OAuth2 authentication code for already logged in user
With an OAuth2 implementation (either developed in-house, or a 3rd party like Google, Facebook, Login With Amazon, etc.), is it possible to generate an authentication code on behalf of a user logged into a mobile app or web app without requiring any action from the user?

The typical flow to obtain the authentication code requires the user to authenticate and authorize the requested scope. But in this case, the user is already authenticated into the app, so I want to avoid requiring the user to log in again.

The authentication code is required for invoking an external third-party API that will eventually exchange the authentication code for refresh/access tokens. The backend system (associated with the API) needs to get its own refresh/access token based on the authentication code shared with it. This is not for a one-time use of the token; the system needs to have its own tokens for that logged in user, independent of the mobile client.

Ibo answered 20/2, 2020 at 6:53 Comment(5)
I'm doing some work with Alexa; I have a signed-in user, and when they want to link their account, I need to provide an Authorization Code for that user to the Alexa API. See: "The security provider that you use must ... provide a server-side API to get the authorization code for the user who is currently logged in to your app." (Step 6 -> How to do it) Photic
@DaveSalomon That's step 5, and basically the essence of my question. I don't see any documentation with auth providers like Google, Facebook, Login with Amazon, etc. that facilitates a server-side API to get the auth code using a customer identifier as a parameter. Only if the customer is prompted to log in through a web-based interface will the auth server provide the auth code. Ibo
Hi @WebUser, did you find a solution for this? I have exactly the same problem. I tried loading the authorization dialog within an iframe or with JavaScript, but without success. Eugeneeugenia
Hi, @jreid I have the same problem with the Alexa account linking process. Could you share your solution, please? Certified
@jreid I didn't find a solution for this yet. Ibo
It is possible to get a user token for another client. You do not need a new authentication code; you just call the token endpoint with some params. For example, in Keycloak this flow is called Token Exchange. You need to configure the clients in Keycloak, and then you can call the token endpoint with the access token you have.

{
  client_id: your client id,
  client_secret: your client secret,
  subject_token: token you have,
  audience: target client id,
  grant_type: urn:ietf:params:oauth:grant-type:token-exchange,
  requested_token_type: urn:ietf:params:oauth:token-type:refresh_token
}

You can read about this flow here: https://tools.ietf.org/id/draft-ietf-oauth-token-exchange-12.html

It is also called On-Behalf-Of flow like in Azure: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow

Novick answered 20/2, 2020 at 9:28 Comment(5)
Actually, in this case, I specifically need an authorization code to be generated, associated with the same auth server, for the logged-in user. I am not trying to get user tokens for another client. Ibo
Now I don't understand what you actually need. You have an access token, ID token and refresh token, but you want a new authorization code to get new ones? Novick
Yes, that's right: the authorization code is needed to give to a third-party API so it can be used by their system to obtain tokens for the user. Ibo
So why don't you give it the tokens you have? If you want new tokens you can get them with the refresh token. Novick
Because the system (associated with the 3rd party API) needs to get its own refresh/access token based on the authentication code shared with it. This is not for a one-time use of the token; that system needs to have its own tokens for that logged-in user, independent of the mobile client. Ibo
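The request shape in the answer above, written out as an added example (not code from the answer or from Keycloak) against the RFC 8693 draft it links to: the parameters are form-encoded rather than JSON, the name on the wire is requested_token_type, and the reply must be checked before the returned value is used. The token URL, client credentials and the sample reply are constructed placeholders.

```python
import json
from urllib.parse import urlencode

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
TOKEN_TYPE_ACCESS = "urn:ietf:params:oauth:token-type:access_token"
TOKEN_TYPE_REFRESH = "urn:ietf:params:oauth:token-type:refresh_token"


def build_token_exchange_request(token_url, client_id, client_secret,
                                 subject_token, audience,
                                 requested_token_type=TOKEN_TYPE_REFRESH):
    """Return (url, headers, body) for the POST to the token endpoint.

    RFC 8693 parameters are form-encoded, not JSON; the parameter is
    spelled requested_token_type on the wire."""
    params = {
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "client_id": client_id,
        "client_secret": client_secret,
        "subject_token": subject_token,
        "subject_token_type": TOKEN_TYPE_ACCESS,  # the token we hold
        "audience": audience,
        "requested_token_type": requested_token_type,
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return token_url, headers, urlencode(params)


def parse_token_exchange_response(raw, requested_token_type):
    """Validate the JSON reply and return (token, issued_token_type).

    A refresh token arrives in the access_token field with issued_token_type
    naming it and token_type "N_A"; check the type before using the value."""
    body = json.loads(raw)
    if "error" in body:
        raise ValueError("token exchange failed: " + body["error"])
    for key in ("access_token", "issued_token_type", "token_type"):
        if key not in body:
            raise ValueError("response missing " + key)
    if body["issued_token_type"] != requested_token_type:
        raise ValueError("issued token type differs from the one requested")
    return body["access_token"], body["issued_token_type"]


# Constructed sample reply, shaped like a successful RFC 8693 response.
SAMPLE_RESPONSE = json.dumps({
    "access_token": "constructed-refresh-token-value",
    "issued_token_type": TOKEN_TYPE_REFRESH,
    "token_type": "N_A",
    "expires_in": 1800,
})
```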
If the authorization server is able to handle a session cookie (a kind of SSO), you could make a request through a Chrome Custom Tab or directly via the web browser to the "/authorize" endpoint and request a new authorization code.

Moslem answered 2/10, 2023 at 20:58 Comment(1)
Your answer could be improved with additional supporting information. Please edit to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers in the help center. Lipid
A user needs to explicitly grant the third-party app (your app) access to their account. If the user is logged in, and they've previously granted access to your app (and all the related scopes), then normally there is nothing the user needs to do.

But if they never allowed your app to access their account, this obviously will not work, as it would allow you unrestricted access to any authenticated account.

Ki answered 3/10, 2023 at 5:39 Comment(0)
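To make the rule in this answer concrete, here is an added example (not code from the answer or from any real authorization server) of the /authorize decision an authorization server makes for a session that is already authenticated: the consent screen is skipped only when a prior grant covers every requested scope, and the code it then mints is random, short-lived, single-use and bound to the client and redirect URI. PRIOR_GRANTS, the session dict and the redirect registry are constructed stand-ins.

```python
import secrets
import time

# Constructed prior-consent store: user -> client_id -> scopes granted.
PRIOR_GRANTS = {
    "alice": {"partner-app": {"openid", "profile"}},
}
CODE_TTL_SECONDS = 60


def consent_needed(user, client_id, requested_scopes, grants=PRIOR_GRANTS):
    """True if the user must be shown a consent prompt for this request."""
    granted = grants.get(user, {}).get(client_id, set())
    return not set(requested_scopes) <= granted


def authorize(session, client_id, redirect_uri, requested_scopes,
              registered_redirects, grants=PRIOR_GRANTS, now=time.time):
    """Decide the /authorize outcome for an already-authenticated session.

    Returns ("login", None) without a session, ("consent", None) when the
    user must approve, or ("code", record) when a code is minted silently."""
    if not session.get("authenticated"):
        return ("login", None)
    if redirect_uri not in registered_redirects.get(client_id, ()):
        raise ValueError("redirect_uri not registered for client")
    user = session["user"]
    if consent_needed(user, client_id, requested_scopes, grants):
        return ("consent", None)
    # Random, short-lived, single-use and bound to the client and redirect
    # URI it was issued for; the token endpoint rechecks all of these.
    record = {
        "code": secrets.token_urlsafe(32),
        "user": user,
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": sorted(requested_scopes),
        "expires_at": now() + CODE_TTL_SECONDS,
        "used": False,
    }
    return ("code", record)


def redeem_code(record, client_id, redirect_uri, now=time.time):
    """Token-endpoint check: unused, unexpired, same client and URI."""
    if record["used"] or now() > record["expires_at"]:
        return None
    if record["client_id"] != client_id or record["redirect_uri"] != redirect_uri:
        return None
    record["used"] = True
    return {"sub": record["user"], "scope": record["scope"]}
```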

© 2022 - 2024 — McMap. All rights reserved.