Forum Replies Created
July 13, 2016 at 8:45 am #11996
Base URL provider also didn’t work, as I had mentioned in the problem statement. I fixed it by having a proxy in the HTTP connector of the Apache Tomcat server.

April 11, 2016 at 7:22 am #9425
Hi Yogesh, for revoking, use the DELETE method and an amadmin token instead of POST and client ID/secret.

April 11, 2016 at 6:43 am #9423
Hi Rajesh, thanks for the quick reply. The issue I described is slightly different from it. The issue I am facing is that the OAuth 2.0 authorization consent page is trying to load insecure content (JS, img) over a secure connection. Hence the browser shows a blank page with a notification to the user in the top right corner which says:
This page is trying to load scripts from unauthenticated sources.
Load unsafe scripts.
When we click on “Load unsafe scripts” the consent page comes up and the flow works fine from there. My concern here is how/where/what to configure in OpenAM so that it loads all the contents of the HTML (here the consent form) based on the protocol the user requested (in this case HTTPS).

October 26, 2015 at 6:12 am #5959
Another issue (not sure if it is actually an issue):
Step 1. Acquiring the access token:
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW (generated using the client username and client password)
OpenAM returned a successful response with an access token and a refresh token.
Note: Here the Authorization header contains the credentials of an OAuth 2.0 client, and the username and password in the body are also those of another OAuth 2.0 client (not sure of the actual use case where this can be used).
Step 2. Trying to delete this token using:
/frrest/oauth2/token/<token-id> (DELETE request)
This returns “Access Denied”.
So in my opinion either Step 1 should fail (if client credentials cannot be used in the body) or Step 2 should pass (the user should have the ability to revoke any access/refresh token he has granted to any client). Let me know your thoughts on this.
Syed

October 16, 2015 at 12:38 pm #5875
RFC 7009 is a supplement to RFC 6749. Below is an extract from the same for your reference:
The OAuth 2.0 core specification [RFC6749] defines several ways for a client to obtain refresh and access tokens. This specification supplements the core specification with a mechanism to revoke both types of tokens.
So, this RFC talks about token revocation. Does OpenAM support this RFC?
Syed

October 15, 2015 at 6:51 am #5838
I am developing an API based on RFC 7009 (http://tools.ietf.org/html/rfc7009#section-2.1).
As per this RFC:
If the particular token is a refresh token and the authorization server supports the revocation of access tokens, then the authorization server SHOULD also invalidate all access tokens based on the same authorization grant.
Version of OpenAM:
1. If a refresh token is passed, then only the refresh token is revoked/deleted. If I get multiple access tokens using this refresh token, all the access tokens are still valid.
2. Also, it is mentioned in the RFC that client credentials are mandatory for revoking a token, which I don’t see being considered in the API.
OpenAM APIs used:
1. /frrest/oauth2/token/<token-id>?_action=revoke (POST request)
2. /frrest/oauth2/token/<token-id> (DELETE request)
Thanks

October 13, 2015 at 6:29 am #5794
Hi Sripathy, I am looking at a use case where a user has granted access to an app on multiple devices that he is using (like mobile, tablet, etc.) and now he wants to revoke access from one of the devices and is trying to uninstall the app. So in this case only the access/refresh token from that device should be revoked, and the other tokens which are being used by the other devices should still be valid.
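To make the expected behaviour concrete (the RFC 7009 cascade from the October 15 post and the per-device use case above), here is an added toy token store, written for this page and not OpenAM's own code: revocation requires the owning client's credentials, revoking a refresh token also invalidates every access token minted under the same grant, and grants belonging to other devices are left alone. Class and method names, the sample client "app" and the user "alice" are constructed.

```python
import secrets


class TokenStore:
    """Toy authorization-server token store with RFC 7009 revocation
    semantics (constructed example, not OpenAM's own implementation)."""

    def __init__(self):
        self._clients = {}  # client_id -> client_secret (constructed sample data)
        self._tokens = {}   # token -> (kind, client_id, grant_id)

    def register_client(self, client_id, client_secret):
        self._clients[client_id] = client_secret

    def issue_grant(self, client_id, user):
        """One authorization grant per device/consent; returns its refresh token."""
        grant_id = f"{user}:{secrets.token_hex(4)}"
        refresh = secrets.token_urlsafe(16)
        self._tokens[refresh] = ("refresh_token", client_id, grant_id)
        return refresh

    def issue_access_token(self, refresh):
        """Access tokens inherit the grant of the refresh token that minted them."""
        kind, client_id, grant_id = self._tokens[refresh]
        if kind != "refresh_token":
            raise ValueError("not a refresh token")
        access = secrets.token_urlsafe(16)
        self._tokens[access] = ("access_token", client_id, grant_id)
        return access

    def is_valid(self, token):
        return token in self._tokens

    def revoke(self, token, client_id, client_secret):
        """RFC 7009 section 2.1: the client authenticates, and the token must
        have been issued to that client.  Revoking a refresh token also
        invalidates every access token of the same grant; other grants
        (other devices of the same user) are untouched.  Returns True if a
        token was revoked, False for an unknown or foreign token."""
        expected = self._clients.get(client_id)
        if expected is None or not secrets.compare_digest(expected, client_secret):
            raise PermissionError("invalid_client")
        entry = self._tokens.get(token)
        if entry is None or entry[1] != client_id:
            return False
        kind, _, grant_id = entry
        victims = [token] if kind == "access_token" else [
            t for t, (_, _, g) in self._tokens.items() if g == grant_id]
        for t in victims:
            del self._tokens[t]
        return True
```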