Forum Replies Created

Viewing 7 posts - 1 through 7 (of 7 total)
    #11996
     suhaibmustafa
    Participant

    Hi,

    The Base URL provider also didn’t work, as I had mentioned in the problem statement. I fixed it by having a proxy in the HTTP connector of the Apache Tomcat server.

    #9425
     suhaibmustafa
    Participant

    Hi Yogesh, for revoking, use the DELETE method and an amadmin token instead of POST and client id/secret.

    #9423
     suhaibmustafa
    Participant

    Hi Rajesh, thanks for the quick reply. The issue I described is slightly different from it. The issue I am facing is that the OAuth 2.0 authorization consent page is trying to load insecure content (JS, images) over a secure connection. Hence the browser shows a blank page with a notification to the user in the top right corner which says:

    This page is trying to load scripts from unauthenticated source.
    Load unsafe scripts.

    When we click on “Load unsafe scripts” the consent page comes up and the flow works fine from there. My concern here is how/where/what to configure in OpenAM so that it loads all the contents of the HTML (here the consent form) based on the protocol the user requested (in this case HTTPS).

    #5959
     suhaibmustafa
    Participant

    Hi Peter/Mike,

    Another issue (not sure if it is actually an issue):
    Step 1. Acquiring the access token:
    Host: server.example.com
    Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW (generated using the client username and client password)
    grant_type=password&username=client_username&password=client_password

    OpenAM returned a successful response with an access token and a refresh token.
    Note: Here the Authorization header contains the credentials of an OAuth 2.0 client, and the username and password in the body are also those of another OAuth 2.0 client (not sure of the actual use case where this can be used).

    Step 2. Trying to delete this token using:
    /frrest/oauth2/token/<token-id> (DELETE request)
    This returns “Access Denied”.

    So in my opinion either Step 1 should fail (if client credentials cannot be used in the body) or Step 2 should pass (a user should have the ability to revoke any access/refresh token he has granted to any client). Let me know your thoughts on this.

    Thanks,
    Syed

    #5875
     suhaibmustafa
    Participant

    Hi Mike,

    RFC 7009 is a supplement to RFC 6749. Below is an extract from the same for your reference:
    The OAuth 2.0 core specification [RFC6749] defines several ways for a client to obtain refresh and access tokens. This specification supplements the core specification with a mechanism to revoke both types of tokens.

    So, this RFC talks about token revocation. Does OpenAM support this RFC?

    Thanks,
    Syed

    #5838
     suhaibmustafa
    Participant

    Hi Mike,

    I am developing an API based on RFC 7009 (http://tools.ietf.org/html/rfc7009#section-2.1).
    As per this RFC:
    If the particular token is a refresh token and the authorization server supports the revocation of access tokens, then the authorization server SHOULD also invalidate all access tokens based on the same authorization grant.

    Version of OpenAM:
    OpenAM 12.0.0

    Problem:
    1. If a refresh token is passed, only the refresh token is revoked/deleted. If I get multiple access tokens using this refresh token, all the access tokens are still valid.
    2. Also, the RFC mentions that client credentials are mandatory for revoking a token, which I don’t see being considered in the API.

    OpenAM APIs used:
    1. /frrest/oauth2/token/<token-id>?_action=revoke (POST request)
    2. /frrest/oauth2/token/<token-id> (DELETE request)

    Thanks

    #5794
     suhaibmustafa
    Participant

    Hi Sripathy, I am looking at a use case where a user has granted access to an app on multiple devices that he is using (like mobile, tablet etc.) and now he wants to revoke access from one of the devices and is trying to uninstall the app. So in this case only the access/refresh token from that device should be revoked, and the other tokens which are being used by other devices should still be valid.
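
The RFC 7009 behaviour questioned in the three posts above (revoking a refresh token cascading to the access tokens of the same grant, client credentials being mandatory, and one device's grant being revocable without touching another's), as an added example that is neither OpenAM code nor from the original thread; the in-memory store, client registry and the 400 status for a token-to-client mismatch are assumptions:

```python
from __future__ import annotations
import secrets
from dataclasses import dataclass

@dataclass
class Token:
    value: str
    kind: str       # "access" or "refresh"
    client_id: str  # client the token was issued to
    grant_id: str   # authorization grant (e.g. one per device) the token derives from
    active: bool = True

class RevocationEndpoint:
    """Minimal RFC 7009 Section 2.1 semantics over an in-memory store (constructed example)."""

    def __init__(self, clients: dict[str, str]):
        self.clients = clients               # client_id -> client_secret (constructed registry)
        self.tokens: dict[str, Token] = {}

    def issue(self, kind: str, client_id: str, grant_id: str) -> str:
        value = secrets.token_urlsafe(16)
        self.tokens[value] = Token(value, kind, client_id, grant_id)
        return value

    def is_active(self, value: str) -> bool:
        tok = self.tokens.get(value)
        return tok is not None and tok.active

    def revoke(self, token: str, client_id: str, client_secret: str) -> int:
        # The client MUST authenticate (Section 2.1); failure is invalid_client -> 401
        expected = self.clients.get(client_id)
        if expected is None or not secrets.compare_digest(expected, client_secret):
            return 401
        tok = self.tokens.get(token)
        # Invalid or unknown tokens are not an error (Section 2.2): still 200
        if tok is None:
            return 200
        # The token must have been issued to the requesting client, otherwise the
        # request is refused; the RFC does not fix the status, 400 is an assumption here
        if tok.client_id != client_id:
            return 400
        tok.active = False
        # Revoking a refresh token SHOULD also invalidate every access token
        # issued under the same authorization grant; other grants are untouched
        if tok.kind == "refresh":
            for other in self.tokens.values():
                if other.grant_id == tok.grant_id and other.kind == "access":
                    other.active = False
        return 200
```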
