Reputation: 7736
With an OAuth2 implementation (either developed in-house, or a 3rd party like Google, Facebook, Login With Amazon, etc.), is it possible to generate an authentication code on behalf of a user logged into a mobile app or web app without requiring any action from the user?
The typical flow to obtain the authentication code requires the user to authenticate and authorize the requested scope. But in this case, the user is already authenticated into the app, so I want to avoid requiring the user to log in again.
The authentication code is required for invoking an external third-party API that will eventually exchange the authentication code for refresh/access tokens. The backend system (associated with the API) needs to get its own refresh/access token based on the authentication code shared with it. This is not for a one-time use of the token; the system needs to have its own tokens for that logged-in user, independent of the mobile client.
Upvotes: 7
Views: 1837
Reputation: 99495
A user needs to explicitly grant the third party app (your app) access to their account. If the user is logged in, and they've previously granted access to your app (and all the related scopes) then normally there is nothing the user needs to do.
But if they never allowed your app to access their account, this obviously will not work, as it would allow you unrestricted access to any authenticated account.
Upvotes: 0
Reputation: 1
If the authorization server is able to handle session cookies (a kind of SSO), you could make a request through a Chrome Custom Tab or directly via the web browser to the "/authorize" endpoint and request a new authorization code.
Upvotes: 0
Reputation: 1192
It is possible to get a user token for another client. You do not need a new authentication code; you just call the token endpoint with some params. For example, in Keycloak this flow is called Token Exchange. You need to configure the clients in Keycloak and then you can call the token endpoint with the access token you have.
{
client_id: your client id,
client_secret: your client secret,
subject_token: token you have,
audience: target client id,
grant_type: urn:ietf:params:oauth:grant-type:token-exchange,
requested_token_type: urn:ietf:params:oauth:token-type:refresh_token
}
You can read about this flow here: https://tools.ietf.org/id/draft-ietf-oauth-token-exchange-12.html
It is also called On-Behalf-Of flow like in Azure: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow
Upvotes: 0
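The token-exchange call from the answer above, written out as an added example (not code from the answer or from Keycloak). It builds the RFC 8693 form body the backend posts with its own client credentials, and validates the JSON reply, rejecting an `error` response (which is what the authorization server returns when this client is not permitted to exchange for the requested audience) and a mismatched `issued_token_type`. The token URL, client ids and token strings are assumed placeholders.

```python
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Identifiers defined by the token-exchange draft / RFC 8693.
TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"
REFRESH_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:refresh_token"


def build_exchange_body(client_id, client_secret, subject_token, audience,
                        requested_token_type=REFRESH_TOKEN_TYPE):
    """Form-encode the token-exchange request from the answer.

    The backend authenticates as its *own* client and presents the user's
    existing access token as subject_token; no user interaction and no new
    authorization code are involved.
    """
    params = {
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "client_id": client_id,
        "client_secret": client_secret,
        "subject_token": subject_token,
        "subject_token_type": ACCESS_TOKEN_TYPE,
        "audience": audience,
        "requested_token_type": requested_token_type,
    }
    return urlencode(params).encode("utf-8")


def parse_exchange_response(body, expected_token_type):
    """Validate a token-exchange reply; raise rather than trust a bad one."""
    data = json.loads(body)
    if "error" in data:
        # e.g. access_denied: this client is not allowed to exchange for that audience
        raise RuntimeError(f"{data['error']}: {data.get('error_description', '')}")
    if data.get("issued_token_type") != expected_token_type:
        raise ValueError(f"unexpected issued_token_type {data.get('issued_token_type')!r}")
    if "access_token" not in data:
        raise ValueError("response lacks access_token")
    return data


def exchange_token(token_url, **kwargs):
    """POST the exchange to the server's token endpoint and validate the reply."""
    req = Request(token_url, data=build_exchange_body(**kwargs),
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urlopen(req) as resp:
        expected = kwargs.get("requested_token_type", REFRESH_TOKEN_TYPE)
        return parse_exchange_response(resp.read(), expected)
```

For Keycloak the token URL is the realm's `/protocol/openid-connect/token` endpoint; the exchange succeeds only for clients the realm has been configured to permit, as the answer notes.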