Showing posts with label JWT. Show all posts
Showing posts with label JWT. Show all posts

Thursday, 27 July 2023

Use Postman to get your MFA Bearer token

Short recording to show how to get my Bearer token using my Microsoft AAP account.

Get MFA bearer token using postman

I used this post to help me: Authorizing requests overview | Postman Learning Center

Posted by Paul Beck at 20:59 0 comments
Labels: , , ,

Monday, 26 October 2020

Identity Server - OAuth and OIDC

Overview:  The current version of Identity Server is 4.  Identity server is basically a .NET Core 3.1 application that is an Identity Provider (IdP) similar in role to PingId, SiteMinder, AAD b2C.  Identity server allows applications (native mobile, websites and servers) to securely authenticate users.  In this post, OAuth means OAuth2.0.

OAuth2 Grant Types:

Flow Description Client Grant Type
Authorisation with PK Authorisation Code Grant Type.  Default choice for authorization. Native mobile Apps, Windows app, Browser Apps Code
Client Credential Server-to-server (S2S) communication is also referred to as Machine-to-machine (M2M). Server,Consoles,Services ClientCredentials
Implicit Instead, use the Authorisation Code Flow with PKCE (if possible) Native Apps & SPA's often use Implicit Flow Implicit
Hybrid
Device Primarily for devices with limited input capabilities, it allows users to authenticate by entering a code on a separate device with a browser. IoT devices, anything with limited input capabilities. Also can be for Native mobile Apps, Windows apps, and Desktop consoles. Device
Resource Owner Pswd Don't use

Scopes: The authorisation Server specifies the "scope" that the user has consented to.  So, for an API, you can limit the actions the user can perform.  Scopes must be unique strings.  Recommendation is to name your scopes by the API and the Verb, e.g. "pauls_api.read" is better than "read".  Scopes are used to give the user access to resources, so "read" is not a good idea.  Also, scopes have length limits, so don't be crazy verbose in naming.

Mandatory Endpoints:  OAuth specifies 2 endpoints, namely:
  1. /authorization endpoint - gets the access grant and user consent (only code and implicit flows use this endpoint)
  2. /token Endpoint - issues tokens (client credential only uses the token endpoint, obviously code & implicit flow use both endpoints)
Optional Endpoint Extensions:
  • /revoke - used to revoke a token
  • /userinfo - used to hold profile info for the user, e.g. name, email.  The /userinfo endpoint is used in OIDC implementations of OAuth and specifies that the user must use the following scopes: address, phone, email, and profile.
  • /.well-known/oauth-authorization-server - useful to discover the actual OAuth implementation.
Tokens
Access Token:
  • JSON Web Token (JWT), pronounced "JOT", is an access token that contains authorisation and profile data.  The alternative is to use Opaque to JWT, but most implementations use JWT.  
  • JWT's need to be validated using the signature.  The JWT Access Token is base64 encoded and consists of three parts separated by period signs, i.e. , HEADER.PAYLOAD.SIGNATURE


Refresh Token:
  • Refresh tokens are opaque
  • Single endpoint with a single function to get a new Access Token.


Interactive description of the OAuth Code Flow process:


Posted by Paul Beck at 23:07 0 comments
Labels: , , , , , , ,

Tuesday, 12 February 2019

Using Box.com Programmaticly - Part 2

Also see: Part 1 post on Using Box.com and Troubleshooting Box.com programmatic access.

Overview:  The last post outlines programmatic access box.  This post shall do the same but use the JWT approach that does not expire the access token.

Steps:
  1. Setup the JWT
  2. Retrieve the config.json file
  3. Program out access as shown below using the .NET SDK for Box.com:
        private static BoxClient GetAuthenticatedClient()
        {
            try
            {
                IBoxConfig config = null;
                using (FileStream fs = new FileStream(ConfigSettings.ConfigFilePath, FileMode.Open))
                {
                    config = BoxConfig.CreateFromJsonFile(fs);
                }
                var jwt = new BoxJWTAuth(config);
                var userToken = jwt.UserToken(ConfigSettings.UserId);
                return jwt.UserClient(userToken, ConfigSettings.UserId);
            }
            catch (Exception ex)
            {
                Utilities.WriteLog("GetAuthenticatedClient", ex.Message, ex.StackTrace);
            }
            return null;
        }

var fr = new BoxFolderRequest                {
            Name = FolderName,
            Description = "Created through code",
            Parent = new BoxRequestEntity { Id = "6665556661"}

            };   // Specify the new folder details
BoxClient = GetAuthenticatedClient();
var folder = BoxClient.FoldersManager.CreateAsync(fr, null).Result;  // Create a new folder

Alternatively create the JWT by hand and don't use the SDK's:




















Simple C# SDK example using a JWT








The below image outlines the Developer console settings I used to get Box.com SDK working for C#

 Tip:  Ensure the App has been shared with the folder you are working on, unless your app has enterprise rights, then it's work anyway.











To see the email adress of the app, you can use the following URL: https://paulbeck.app.box.com/app-api/enduserapp/contacts


Posted by Paul Beck at 13:04 0 comments
Labels: ,
Subscribe to: Comments (Atom)