Azure AD B2C Validate JWT with PHP - php

Warning: I am a total JWT newb and trying to figure it all out.
First...what I understand:
JWT contains three segments separated by . The first part can be base64 decoded to get "something" where I can validate the claims in the 2nd (and 3rd?) segment.
I am able to get the id_token back and can separate each segment into its respective JSON object...but that's not secure at all :)
I took a look at this https://github.com/firebase/php-jwt but I am unsure what KEY I need to supply to decode the JWT. (I know I can decode the first segment and get the kid used for the JWT, but when I have that specific key object, I'm not sure what to pass to firebase to decode it.) https://login.microsoftonline.com/fabrikamb2c.onmicrosoft.com/discovery/v2.0/keys?p=b2c_1_sign_in
Please excuse my horrible understanding of JWT :/
EDIT: More Info
Using this ID TOKEN:
eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IklkVG9rZW5TaWduaW5nS2V5Q29udGFpbmVyIn0.eyJleHAiOjE0NDIzNjAwMzQsIm5iZiI6MTQ0MjM1NjQzNCwidmVyIjoiMS4wIiwiaXNzIjoiaHR0cHM6Ly9sb2dpbi5taWNyb3NvZnRvbmxpbmUuY29tLzc3NTUyN2ZmLTlhMzctNDMwNy04YjNkLWNjMzExZjU4ZDkyNS92Mi4wLyIsImFjciI6ImIyY18xX3NpZ25faW5fc3RvY2siLCJzdWIiOiJOb3Qgc3VwcG9ydGVkIGN1cnJlbnRseS4gVXNlIG9pZCBjbGFpbS4iLCJhdWQiOiI5MGMwZmU2My1iY2YyLTQ0ZDUtOGZiNy1iOGJiYzBiMjlkYzYiLCJpYXQiOjE0NDIzNTY0MzQsImF1dGhfdGltZSI6MTQ0MjM1NjQzNCwiaWRwIjoiZmFjZWJvb2suY29tIn0.h-uiKcrT882pSKUtWCpj-_3b3vPs3bOWsESAhPMrL-iIIacKc6_uZrWxaWvIYkLra5czBcGKWrYwrAC8ZvQeDJWZ50WXQrZYODEW1OUwzaD_I1f1HE0c2uvaWdGXBpDEVdsD3ExKaFlKGjFR2V7F-fPThkVDdKmkUDQX3bVcyyj2V2nlCQ9jd7aGnokTPfLfpOjuIrTsAdPcGpe5hfSEuwYDmqOJjGs9Jp1f-eSNEiCDQOaTBSvr479L5ptPXWeQZyX2SypN05Rjr05bjZh3j70ZUimiocfJzjibeoDCaQTz907yAg91WYuFOrQxb-5BaUoR7K-O7vxr2M-_CQhoFA
I can decode the header segment eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IklkVG9rZW5TaWduaW5nS2V5Q29udGFpbmVyIn0 to {"typ":"JWT","alg":"RS256","kid":"IdTokenSigningKeyContainer"}
then looking at https://login.microsoftonline.com/fabrikamb2c.onmicrosoft.com/discovery/v2.0/keys?p=b2c_1_sign_in
I know that this key object was used
{"kid":"IdTokenSigningKeyContainer","use":"sig","kty":"RSA","e":"AQAB","n":"tLDZVZ2Eq_DFwNp24yeSq_Ha0MYbYOJs_WXIgVxQGabu5cZ9561OUtYWdB6xXXZLaZxFG02P5U2rC_CT1r0lPfC_KHYrviJ5Y_Ekif7iFV_1omLAiRksQziwA1i-hND32N5kxwEGNmZViVjWMBZ43wbIdWss4IMhrJy1WNQ07Fqp1Ee6o7QM1hTBve7bbkJkUAfjtC7mwIWqZdWoYIWBTZRXvhMgs_Aeb_pnDekosqDoWQ5aMklk3NvaaBBESqlRAJZUUf5WDFoJh7yRELOFF4lWJxtArTEiQPWVTX6PCs0klVPU6SRQqrtc4kKLCp1AC5EJqPYRGiEJpSz2nUhmAQ"}
so...what value for the key would I pass to firebase?

Just in case anyone is looking to get up and running quickly and/or is confused as I was, may I recommend the link @astaykov pointed out in the question's comments:
https://github.com/Azure-Samples/active-directory-b2c-php-webapp-openidconnect
Along with a simple class I created for the Authorization Code grant (it handles getting the SSO URL and the OAuth2 token, and validating the id_token using external libraries):
https://gist.github.com/rcosgrave/ec92938181096fd8847a38c9cc6a37d0
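The step the question is really asking about, as an added example that is not code from the question, the Azure sample or the gist: the value to pass to firebase/php-jwt is neither the kid nor the raw "n" string but an RSA public key built from the JWK's "n" and "e", which JWK::parseKeySet does for you. This assumes firebase/php-jwt 6.x (the default-algorithm argument of parseKeySet needs 6.1 or later); the expected issuer and audience are taken from the decoded payload of the sample token in the question and stand in for your own tenant ID and application ID.

```php
<?php
declare(strict_types=1);

// Added example: validate an Azure AD B2C id_token with firebase/php-jwt 6.x.
// Tenant and application values are placeholders taken from the sample token.
require __DIR__ . '/vendor/autoload.php';

use Firebase\JWT\ExpiredException;
use Firebase\JWT\JWK;
use Firebase\JWT\JWT;

/**
 * Verify a B2C id_token and return its claims, or throw.
 *
 * @param string $idToken        raw id_token from the token endpoint
 * @param array  $jwks           decoded JSON of .../discovery/v2.0/keys?p=<policy>
 * @param string $expectedIssuer the "iss" your tenant/policy puts in tokens
 * @param string $expectedAud    your application (client) ID
 */
function validateB2cIdToken(string $idToken, array $jwks, string $expectedIssuer, string $expectedAud): stdClass
{
    // Builds an RSA public key from "n"/"e" for every entry and returns Key
    // objects indexed by "kid". The B2C JWKS entries carry no "alg" member,
    // so RS256 is supplied as the default algorithm.
    $keys = JWK::parseKeySet($jwks, 'RS256');

    // Picks the key named by the header "kid", rejects a header "alg" that
    // differs from the key's algorithm (no alg=none / HMAC confusion), checks
    // the RS256 signature and the exp/nbf/iat claims. Throws on any failure.
    $claims = JWT::decode($idToken, $keys);

    // A valid signature only proves Microsoft signed it; it must also have
    // been issued by your tenant/policy for your application.
    if (!is_string($claims->iss ?? null) || !hash_equals($expectedIssuer, $claims->iss)) {
        throw new UnexpectedValueException('Unexpected issuer');
    }
    if (!in_array($expectedAud, (array) ($claims->aud ?? []), true)) {
        throw new UnexpectedValueException('Token was not issued for this application');
    }
    return $claims;
}

// In production fetch this JSON from the keys URL in the question and cache it
// (the keys rotate). Here it is the key object quoted in the question.
$jwks = ['keys' => [[
    'kid' => 'IdTokenSigningKeyContainer',
    'use' => 'sig',
    'kty' => 'RSA',
    'e'   => 'AQAB',
    'n'   => 'tLDZVZ2Eq_DFwNp24yeSq_Ha0MYbYOJs_WXIgVxQGabu5cZ9561OUtYWdB6xXXZLaZxFG02P5U2rC_CT1r0lPfC_KHYrviJ5Y_Ekif7iFV_1omLAiRksQziwA1i-hND32N5kxwEGNmZViVjWMBZ43wbIdWss4IMhrJy1WNQ07Fqp1Ee6o7QM1hTBve7bbkJkUAfjtC7mwIWqZdWoYIWBTZRXvhMgs_Aeb_pnDekosqDoWQ5aMklk3NvaaBBESqlRAJZUUf5WDFoJh7yRELOFF4lWJxtArTEiQPWVTX6PCs0klVPU6SRQqrtc4kKLCp1AC5EJqPYRGiEJpSz2nUhmAQ',
]]];

$idToken = $_POST['id_token'] ?? '';   // however your app receives the token
try {
    $claims = validateB2cIdToken(
        $idToken,
        $jwks,
        'https://login.microsoftonline.com/775527ff-9a37-4307-8b3d-cc311f58d925/v2.0/',
        '90c0fe63-bcf2-44d5-8fb7-b8bbc0b29dc6'
    );
    // The sample token's "sub" reads "Not supported currently. Use oid claim.",
    // so key the user record on "oid".
    echo 'Signed-in user: ', $claims->oid ?? '(no oid claim)', PHP_EOL;
} catch (ExpiredException $e) {
    http_response_code(401);
    echo 'Token expired (the sample token in the question expired in 2015)', PHP_EOL;
} catch (Exception $e) {
    http_response_code(401);
    echo 'Token rejected: ', $e->getMessage(), PHP_EOL;
}
```

JWT::decode does not check "iss" or "aud" for you; without those two comparisons any token signed by the same Microsoft key, for any other B2C application, would be accepted. Clock skew between your server and the issuer can be absorbed with `JWT::$leeway`, kept to a few seconds.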

Related

How users should pass a token for oauth2

I'm trying to get my head around adding oauth2 to an API I've created.
Currently, I've got calls that require a unique key in the URL e.g.
https://apilocation.com/api/{unique_key_here}/action/
I've just added the ability for someone to get an access_token using:
https://apilocation.com/api/{unique_key_here}/oauth2/token
and a username + secret key
which works fine and returns the token in a JSON array.
https://bshaffer.github.io/oauth2-server-php-docs/cookbook/
is what I'm following
Where I'm stuck is how best to get them to use the access token and pass it in their calls to the API. I could get them to fetch the token each time they want to use the API and then include that in all their calls so I can validate it, but that seems clunky. The backend is built on PHP and MySQL and I want it to be easy for people who aren't very used to coding to be able to make calls.
I've looked at the following:
passing in the request url
passing it as a post var
partially as a header but felt it was clunky for a new user

Facebook returning token as hash instead of part of the query string

I am using https://www.facebook.com/v2.10/dialog/oauth endpoint to get access tokens in order to publish on behalf of my users.
I am trying to follow this guide: https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow/
My request looks like this: https://www.facebook.com/v2.10/dialog/oauth?client_id=...&response_type=code%20token%20granted_scopes&redirect_uri=...
And I am getting the following back: http://localhost:8000/?%2Fcallback&some=query#access_token=...&expires_in=6094
The question is why I am getting the token and expire_in as hash (notice the # above) instead of part of the query string so I can capture it by PHP's $_GET? And how can I fix that?
The parameter response_type specifies what you get back, see https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow#login
You can choose whether you want a code returned as a GET parameter, a token in the hash, or both, for a client- and server-side app that might need the token on both sides but would, on the server side, rather exchange a code via the API than trust a token sent from the client. And you can also ask for the granted scope of permissions the user accepted, for apps that need to know whether certain essential permissions were granted; that can save an extra API request.

Firebase Token Verification

I have a PHP backend and an Android client. With the client the users can log into my app using either Google or Facebook, both via Firebase. I get the token from the FirebaseUser and send it to my server. It is straightforward that the first section (the header) contains the algorithm (which is RS256) and the second one (the payload) has all the user related data. There's a third section which is the signature of the first two to enable verification on my backend. The problem is, I don't know how to do that. More specifically with what.
I used JWT.io to check my token and tried to verify it with no luck. Since the algorithm used is RS256, the verification should be done via the public key. But what public key? I tried with my app's keystore, tried it with Google's certs, but it just keeps saying it's invalid. I understand that the header's kid field is the signing key's ID and I should look for it, but I don't know where.
The Firebase docs don't help either. There is a guide about ID token verification, but that's just useless because it's Java / Node.JS and it still doesn't say anything about public keys.
So the question is: where do I get the public keys from?
Okay, so I dug into the source of the Firebase Server SDK and found the location of the public keys:
https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com
Don't really know why they just couldn't put it on their website...
Anyways, I'm not sure, but I guess that these keys change on a daily basis (just like the OAuth2 keys do), so you must check and re-cache them on your server every now and then.
Also, you have to check the following values:
alg == "RS256"
iss: https://securetoken.google.com/<firebaseProjectID>
aud: <firebaseProjectID>
sub is non-empty
Found these at this similar question (just scroll to the bottom of the answer), which was found by searching for that specific googleapis.com URL.
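The verification the answer describes, as an added example that is neither the answer's nor Firebase's own code. The keys URL returns a JSON object mapping each kid to an X.509 certificate in PEM form, so the key material is a certificate rather than a JWK; the example assumes firebase/php-jwt 6.x, caches the certificates for the max-age Google sends in Cache-Control (the "re-cache them every now and then" point), and enforces the four claim rules listed above. The project ID and cache path are placeholders.

```php
<?php
declare(strict_types=1);

// Added example: verify a Firebase ID token in PHP with firebase/php-jwt 6.x.
// Project ID and cache file are placeholders.
require __DIR__ . '/vendor/autoload.php';

use Firebase\JWT\JWT;
use Firebase\JWT\Key;

const FIREBASE_CERTS_URL =
    'https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com';

/**
 * Return the kid => PEM certificate map, cached until the max-age Google
 * advertises expires. The keys rotate, so never hard-code them.
 */
function firebasePublicCerts(string $cacheFile): array
{
    if (is_file($cacheFile)) {
        $cached = json_decode((string) file_get_contents($cacheFile), true);
        if (is_array($cached) && ($cached['expires'] ?? 0) > time()) {
            return $cached['certs'];
        }
    }
    $body = file_get_contents(FIREBASE_CERTS_URL);  // also populates $http_response_header
    if ($body === false) {
        throw new RuntimeException('Could not fetch Firebase public certificates');
    }
    $maxAge = 3600;  // fallback when no Cache-Control max-age is sent
    foreach ($http_response_header as $header) {
        if (preg_match('/^Cache-Control:.*max-age=(\d+)/i', $header, $m)) {
            $maxAge = (int) $m[1];
        }
    }
    $certs = json_decode($body, true, 512, JSON_THROW_ON_ERROR);
    file_put_contents(
        $cacheFile,
        json_encode(['expires' => time() + $maxAge, 'certs' => $certs]),
        LOCK_EX
    );
    return $certs;
}

/**
 * Verify the signature plus the alg / iss / aud / sub rules from the answer.
 */
function verifyFirebaseIdToken(string $idToken, array $certs, string $projectId): stdClass
{
    // One RS256 Key per certificate. JWT::decode selects the certificate named
    // by the header "kid" and refuses any header "alg" other than RS256, which
    // covers the alg == "RS256" rule and blocks alg=none / HMAC-with-public-key tricks.
    $keys = [];
    foreach ($certs as $kid => $pem) {
        $keys[$kid] = new Key($pem, 'RS256');  // openssl_verify accepts a PEM certificate
    }
    $claims = JWT::decode($idToken, $keys);   // signature, exp, nbf, iat

    if (($claims->iss ?? null) !== 'https://securetoken.google.com/' . $projectId) {
        throw new UnexpectedValueException('Wrong issuer');
    }
    if (($claims->aud ?? null) !== $projectId) {
        throw new UnexpectedValueException('Token not issued for this project');
    }
    if (!is_string($claims->sub ?? null) || $claims->sub === '') {
        throw new UnexpectedValueException('Empty subject');
    }
    return $claims;
}

// Usage: the Android client posts the token it got from FirebaseUser.
$projectId = 'my-firebase-project';   // placeholder: your Firebase project ID
try {
    $certs  = firebasePublicCerts(sys_get_temp_dir() . '/firebase-certs.json');
    $claims = verifyFirebaseIdToken($_POST['idToken'] ?? '', $certs, $projectId);
    echo 'Firebase uid: ', $claims->sub, PHP_EOL;
} catch (Exception $e) {
    http_response_code(401);
    echo 'Token rejected: ', $e->getMessage(), PHP_EOL;
}
```

If a token arrives with a kid that is not in the cached map, the most likely cause is a key rotation since the last fetch; refetching once before rejecting avoids a burst of failed logins around each rotation.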

Get Twitter userid from access token only

This may be duplicated with other articles, but I can't figure out how to do it after reading all of those.
I'm working on a back-end project in PHP and we are isolated from the front-end. According to the documentation from the front-end team, they will pass an access token and need the back-end to pull userid from Twitter's server.
Is there any way to do it? I could pull the data if I have oauth_signature and oauth_nonce, but they only give us the access_token.
I could pull the data if I have oauth_signature and oauth_nonce
That's not correct. oauth_signature is generated based on the application secret and request parameters. oauth_nonce is just a random string.
So you need to get access_token and access_token_secret and perform a GET account/verify_credentials request.
Further reading:
https://dev.twitter.com/docs/auth/implementing-sign-twitter
https://www.rfc-editor.org/rfc/rfc5849
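The request the answer points to, as an added example (not the answer's code) of how OAuth 1.0a signs GET account/verify_credentials per RFC 5849 with HMAC-SHA1. It makes the answer's point concrete: the signing key is the consumer secret joined with the token secret, and the nonce and timestamp are fresh per request, so a front end that hands over only the access_token cannot give the back end enough to produce oauth_signature. All four credential values are placeholders.

```php
<?php
declare(strict_types=1);

// Added example: OAuth 1.0a (RFC 5849) HMAC-SHA1 signing for a Twitter call.
// Credentials are placeholders.

/**
 * Build the "Authorization: OAuth ..." header for one request.
 *
 * @param array $query query-string parameters of the request (name => value)
 * @param array $creds consumer_key, consumer_secret, access_token, access_token_secret
 */
function oauth1AuthorizationHeader(string $method, string $url, array $query, array $creds): string
{
    $oauth = [
        'oauth_consumer_key'     => $creds['consumer_key'],
        'oauth_nonce'            => bin2hex(random_bytes(16)),   // random per request
        'oauth_signature_method' => 'HMAC-SHA1',
        'oauth_timestamp'        => (string) time(),
        'oauth_token'            => $creds['access_token'],
        'oauth_version'          => '1.0',
    ];

    // Signature base string (RFC 5849 section 3.4.1): METHOD & enc(URL) & enc(params),
    // where params = query + oauth_* pairs, each name and value RFC 3986-encoded
    // (rawurlencode), sorted by encoded name, joined with "=" and "&".
    $encoded = [];
    foreach (array_merge($query, $oauth) as $name => $value) {
        $encoded[rawurlencode((string) $name)] = rawurlencode((string) $value);
    }
    ksort($encoded, SORT_STRING);
    $pairs = [];
    foreach ($encoded as $name => $value) {
        $pairs[] = $name . '=' . $value;
    }
    $baseString = strtoupper($method) . '&' . rawurlencode($url) . '&' . rawurlencode(implode('&', $pairs));

    // Signing key (RFC 5849 section 3.4.2): enc(consumer secret) & enc(token secret).
    // Both secrets are needed; the access token by itself cannot produce this value.
    $signingKey = rawurlencode($creds['consumer_secret']) . '&' . rawurlencode($creds['access_token_secret']);
    $oauth['oauth_signature'] = base64_encode(hash_hmac('sha1', $baseString, $signingKey, true));

    $parts = [];
    foreach ($oauth as $name => $value) {
        $parts[] = rawurlencode($name) . '="' . rawurlencode($value) . '"';
    }
    return 'OAuth ' . implode(', ', $parts);
}

// Usage: fetch the authenticated user's ID.
$creds = [
    'consumer_key'        => 'YOUR_CONSUMER_KEY',          // placeholders
    'consumer_secret'     => 'YOUR_CONSUMER_SECRET',
    'access_token'        => 'USER_ACCESS_TOKEN',
    'access_token_secret' => 'USER_ACCESS_TOKEN_SECRET',
];
$url = 'https://api.twitter.com/1.1/account/verify_credentials.json';
$ch  = curl_init($url);
curl_setopt_array($ch, [
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_HTTPHEADER     => ['Authorization: ' . oauth1AuthorizationHeader('GET', $url, [], $creds)],
]);
$response = curl_exec($ch);
curl_close($ch);
$user = json_decode((string) $response, true);
echo 'Twitter user id: ', $user['id_str'] ?? '(request failed)', PHP_EOL;
```

When the request carries query parameters, pass them in `$query` and also append them to the URL given to cURL; the base string must use the URL without its query part and include those parameters in the sorted list, or the server will compute a different signature.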

LinkedIn PHP api issues

Today, after we migrated to the new member permissions API, everything went wrong.
I'm using the consumer key and secret that I've got from the LinkedIn API dashboard itself, with the OAuth token and secret as well.
There are 3 kinds of problems that keep coming up:
first one:
{"errorCode": 0,"message": "Could not find person based on: ~","requestId": "7GPT96SW3C","status": 404,"timestamp": 1369827647671}
second:
<error><status>401</status><timestamp>1369826490661</timestamp><request-id>ZYWPUD43G3</request-id><error-code>0</error-code><message>[unauthorized]. The token used in the OAuth request is not valid. ******</message></error>
third:
com.linkedin.anet.auth.pub.ANetAuthException: other: anetID=*****
Has anyone got some of these too? If yes, how did you solve them?
Thanks!
Once you have authenticated the user, you no longer need to make the access token calls - simply store the access token and reuse that for the subsequent requests.
Check whether you are sending the authentication request once or twice; it may be the case that your token is getting replaced by another request.
I've gotten the 401 and fixed it by correcting the URL, which I was formatting incorrectly and consequently requesting a resource that did not exist (reported as unauthorized). You probably have the same issue with your 404 error. Can you please post the specific URLs you are using? That would give a little more insight. Also, make sure that you are not passing params via GET when you should be passing them via POST, and that all your POST requests are via HTTPS.
