Add query parameters to the redirect URL in the Implicit Flow authorization process


During the process of authorising an application via Implicit Flow in Jasmin, is it possible to pass some extra information in the request so that it is included in the redirect URI when it is called?

I've tested with query parameters on the redirect URI itself, but Jasmin returns the message "invalid redirect uri", which leads me to assume that Jasmin makes a direct comparison between the address we pass and what is configured in Nitrogen.

The aim is to add some context to the process, to make it easier to map when the redirect is executed.

1 answer


The implicit authentication flow is meant for client applications that typically cannot safely keep the Client Secret because the code is all customer-friendly.

This flow accepts as parameters:

  • client_id: identifier provided by Nitrogen
  • redirect_uri: address to which the application should be redirected. Provided by Nitrogen
  • scope: scope defined for the application "Internal"

As for your problem: you cannot pass a redirect_uri other than the one you specified in the application log in Nitrogen, because the identity server will validate whether what you passed in the request is the same as the one associated with your application. It is a security issue.

  • In this case it makes no sense to use Implicit Flow, so I can only use Client Credentials since there are no more options. The problem in this case is that it requires a relatively large number of manual steps, such as associating the application to the subscription, copying the id and id Subscription, and making sure everything checks out. Is there no simpler alternative to authorize external applications to access my Jasmin subscription?

  • Without knowing what you want to do or the type of application, you should take into account that this flow exposes the secrets to users. It is a flow typically used in Machine-Machine scenarios.

  • What I want is relatively trivial: I have a service that I make available to Jasmin customers for process automation. For this I intend to use the Jasmin web API to read some information. To have access to this information you need to authorize my service to access your subscription. Neither Implicit Flow nor Client Credentials makes sense given what you've described, so what's left is Application Grant, which is not available. There is also the problem of knowing the subscription id and account id for the Web API, which are not available at any point in the process.

  • In parts: if you have a web app, the flow is the Implicit Flow. I don't understand how to pass more on the application. The goal is to be allowed to then do the applications to the application. A subscription id and account id should be configured in the app.
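
Added example (not part of the original question or answer, and not Jasmin code): it shows the exact-match `redirect_uri` check the answer describes, and one way to keep per-request context without altering `redirect_uri`, using the standard OAuth 2.0 `state` parameter. That the identity server returns `state` unchanged in the fragment is assumed here; the endpoint, client id, scope and URIs are placeholders.

```javascript
// Added example, not Jasmin code. Endpoint, client id, scope and URIs are placeholders.
const AUTHORIZE_ENDPOINT = "https://identity.example/connect/authorize";
const REGISTERED_REDIRECT_URI = "https://app.example/callback";

// What the answer describes: the requested redirect_uri must be identical to
// the registered one, so appending a query string makes the request fail.
function redirectUriAccepted(requested, registered = REGISTERED_REDIRECT_URI) {
  return requested === registered;
}

// Stand-in for sessionStorage: the context stays in the client, keyed by state.
const pending = new Map();

function newState() {
  const bytes = globalThis.crypto.getRandomValues(new Uint8Array(16));
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

// Build the authorization request with the redirect_uri left untouched.
function buildAuthorizeUrl(context, state = newState()) {
  pending.set(state, context);
  const url = new URL(AUTHORIZE_ENDPOINT);
  url.search = new URLSearchParams({
    response_type: "token",
    client_id: "placeholder-client-id",
    redirect_uri: REGISTERED_REDIRECT_URI,
    scope: "placeholder-scope",
    state,
  }).toString();
  return url.toString();
}

// Handle the redirect: the implicit flow returns its values in the URL fragment.
function handleCallback(callbackUrl) {
  const params = new URLSearchParams(new URL(callbackUrl).hash.slice(1));
  const state = params.get("state");
  if (!state || !pending.has(state)) throw new Error("unknown or missing state");
  const context = pending.get(state);
  pending.delete(state); // single use: a replayed callback is rejected
  return { accessToken: params.get("access_token"), context };
}
```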
