Get token for registered application in Azure AD from application outside AAD


Is it possible for a application on a local server (not in Azure meaning it has no ClientID/AppId) without possibility to consent (Client Credentials flow has to be used) to gain an access token for a API in Azure?

I have a the following,

  • An app service (API)
    • For this app service I’ve activated App service authentication with Azure AD and token store
    • This API is registered in app registrations for the tenant.
    • I’ve created an app-role in the manifest of the API.
{         "allowedMemberTypes": [             "Application"         ],         "description": "Allow the application to use the API.",         "displayName": "Full access to API",         "id": "some guid - which has a value just not showing it",         "isEnabled": true,         "lang": null,         "origin": "Application",         "value": "WebAPI.Use.All" } 
  • An Application which is not part of the tenant and is hosted on a local server. This application have no GUI or possibility to consent.

What i want

  • Be able to from the application on the local server to get an access token for the API i Azure.

I have tested the following

  • Created a new app (dummyApp) and registered it in app registrations for the tenant.
    • For this dummyApp registration I’ve went to “API permissions”->”Add a permisison”->added application permission (app-role defined in manifest for the API).
    • Granted admin consent to dummyApp for the application permission above.
    • Using postman i can get a token successfully using OAuth2 with parameters
      • ClientId: dummyAppID
      • Scope: ApiID/.default


The local application don’t have an ClientId/AppId since it is not registered in Azure. I could create/register a dummyApp like i did above and require a token for that dummyApp from the local application. That would work but does not seem like the right thing to do since the token is then not made for the application that uses it.

From the documentation Microsoft docs i can see that the ClientId is required in the token request meaning since i don’t have one for the local application it should not be possible. I’m wondering if i’m missing something here or if it is truly not possible?

Как подключиться к группе вк по token?

Пытаюсь подключиться к группе вк вот так:

import vk_api from vk_api.bot_longpoll import VkBotLongPoll, VkBotEventType  session = vk_api.VkApi(token = 'da1a7d724884c8da') vk = session.get_api() bot_longpoll = VkBotLongPoll(session, '185') 

Но выдает вот такую ошибку

Traceback (most recent call last):   File "/111111111/", line 6, in <module>     bot_longpoll = VkBotLongPoll(session, '182442355')   File "\Python\lib\site-packages\vk_api\", line 207, in __init__     self.update_longpoll_server()   File "\Python\lib\site-packages\vk_api\", line 220, in update_longpoll_server     response = self.vk.method('groups.getLongPollServer', values)   File "\Python\lib\site-packages\vk_api\", line 636, in method     raise error vk_api.exceptions.ApiError: [15] Access denied: no access to call this method 

В чем проблема? До этого получалось от страницы подключаться, но недавно и со страницей стало происходить такое, хотя в коде подключения от страницы ни строчки не сменил.

Handling refresh token recovation

I’ve been implementing an authentication flow for an app that I’ve been making that uses JWTs. When a user is initially logged in or when they register (which immediately logs them in), I provide an access token and a refresh token. Access token expires every t hours but the refresh token never expires. I want to revoke the tokens when the user logs out.

One approach I’ve heard is that you can store a list of revoked tokens in a database and set a TTL on the document so that the database doesn’t consume too much space.

I’ve also thought about storing a list of active tokens in a database which is sort of the inverse of this but I’ve heard people say that this is a bad idea but it seems to me that it is the same as storing revoked tokens.

Why would you choose to store blacklisted tokens over storing active tokens? Both require a database search. Both remove the statelessness of JWTs.

Is a refresh token an entity or value object?

I have a User entity, which may have a RefreshToken (for authentication).


  • A refresh token doesn’t have “identity”, but is related to a single user – it is only valid for that user. In the db that means a foreign key to users table. In Entity Framework I can however model it as an “owned” type so that it’s part of the users table.
  • A refresh token can be revoked, i.e. deleted from the database
  • A refresh token can be renewed – at the domain level that means replacing the old with a new one, but at the db level that means simply updating the existing record (unless it’s an “owned” type in which case I’ll update the user record)

So, is the RefreshToken an entity or a value object?

no puedo ingresar a un a vista por error de token laravel 5.1

help ! no puedo ingresar a mi vista de reset para contraseñas estoy usan laravel 5.1 y el error q me sale es este

ErrorException in 799914cb6bd05b74dd298cd45e169be3 line 19: Undefined variable: token (View: C:\xampp\htdocs\laravel-imsur\resources\views\auth\reset.blade.php)

y mi reset. blade.php es este soy nuevo en lo que consierne laravel y ps no se que hacer

@extends(‘app’) @section(‘content’)

    <div class="contact-content">         <div class="top-header span_top">             <div class="logo">                 <a href="index.html"><img src="images/logo.png" alt="" /></a>                 <p>Movie Theater</p>             </div>         <div class="clearfix"></div>         </div>          <div class="main-contact">              <h3 class="head">CONTACT</h3>              <p>WE'RE ALWAYS HERE TO HELP YOU</p>              <div class="contact-form">                  {!!Form::open(['url' => '/password/reset'])!!}                     <div class="col-md-6 contact-left">                         {!!Form::hidden('token',$  token,null)!!}                          {!!Form::text('email',null,['value' => "{{old('email')}}"])!!}                          {!!Form::password('password')!!}                         {!!Form::password('password_confirmation')!!}                     </div>                      {!!Form::submit('Restablecer contraseña')!!}                  {!!Form::close()!!}             </div>         </div>     </div> @endsection 

Am I abusing my authorization token handler?


I have an authorization handler of the form:

Auth(AllowedGroups, Token) -> [Allow/Deny] 

Where the Token consist of the following tuple and its MAC tag.

TbsToken := (userid, usergroup, expiration) Token    := (TbsToken, MAC) 

The MAC key resides on the servers’ sides, and along with the authorization handler, is used for automatic authentication with server B once user is logged onto server A.

A while ago

Now server B gets the new function of serving objects to invitees that appear anonymous to the server. To determine which object to serve, 120-bit (padding-free in base32) random ID of the object is passed to the access point.

Along with the ID, is the said token with “userid” removed (because anonymous) and “usergroup” replaced with the object ID. And the authorization handler is reused and called as:

Auth(ID, ((anon, ID, future), MAC)) 

It raises an alarm in me because the “AllowedGroups” is now controlled by the client, but I cannot see obvious ways this leads to vulnerability.

Is the authorization handler call 1) useful but may need tweaking? 2) useless as ID is already random, or 3) a security concern that must be removed?

Does omniauth-linkedin-oauth2 ruby gem return the refresh token?

I’m using omniauth-linkedin-oauth2 gem but it doesn’t seem to return the refresh token, which I believe I need it to get a new token when the token is expired.

I debugged my app to see what the omniauth response provides me and I do not see a refresh token returned just the token and the expiry date.

Rails.application.config.middleware.use OmniAuth::Builder do   provider :linkedin, ENV['LINKEDIN_CONSUMER_KEY'], ENV['LINKEDIN_CONSUMER_SECRET'], {     :scope => ENV['LINKEDIN_SCOPES'],     :fields => ['id', 'first-name', 'last-name', 'picture-url']   } end 

I’d like to find out if the gem’s supposed to return the refresh token? Or does the gem issue me a new token? Or does it extend the expiry date for an existing token?

When is the $SPUrl Token Prefix Needed?

I have been doing some research and testing and found that the $ SPUrl tokens (e.g. ~site and ~sitecollection) can be used in various scenarios to reference the root of the current site or web. However, I cannot seem to find information on when the $ SPUrl prefix is required to reference these tokens.

For example, I know that when using a token like this in a CssRegistration control, we must use a syntax like so:

<SharePoint:CssRegistration ID="CssRegistration1" Name="<% $  SPUrl:~sitecollection/Style Library/custom.css %>" runat="server" /> 

However, I have also seen examples of using these tokens with a ScriptLink control that utilize the token with no $ SPUrl prefix (and no <% %> tags) as follows:

<SharePoint:ScriptLink Language="javascript" Name="~sitecollection/SiteScripts/custom.js" runat="server" Localizable="false" /> 

Can someone explain why the <% %> tags and $ SPUrl prefix are required in some situations but not others when using these tokens?

How to decrypt sensitive information with a token and a password

In a web app, it’s common practice to encrypt sensitive information against a user’s password. In this scenario, what’s how would you access/encrypt/decrypt that information using token based authentication?

If a user logs into the web app using their username/pw, which gives them access to their sensitive information, how do you create a token (say, for API access), to access/encrypt/decrypt that same information?