Log Auth event from HttpServletRequest - servlets

I want to log details of auth event through HttpServletRequest.
For eg :INFO 2020-01-01 12:00:01 user.id="John Doe" evt.category="authentication" evt.name="google auth" evt.outcome="fail" network.client.ip=1.2.3.4 pingfed.cause="access_denied".
Could you please help me with parameters I can use to get these details from the request? Thanks

Related

Missing "emailAddress" in response for some users

My app is using linkedin as oauthd login method. For some of users there is no valid response when I'm trying to fetch email address (https://learn.microsoft.com/en-us/linkedin/shared/references/fields/basic-profile#email-fields)
Request:
GET https://api.linkedin.com/v2/emailAddress?q=members&projection=(elements*(handle~))
Response:
200 {"elements":[]}
^^^ missing email field
200 {"elements":[{"handle":"urn:li:emailAddress:472511033","handle!":{"message":"Downstream service returned an empty response for URN.","status":404}}]}
OK, but failed?
Normal response looks like this:
200 {"elements":[{"handle~":{"emailAddress":"XXX#XXX"},"handle":"urn:li:emailAddress:XXX"}]}
Is there any settings in linkedin profile that blocks requesting emailAddress?
I found in documentation that this is related to new users that was registered using phone.
The API call would return empty response body if the authenticated user was registered via phone number, and never added any primary email address into their LinkedIn account previously. The value of type is case sensitive, and can only be EMAIL in this case.
https://learn.microsoft.com/en-us/linkedin/shared/integrations/people/primary-contact-api#retrieve-email-address

ADFS 4.0 (2016) OpenID Connect userinfo endpoint returns 401 when provided with access token

Any ideas why this is. I have configured a Server Application and a Web API and an ID Token, Access Token & Refresh token is issued. However calling the userinfo endpoint return a 401 with the following header message:
WWW-Authenticate →Bearer error="invalid_token", error_description="MSIS9920: Received invalid UserInfo request. The access token in request is not valid."
The access token is valid according to http://jwt.io
eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IjVVbEw5a1JocDJNLUVzTDlBRDJOQ055aHZtdyJ9.eyJhdWQiOiJ1cm46bWljcm9zb2Z0OnVzZXJpbmZvIiwiaXNzIjoiaHR0cDovL3Rlc3Rsb2dpbi51bm9wcy5vcmcvYWRmcy9zZXJ2aWNlcy90cnVzdCIsImlhdCI6MTQ4NjYyOTUxOSwiZXhwIjoxNDg2NjMzMTE5LCJhcHB0eXBlIjoiQ29uZmlkZW50aWFsIiwiYXBwaWQiOiJrbnVkIiwiYXV0aG1ldGhvZCI6InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphYzpjbGFzc2VzOlBhc3N3b3JkUHJvdGVjdGVkVHJhbnNwb3J0IiwiYXV0aF90aW1lIjoiMjAxNy0wMi0wOVQwODozMjo1Ny4xNDZaIiwidmVyIjoiMS4wIiwic2NwIjoib3BlbmlkIiwic3ViIjoiM2krUGlyRncwSVlkdDVzTVNKQlpKbjVOTXZVWXZVdyt2WHI2Ujd1N0dBZz0ifQ.ajKtSk0xQE1crJkIA-lMLBZj2DtYE6xQo-Stmevh4pOGX17GEePbAFP-g6qPUwtGT_whVj74wRpSlyTBscp2JDsp_CW2E6BsTUI810S6jYRVjkYGxL1QcL1KoKJ8wyYKcxsCeOY2IUKNPnJOxV53Rs8E9EvJgjcsjTJHQw5Z_zC43dsTfCZvVfGrwJ3nn6BGxhIE_bEXvrWdgmg49V7-KK2kVDbDwJGr1iLpqU88-bkHdjGCIuc8XKX5pobWWlcyBmR_dpACM6Tu-d8jYJ_8mbof-eZrqn8YS61rgvRAhAAONyDklWcPgiYnhcMQVHZoCME-rVTjI6LDDY2czhL0rg
This question is asked long time ago but let me share my experience.
if you want to execute ADFS 4.0 userInfo endpoint(win server 2016) in a hope to get User profile but what i experienced is it return only Sub attribute
ex:
{
"sub": "MpR57wSIQz1kiR2uUMrkCQadbgDoztWmMV863Dugdso="
}
for anyone to try UserInfo endpoint you need to modify your application group, add api with Identitfier https://adfs.example.com/adfs/userinfo & at Client permission tab tick openId.
for execution of userinfo
Ex:
curl -X GET \
https://adfs.example.com/adfs/userinfo \
-H 'Authorization: Bearer ACCESS_TOKEN
Note: In your Acquire Accesstoken code you need to pass your resource = urn:microsoft:userinfo
The ADFS userinfo endpoint always returns the subject claim as
specified in the OpenID standards. AD FS does not provide additional
claims requested via the UserInfo endpoint. If you need additional
claims in ID token, refer to Custom ID Tokens in AD FS.
I've only done this once so I don't have much suggestions to make yet. So I cant make any suggested unless there is more detail.
You should try and get more evidence from the AD FS side. Enable debug logs using
wevtutil sl "ad fs tracing/debug" /l:5 /e:true
Do the repro and then disable logs as follows.
wevtutil sl "ad fs tracing/debug" /e:false
Then export the logs to view using
wevtutil epl "ad fs tracing/debug" c:\temp\userinfoerr.evtx
Open that event log in event viewer and have look and see what other errors are reported around validating the JWT.

Laravel Passport - Grant Type Not Supported

I have installed Laravel Passport per the documentation and I have modified all areas of my code that is required.
I am working on setting up Password Grant Tokens so that users will be able to get an API token when logging in with their username and password for the site. I am hitting an issue though when it comes to the grant_type.
For some reason Laravel is complaining about an invalid grant type.
{
"error": "unsupported_grant_type",
"message": "The authorization grant type is not supported by the authorization server.",
"hint": "Check the `grant_type` parameter"
}
These are the fields that I am posting to /oauth/token
client_id = 4
client_secret = SMiYE7XqDNtXKQnmkYmFnXxfAaV83vRhnJ9zwCtZ
username = jcrawford#domain.com
password = **************
grant_type = password
scope = *
I have run php artisan passport:install and I have also tried running php artisan passport:client --password
Both commands worked and both created the client and secrets, however, I cannot seem to get past the error about the grant_type.
Any suggestions on what I should look at to get this solved so that Password Grant Tokens will work for me?
It appears that you must send the parameters as form data and not in the headers like I was doing... Rookie Mistake!
I'm using Postman and I have put all parameters in Params. Postman shows the following response
{
"error": "unsupported_grant_type",
"message": "The authorization grant type is not supported by the authorization server.",
"hint": "Check the `grant_type` parameter"
}
Now I put all parameters in Body and then press the Send button, It's working well.
For me the problem was that i wasnt using Request $request, i was using RegisterRequest $request which i had created.
Initial URL
https://restfulapi.test/oauth/authorize?client_id=3&redirect_url=http://restfulapi.test?response_type=code
Solution
https://restfulapi.test/oauth/authorize?client_id=3&redirect_url=http://restfulapi.test&response_type=code
I had to replace the question mark before response_type with the &
Reading the Laravel documentation saved me a lot of stress. The oauth\token is used to retrieve token using the grant type specified, the route will return a JSON response containing access_token, refresh_token, and expires_in attributes. The expires_in attribute contains the number of seconds until the access token expires (ref) You are meant to
Install passport
Publish the service providers and migrations and migrate.
Setup a route for login/register to create an account and login.
In your User model, add HasApiTokens from use Laravel\Passport\HasApiTokens;
In your response in your login method, add the token as part of the response.
Test your response on postman

How to know if the oauth access token is expired

Description
In Web Api project template, after sending a POST request to the Token endpoint: www.mycoolwebsite.com/Token, we get a Json similar to this:
{
"access_token":"qkRwQD0A85...",
"token_type":"bearer",
"expires_in":14,
"userName":"admin#mycoolwebsite.com",
".issued":"Wed, 24 Feb 2016 18:15:53 GMT",
".expires":"Wed, 24 Feb 2016 18:16:08 GMT"
}
On the client side, (let say a mobile application) I am saving this json on a file, and to see if the token is expired, I compare DateTime.UtcNow to token's .expires key.
Question
Is this the correct way to see if an access token has expired?
If not, what is the best way check this?
I wouldn't check the access token's expiry time. Rather than build a mechanism to check the expiration time and handle it, why not just send the access token you have to the API and, if you get a 401 back, request a new access token. You'll have to build in logic to handle 401's anyway...why not rely on that instead?

Token Null in paypal expresscheckout

I am working with pay express checkout in asp.net(3.5 or 4.0) with website template.I have added its SOAP API reference from below mentioned URL:
https://www.sandbox.paypal.com/wsdl/PayPalSvc.wsdl. when I call setexpresscheckout method to get token value then it always return null as a token value and send token value in Any variable
which is useless for me.
if anyone can help me to get a token value in token property instead of Any property.Then Plz .......... do it fast

Resources