This topic has 11 replies, 5 voices, and was last updated 1 year, 11 months ago by sireeshanp.
-
AuthorPosts
-
July 10, 2020 at 3:04 am #28052
ray.deng83
ParticipantIn the OAuth Auth Code flow, is it possible to pass a parameter in the body and return that value in the Access Token when exchanging the Code for the Token?
For example, the code is fetched and then the following POST body will be used to fetch the Access Token.
{
“grant_type” : “authorization_code”,
“client_id” : “myClient”,
“client_secret” : “mySecret”,
“code” : “g5B3qZ8rWzKIU2xodV_kkSIk0F4”,
“userId” : “user123”
}In this POST body, an extra (userID) key/value is passed. Is it possible to return that key/value in the Access Token?
I’m thinking modifying the ‘OAuth2 Access Token Modification’ script, but couldn’t find a way to retrieve the POST body. Any suggestion is appreciated. Thanks.
Best,
LeJuly 10, 2020 at 9:22 am #28053Andrew Potter
ParticipantAM supports the Claims Request Parameter described in the OIDC spec. Maybe that will work for you?
AM docs: https://backstage.forgerock.com/docs/am/6.5/oauth2-guide/index.html#global-oauth-oidc-advanced-openid-connect
OIDC spec: https://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameterJuly 10, 2020 at 2:12 pm #28054ray.deng83
ParticipantThanks for the reply Andrew. There will be no id_token returned, only access token returned in our use case. So I guess we can’t use Claim Parameter in this case.
July 10, 2020 at 5:01 pm #28055Jatinder Singh
ParticipantHowdy!
What you are attempting to do is quite similar to how NONCE in OIDC works where it can be sent along in the
/authorize
request and have AS return it as part ofID_TOKEN
. In OIDC flow, it helps mitigate replay attacks and allows clients to validate ID Tokens. The way that implementation works is – theNONCE
parameter is persisted along with authorization code in the CTS. That is the only way AS can retrieve and inject that value back in the OIDC token.In your case it is the OAuth2 flow as opposed to OIDC – you will have to follow the same design and persist your
userId
when creating authorization code. Please take a look atDefaultOAuth2TokenStoreImpl.class
.Hope this helps!
July 10, 2020 at 11:38 pm #28059ray.deng83
ParticipantHi Jatinder,
Thanks for the information. We are using AM 6.5.2.1. Do we need to sign a consent to get the source code?
Best,
LeJuly 13, 2020 at 1:33 am #28061ray.deng83
ParticipantI’m wondering whether it is possible to retrieve the parameter directly from the request. If that’s possible, it would make things much easier.
July 13, 2020 at 4:10 am #28062Scott Heger
ParticipantI would look into using a custom scope validator class. I did something similar where I passed a custom scope in my request and my custom scope validator processed it and did whatever I wanted with it. In your case you could pass a custom scope that was something like
userId:user123
and have your scope validator process it. See: https://backstage.forgerock.com/docs/am/6.5/oauth2-guide/#sec-oauth2-scopes.July 13, 2020 at 2:05 pm #28063ray.deng83
ParticipantHi Scott,
That could be a doable workaround. Let me check on that. Thanks for the suggestion!
Best,
LeJuly 13, 2020 at 4:29 pm #28067Jatinder Singh
ParticipantI was under the impression you plan to send your
userId
in the/authorize
request and want AS send it back in the token JWT as part of code exchange. Persisting data in CTS is the only way around that problem. If that is not the case and you are instead sending data part of token request, Scott’s answer is spot on and you can utilizeadditionalDataToReturnFromTokenEndpoint
where you have access toOAuth2Request
which encapsulates the originalHttpRequest
object.July 20, 2020 at 11:55 pm #28088sireeshanp
ParticipantHi Scott
I have a similar requirement where I need to pass a userid attribute as a custom scope while generating the access token per user and get that userid back at the time of validation. Do you have any sample code how to do this?
thanks
SireeshaJuly 21, 2020 at 3:29 am #28089Scott Heger
ParticipantHi @sireeshanp,
You won’t need custom code for that. Just add your userid attribute to the Scope(s) configuration field of your client profile (assuming you have also added it to your Identity Store’s LDAP User Attributes list if it is not already there). See https://backstage.forgerock.com/docs/am/6.5/oauth2-guide/#configure-oauth2-client for details on Scope(s) and Default Scope(s).
Hopefully that answers your question.
Regards,
ScottJuly 21, 2020 at 4:26 am #28090sireeshanp
Participanthi Scott, I tried using resource owner password grant type passing cn or email as scopes (curl below), I am getting access token with scopes as sting cn and email instead of actual user attributes. However I am able to get the user attribute in user_id in the response, this partially serves what I am looking for.
curl -X POST \
http://xxxxxxxxxx.iam.com/am/oauth2/realms/root/realms/customers/access_token \
-u “myClientID:password”
-H ‘Content-Type: application/x-www-form-urlencoded’ \
-d ‘grant_type=password&username=testRegistration4%40gmail.com&password=********&scope=cn’However the challenge I have is I want to use a grant type where I dont need to pass user password, but still be able to generate an access token embedded with an user attribute (email/any other unique attribute)
Which grant type supports this? If I run the introspect curl below, I want to see the user attribute in the responsecurl -X POST \
http://xxxxx.iam.com/am/oauth2/realms/root/realms/customers/introspect \
-H ‘Content-Type: application/x-www-form-urlencoded’ \
-d ‘client_id=abcdxyz&client_secret=********&token=y51W-biyLmYhtrhpxZe4lcTAtr8’ -
AuthorPosts
You must be logged in to reply to this topic.