12 Replies Latest reply on May 31, 2017 8:29 AM by ryanrutan

    OAuth2 authorization process always ask for grant permissions

    flabastia

      I implemented the login process on my site using the Jive OAuth service. I have an Add-on on Jive that gives me the clientId and clientSecret. The first time a user tries to log in on my site using Jive, it works as expected:

      - If the user is not connected on Jive, a credentials screen is prompted;

      - After that Jive asks the user to grant permissions;

      - The user is redirected back to my site.

      This is fine! The problem is that the next times the same user logs in with Jive, it still asks for grant permission. In the "Apps management" section in Jive, I can see that it creates a new access token every time the user logs in.


      The response_type used in the authorization request is "code".

        • Re: OAuth2 authorization process always ask for grant permissions

          Question... where are you storing the Access Token once you receive it?  You should use that token whenever possible, and then if the service responds with a 403 or something similar you use the refreshToken protocol.

          It sounds like the code may not be switching states based on the data that you have and/or the values you are passing in are not correct.  Any more details you can share?

            • Re: OAuth2 authorization process always ask for grant permissions
              flabastia

              The Access Token is stored in the DB. Once the user authenticates in our system with Jive, we use the Access Token to make requests on the Jive API. The problem is, when the user comes back to our site, logs off and tries to log in again with the Jive login option, it generates a new Access Token.

              We don't know which Access Token stored in the DB to pick before the user authenticates, makes sense?

              • Re: Re: OAuth2 authorization process always ask for grant permissions
                flabastia

                The core issue is that when a user is authenticated using Jive credentials with an external application, a returning user can be given a new Access Token for the same application, even if the user has previously logged in through the Jive API.

                The Jive REST endpoint we are using now is: https://sandbox.jiveon.com/oauth2/authorize?client_id=XXXXX&response_type=code&redirect_uri=XXXX&state=XXXX

                Scenario: New User to External Application (Expected Behavior)

                When a new user tries to log in to an external application we use the Jive API to authenticate the user, get his Jive profile data and create the user on the external application. This behaves as expected.

                Scenario: Returning User to External Application (Expected Behavior)

                This is the desired flow when the user returns to the external application:

                [image: Jive-authorization-process-success.png]

                Scenario: Returning User to External Application (Actual Behavior - Jive always asks for user grant permission AND creates a new access token).

                This causes our external application to force a re-authentication through Jive.

                [image: Jive-authorization-process-failure.png]
                  • Re: Re: OAuth2 authorization process always ask for grant permissions

                    I think you are making the wrong assumption about the https://sandbox.jiveon.com/oauth2/authorize call. This is meant to get a new code for generating an access token, not to get a new access token.

                    Still, I don't think you can do what you are trying to do with the current auth flow in Jive.

                      • Re: OAuth2 authorization process always ask for grant permissions
                        yared

                        (replying on behalf of Felipe)

                        In this scenario our app is trying to use Jive as an OAuth server so that users will be able to log in to our application using their Jive account. We used the steps below as explained in OAuth 2.0, and the implementation works fine.

                        The question we have is about step 5 below: is it possible to bypass the authorization screen (allow or deny) if a user has already allowed access before?

                        Obtaining an Access Token using Authorization Code Grant

                        The implementation is as per the specification. Once an add-on has been installed from the registry (or during development uploaded to a Jive instance from the Add-ons menu), in general:

                        1. The user logs in to the client's web application in a browser.
                        2. The client redirects the user to Jive's authorization end-point, typically in a new smaller browser window, which is <jive-url>/oauth2/authorize
                        3. The client includes the required parameters client_id=<client_id>&response_type=code and any optional parameters: scope, state or redirect_uri.
                        4. If the browser doesn't have a logged-in session for Jive, Jive asks the user to log in first.
                        5. Jive presents an authorization screen asking the user to allow or deny the authorization grant (the scope is not shown to the user at this time).
                        6. Assuming the user allows authorization, Jive redirects the user back to the redirect_uri (if it was sent to the authorization end-point) or to the redirect_uri provided in the add-on.
                        7. A short-lived authorization code is attached as a query parameter to the redirect URL, along with the state parameter if it was provided earlier, e.g.: https://client.application.com/oauth2/redirect?code=<authz_code>
                        8. The client makes a POST request to the token end-point, authorizing the request using the client credentials. In curl this would be:
                          curl -u 'mqi3a01xvyubsp585hdeqtry8vqbi5j1.i:e692pxphtzyq2nn75htldedoqzog2atk.s' -d 'code=ee3q0hlz6jr8oqwt0qojo4x79mnwuk1q.c&grant_type=authorization_code&client_id=mqi3a01xvyubsp585hdeqtry8vqbi5j1.i' <jive-url>/oauth2/token
                        9. Jive responds with, e.g.: {"scope":"uri:/api","token_type":"bearer","expires_in":"172799","refresh_token":"6i85jzwkwpjfkllhrdtqzlownvr55lh0b2k39mwu.r","access_token":"9dqwqywtar14ikpljs4s53bu7qat9qi8agltxttm.t"}


                        Thanks
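                        As an added client-side sketch of steps 2 to 9 above, plus the per-user token gating asked about earlier in the thread (not code from Jive or from anyone in this thread; the Jive URL, client id, redirect URI and user id are placeholders, and the token JSON is the sample reply from step 9): the state value is checked on the callback, the token request mirrors the curl command, and the authorize endpoint is only hit when no token is stored for the user.

```python
import base64, json, secrets, time
from urllib.parse import parse_qs, urlencode, urlparse

def build_authorize_url(jive_url, client_id, redirect_uri):
    """Steps 2-3: build the /oauth2/authorize URL with a fresh random state."""
    # state is a per-request nonce the client keeps in the browser session;
    # it lets the callback be tied to the request that started it (CSRF check)
    state = secrets.token_urlsafe(16)
    params = {"client_id": client_id, "response_type": "code",
              "redirect_uri": redirect_uri, "state": state}
    return f"{jive_url}/oauth2/authorize?{urlencode(params)}", state

def parse_callback(redirect_url, expected_state):
    """Step 7: extract the short-lived code; refuse a callback with the wrong state."""
    qs = parse_qs(urlparse(redirect_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback not tied to our authorize request")
    return qs["code"][0]

def build_token_request(jive_url, client_id, client_secret, code):
    """Step 8: the request the curl command above sends, as (url, headers, body)."""
    # curl -u 'id:secret' sends HTTP Basic auth; -d sends a form-encoded body
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urlencode({"code": code, "grant_type": "authorization_code",
                      "client_id": client_id})
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    return f"{jive_url}/oauth2/token", headers, body

class TokenStore:
    """Per-user record of the step 9 reply; start the grant only when nothing is stored."""
    def __init__(self):
        self._tokens = {}  # stand-in for the DB table the thread mentions
    def save(self, user_id, token_json, now=None):
        now = time.time() if now is None else now
        tok = json.loads(token_json)
        tok["expires_at"] = now + int(tok["expires_in"])  # expires_in is a string
        self._tokens[user_id] = tok
    def needs_authorization(self, user_id):
        return user_id not in self._tokens
    def bearer(self, user_id, now=None):
        """Access token to send, or None when it has expired and a refresh is due."""
        now = time.time() if now is None else now
        tok = self._tokens[user_id]
        if now >= tok["expires_at"]:
            return None
        return tok["access_token"]
```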

                          • Re: OAuth2 authorization process always ask for grant permissions

                            Again, it looks like your application is not gating the experience.  If you send a link to authorize OAuth to that service, you will get a new access token.  Your application needs to know that a token has already been collected and not initiate that flow when it already has a token.  You can use ExtPros / PrivateProps on the User to flag the user as already having a token once you obtain and store it.


                            Hope that helps.

                              • Re: OAuth2 authorization process always ask for grant permissions
                                flabastia

                                Ryan,

                                I understand your point. The thing is that our application can't know if a token has already been collected for a non-logged-in user who is trying to log in using his Jive credentials. We can only know the user's identity after Jive authenticates him and sends this information back to us, and every time this happens Jive shows the authorization grant screen.

                                  • Re: OAuth2 authorization process always ask for grant permissions

                                    As mentioned before, it seems that you are trying to use Jive as a login provider, similar to a "Login via Facebook, Google, Yammer".


                                    This type of scenario is not something that Jive supports currently, afaik.

                                      • Re: Re: OAuth2 authorization process always ask for grant permissions
                                        d.negrier

                                        Hey Nils,

                                        Sorry to revive this thread, but I have the exact same problem as @flabastia.

                                        It took me a while to understand what is going on, but reading Ryan's comments, I think I get it. What you are saying is that your implementation of the Authorization Code Grant is meant to be used ONLY when someone has an account in another application and wants to link it to Jive. In that case, the OAuth2 process can be performed only once and the generated token can be regularly refreshed if it comes to expire.

                                        The thing is that all the other servers implementing the Authorization Code Grant I've come to work with also allow using the server as a "login provider". And it is kind of upsetting to spend several days working on integrating Jive as a login provider to finally find out that Jive's "Authorization Code Grant" implementation does not fully support it.

                                        Is there any plan to add this possibility any time in the future? This would be very valuable for us, as this is a nice way to extend a Jive application with a custom web app and to seamlessly stay logged in through the process.

                                        If there is no plan to add this in the future, I would strongly recommend that you change your documentation here (OAuth 2.0) and add a paragraph explaining that the "Authorization Code Grant" cannot completely be used as a login provider (because this is something most people will assume).

                                        Thanks in advance for your answer!
                            • Re: OAuth2 authorization process always ask for grant permissions
                              tirapareddy.tondapu@eidiko.com

                              Hi Ryan,

                              I have a question related to Jive OAuth2.0: does Jive OAuth2.0 support global authorization? I mean, I've uploaded an Add-on on my Jive instance, say "my.jiveon.com", so any user from "my.jiveon.com" is able to generate an access token from my OAuth client, but when any user from another Jive instance (say "other.jiveon.com") tries to generate a code, it gives them "invalid_client_id, please contact your admin".

                              Does it support global authorization or not?

                              Thanks & Regards,

                              Tirapa Reddy Tondapu