Getting the SSO details from an access token

This topic has 16 replies, 7 voices, and was last updated 4 years, 3 months ago by someswara.reddy.karem.

  • #11735
     abhishek.dashin
    Participant

    Hi,

    I have a requirement where my API will be getting an access_token (OAuth) as a header param and I have to fetch the active session/ssoToken for that user. Is there any way to achieve that via the SDK or REST endpoints? The version which I am using is 12.0.0.

    Thanks in Advance!

    #11800
     abhishek.dashin
    Participant

    I know that OpenAM creates a session/SSO internally whenever it creates an access_token. It is not persisted to the CTS. I just need a way to exchange my access_token for an ssotoken.

    #11803
     Tejansh
    Participant

    Hi Abhishek,

    I am assuming that you will be getting an OAuth token (from some OAuth provider like Facebook) and you want to ensure that the user is verified and you receive an SSO token for the user, from OpenAM. Basically, authenticating a user in OpenAM against OAuth. Is that correct? Could you please add some more details to the requirement?

    #11811
     abhishek.dashin
    Participant

    Thanks for the reply. Here is what I am doing.

    1) Under the realm >> Agent >> OAuth2.0/OpenID Connect client I have configured an agent named Agent1.

    2) This is an OAuth2 client that uses access token issued by openam.

    3) We have an api which uses the openam rest endpoint to get the access token
    http://openam.example.com:8080/openam/oauth2/access_token
    The grant type is password and we are also passing the client_id in the Authorization header param.

    4) Now, once we have got this token, at some point we want to get an SSO from that access token.
    The reason for doing it is that all our authorization is based on OpenAM policies, and to invoke and run the
    policy engine we need to pass the SSO. Here I am stuck as I don't know how to get the SSO in exchange for this access token.

    #18145
     vteladev
    Participant

    Hi Abhishek,

    Were you able to figure out how you could obtain an SSOToken in exchange for an access_token?

    Please share the details if you were able to figure this out.

    Thanks in advance!!

    #18155
     abhishek.dashin
    Participant

    Hi,

    I was able to achieve it using a custom authentication module.

    This custom authentication module was serving the purpose of validating the access token. If the token is valid, then the authentication succeeds and OpenAM automatically returns the token as a response.

    Let me know if this helps. Cheers!

    #18171
     Peter Major
    Moderator

    OAuth2 is an *authorization* protocol, not authentication.
    OAuth2 access_tokens do not have to be tied to active sessions, because the token lifetime tends to be a lot greater than the session lifetime.
    Consider using OpenID Connect instead.

    #18207
     Bhanuprakash
    Participant

    @peter-major @tejansh we are using the Facebook Java SDK to get the access_token (Facebook) and the Facebook user profile (native mobile client).

    So can we exchange the Facebook access_token for an OpenAM (13.0) SSOToken (via the OpenAM Java or REST API)?
    If possible, please provide your suggestions on how to achieve this.

    Thanks,
    Bhanuprakash

    #18208
     Peter Major
    Moderator

    Have you looked at the social authentication feature introduced in OpenAM 13.0.0?

    #18219
     Bhanuprakash
    Participant

    @peter-major yes, we implemented Facebook social authentication in OpenAM (13) and it is successful from a browser.

    But in the case of a mobile device we have the Facebook Java SDK to get the user access_token from FB, and we would like to exchange it with OpenAM (13.0) to get the ssotoken for the user. Is it possible to exchange?

    or

    How can we implement Facebook authentication from a mobile native app (no browser)? Please provide your suggestions.

    Thanks,
    Bhanuprakash M

    #18236
     Peter Major
    Moderator

    You could write a custom authentication module that takes the oauth2 access token and then validates it with Facebook then.

    #18281
     Bhanuprakash
    Participant

    thanks @peter-major for your time.

    here is my requirement.

    1) Need to validate the access_token with Facebook.
    2) Reading the user profile from Facebook using the access_token.
    3) Checking the user's existence in OpenAM based on the FB user profile.

    If the user exists in OpenAM, then generate an OpenAM ssotoken for the user.
    or

    If the user does exist in OpenAM, then create the user in OpenIDM using the REST API (implicit livesync) and then generate an OpenAM ssotoken for him.

    So is it possible to accomplish the above steps in one custom auth module in OpenAM, or should we split the task into some code blocks?
    Please suggest the best/easiest way to accomplish this use case.

    Note: we have OpenIG in front of the OpenAM servers and OpenIDM servers.

    Thanks,
    Bhanuprakash M
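
The checks behind steps 1 to 3 above, as an added example that is not part of the thread and not OpenAM or Facebook code: it inspects a Facebook Graph API `debug_token` response and refuses tokens that are invalid, expired, or issued to a different app before any session is created. The function names, app id, user ids and directory are constructed for illustration, and Python is used only to show the decision logic.

```python
import json

class TokenRejected(Exception):
    """The access token must not be exchanged for a session."""

def facebook_user_from_debug_token(raw_json, expected_app_id, now, required_scopes=()):
    """Return the Facebook user id if the inspected token is acceptable for login."""
    try:
        data = json.loads(raw_json)["data"]
    except (ValueError, KeyError, TypeError) as exc:
        raise TokenRejected("malformed debug_token response") from exc
    if not isinstance(data, dict) or data.get("is_valid") is not True:
        raise TokenRejected("token is not valid")
    # A valid token that was issued to some other app must not log anyone in here.
    if str(data.get("app_id")) != str(expected_app_id):
        raise TokenRejected("token was issued to another application")
    # Conservative choice for this example: a token without a future expiry is refused.
    expires_at = data.get("expires_at")
    if not isinstance(expires_at, int) or expires_at <= now:
        raise TokenRejected("token is expired or has no expiry")
    missing = set(required_scopes) - set(data.get("scopes") or [])
    if missing:
        raise TokenRejected("missing scopes: " + ", ".join(sorted(missing)))
    user_id = data.get("user_id")
    if not user_id:
        raise TokenRejected("response carries no user_id")
    return str(user_id)

def next_step(fb_user_id, directory):
    """Step 3: log in a known user, otherwise hand off to provisioning."""
    local_uid = directory.get(fb_user_id)
    return ("login", local_uid) if local_uid else ("provision", fb_user_id)

# Constructed sample data (not real tokens, apps or users).
NOW = 1_700_000_000
OUR_APP_ID = "111111"
SAMPLE = json.dumps({"data": {
    "app_id": "111111", "type": "USER", "is_valid": True,
    "expires_at": NOW + 3600, "user_id": "1000001",
    "scopes": ["email", "public_profile"],
}})
DIRECTORY = {"1000001": "bjensen"}  # Facebook user id -> local uid

if __name__ == "__main__":
    uid = facebook_user_from_debug_token(SAMPLE, OUR_APP_ID, NOW, {"email"})
    print(next_step(uid, DIRECTORY))
```

The app id comparison is the check most often left out: without it, a token a user granted to any other Facebook app would be accepted as proof of identity.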

    #18286
     Peter Major
    Moderator

    You could write it as one authentication module, yes, but probably you should write it so that you can share code across your module and the OOTB available OAuth2 authentication module (in case you have to support browsers for authentication).

    #18290
     Bhanuprakash
    Participant

    Thank you so much @peter-major

    I'll try to create a custom auth module and I'll reach out to you if I see any problem.

    Can I take any OOTB auth module source code as a base for this new custom auth module? If yes, which one is closer to this?

    Please provide me any reference if possible.

    Once again Thanks for your Support.

    Bhanuprakash.

    #21300
     muunen
    Participant

    Hi,

    We also need to get SSO token from an OAuth2 access token.

    Currently we cache the relation between access_token and SSOToken for the OAuth2 authorization code flow in memory in the CustomScopeValidator, but we would like to have OpenAM highly available and thus we need a more sophisticated way to resolve this link. We need the SSOToken in the CustomScopeValidator because we have put additional properties on the OpenAM session.

    Is there any way to query for example all sessions and map this to SSO Token?

    @abhishek.dashin How exactly did you achieve this?

    Regards,
    Michel

Viewing 15 posts - 1 through 15 (of 17 total)
