id claims such as exp, iss, aud, then maybe it's possible.
But if you need ID token (compliant with OIDC standard claims), then it is only issued by cognito upon specific cognito events.
The purpose of the ID token is to identify the user. ID token is often sent along the Authorisation header of a request to the backend server to be validated as a security measure. Knowing the purpose of the ID token, it will not be strange to understand why there are only specific ways to obtain the ID token.
I am using WSO2 access Grant for securing a web application.when the user logs in with right credential, I generate the token successful by invoking /oauth2/token service. I store this at the client side and when user invokes the next set of APIs, user hits my API with this token. How can validate the token now ?how can I validate the token to check the scope ? Which serviceI can use for validating the token and user is passing the right token associated with him??
You can use OAuth Introspection Endpoint[1] to validate the token,scope
[1] https://docs.wso2.com/display/IS530/Invoke+the+OAuth+Introspection+Endpoint