I wonder why the user credential is included in the request body when I authenticate the user's JWT using passport?
I suppose it's not safe to include the credential in the request? How can I exclude it?
After configuring a client named 'steeringclientui' in keycloak as in the picture below
when I am trying to access http://localhost:8080/realms/steeringappdev/protocol/openid-connect/auth?client_id=steeringclientui&response_type=code&scope=openid&redirect_url=http://localhost:8080/sample&state=asdasdas
I've got
I can access http://localhost:8080/realms/steeringappdev/.well-known/openid-configuration without any problem and the response is:
If more info is needed, please let me know.
See https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
You need the parameter redirect_uri (not redirect_url), and the value should be URL encoded. So the correct Authentication Request URL should be:
http://localhost:8080/realms/steeringappdev/protocol/openid-connect/auth?client_id=steeringclientui&response_type=code&scope=openid&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fsample&state=asdasdas
I have a login page, I get the user email and user password from the inputs.
I created a "fetch" in my JavaScript file, and sent the user email and user password to my backend.
Since there is indeed this email and password registered in my database, the backend returns my token inside a json.
This is my token:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJsb2NhbGhvc3QiLCJuYW1lIjoiVmluaWNpdXMiLCJlbWFpbCI6InZpbmljaXVzQGhvdG1haWwuY29tIn0=.YvasYRuuoreFzD5vzYJA5D33eDAyqcCDRWLu3ObRxkw=
I have my way to save it: I saved it in localStorage.
Now the user wants to use all the pages of the website, so I need to validate.
To do so, in the pages that need login, I created a new fetch and passed the token in the header, like this:
headers: { // fetch reads the option "headers"; a key named "header" is silently ignored
'Content-Type': 'application/json',
'Accept': 'application/json',
'Authorization': 'Bearer ' + localStorage.getItem("token")
}
Everything alright so far. However, I don't know what to do when the data gets to my backend. Can you please confirm if my guess is right?
-> My token hits the backend, so I do the "reverse", that is, I decode the token to get the user email and password
-> I check if the email and password matches those of my database
-> I also create a new "jwt signature" with the email and password to see if it matches the token's signature. I have to do it this way because signatures are hashes and a hash can't be undone.
-> After working, I return a json saying to my front-end that she/he is allowed and If I want to, I return some data of the user to use in my page too.
Is that right? If not, can you please explain to me in a simple way? I have some issues to learn, that's why I couldn't understand much when I read some texts about it.
Please read more about it here https://jwt.io/introduction.
Basically, the token is base64-encoded, so anyone can easily decode it and read the content. Therefore it shouldn't include the credentials but only the id that identifies the user (and extra data if needed). Then you can validate it using your secret key; this also depends on the algorithm you chose when issuing the token - here it is HS256.
The last part of the token after the dot (.) is the signature you need to validate. If it is correct then you know the token is valid and who the current user is from what you see inside the token.
For example if you want to use the HMAC SHA256 algorithm, the signature will be created in the following way:
HMACSHA256(
base64UrlEncode(header) + "." +
base64UrlEncode(payload),
secret)
Use the library that you use to issue the token to validate this, best to read its documentation.
For example, this is the content I decoded from your token:
{
"iss": "localhost",
"name": "Vinicius",
"email": "vinicius#hotmail.com"
}
So if you validated the signature you can believe that the user who is using this token is vinicius#hotmail.com
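To make the answer concrete, here is an added example (not code from the question or answer above) that does what it describes with the standard library: read the payload without any secret, and accept a token only when the HMAC-SHA256 over base64url(header).base64url(payload) matches the third segment. The secret, claims and helper names are constructed for this example.

```python
import base64
import hashlib
import hmac
import json


def b64url_decode(segment):
    """Decode base64url; tolerates both padded and unpadded segments."""
    segment = segment.rstrip("=")
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def read_payload(token):
    """No secret needed: the payload is only base64url-encoded, never encrypted."""
    return json.loads(b64url_decode(token.split(".")[1]))


def issue_hs256(payload, secret):
    """Sign exactly as the answer describes: HMAC-SHA256 over header.payload."""
    header_b64 = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload_b64 = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{b64url_encode(sig)}"


def verify_hs256(token, secret):
    """Return the payload when the signature is valid, otherwise None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
    except ValueError:  # covers bad base64 and bad JSON
        return None
    # Pin the algorithm the server issues with; never let the token choose it.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(payload_b64))
```

Only the signature check proves the claims were issued by your server; read_payload shows why a password inside the payload would be exposed to anyone holding the token.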
I have a big problem. I'm sending a request on postman. Then, the url is redirected. I can see the redirected url in Postman console. But I can't access it from the test tab. I need to access the redirected url because the token is generated here. I can do the same operation using the regular expression extractor in JMeter. But I can't do it in Postman. How can I do this in postman? Can you help me?
You can turn off redirects on a specific request (toggle Automatically follow redirects):
Then you can access the Location header contents through:
pm.response.headers.get('Location')
Following that, you can hit the redirect URL via sendRequest or saving the URL in a Postman variable and using setNextRequest.
I'm setting up oAuth generation in new testing software, Tosca. Tosca can only handle API calls with raw body types. I need to convert below x-www-form-urlencoded payload to plain/text. The request is denied with "developerMessage": "The authentication service denied the request".
I have tried changing all of the ":"'s to "=" and all linebreaks to "&." Which has worked for converting other x-www-form-urlencoded payloads to plain/text. I have removed our client_id and client_secret and added them to basic auth. I have removed any and all special characters and spaces from the body and still getting error.
scope:openid
realm:employer
auth_method:cleartrust
auth_id_user_token:A+B/C/D==
nonce:cd
identity_method:air
response_type:id_token token
grant_type:password
which I changed to
scope=openid&realm=employer&auth_method=cleartrust&auth_id_user_token=A+B/C/D==&nonce=cd&identity_method=air&response_type=id_token token&grant_type=password
The plain/text api call should get a successful response and bring back oAuth token.
Full disclosure: I work for Tricentis in the Support Department.
Tosca's API Engine can also handle url-encoded payloads. See this manual page for an example screenshot: https://support.tricentis.com/community/manuals_detail.do?lang=en&version=12.3.0&url=engines_3.0/api/api_create_url-encoded.htm
Additionally, please follow these steps:
In the Technical View tab, open the Headers pane on the right-hand side. There enter a Content-Type header param with value application/x-www-form-urlencoded.
In the Auth tab, select Basic Auth as the method and use the client_id as the username and the client_secret as the password. Tick the checkbox Pre-authenticate.
In the Payload tab, you can enter the url-encoded payload required by your web service. Since you use grant_type = password, the payload has to include at least the string grant_type=password&username=someUsername&password=somePassword
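The hand-converted body in the question keeps the raw characters +, /, = and a space inside values, and a form-decoding server reads "+" as a space. This added example (not from the question or the answer; field values are the question's placeholders, copied here as constructed sample data) encodes the same fields properly and shows which field the hand-written body corrupts.

```python
from urllib.parse import parse_qs, urlencode

# Constructed copy of the fields from the question, in the original order.
FIELDS = {
    "scope": "openid",
    "realm": "employer",
    "auth_method": "cleartrust",
    "auth_id_user_token": "A+B/C/D==",
    "nonce": "cd",
    "identity_method": "air",
    "response_type": "id_token token",
    "grant_type": "password",
}

# The body as it was rewritten by hand in the question (colons to "=", newlines to "&").
HAND_WRITTEN = (
    "scope=openid&realm=employer&auth_method=cleartrust&auth_id_user_token=A+B/C/D=="
    "&nonce=cd&identity_method=air&response_type=id_token token&grant_type=password"
)


def encode_form_body(fields):
    """Percent-encode name/value pairs as application/x-www-form-urlencoded."""
    return urlencode(fields)


def decode_form_body(body):
    """Decode the way a server does ('+' becomes a space, %XX is unescaped)."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def round_trip_damage(fields, body):
    """Map each field the server would read differently to the value it would see."""
    seen = decode_form_body(body)
    return {k: seen.get(k) for k, v in fields.items() if seen.get(k) != v}
```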
I'm trying to connect via LinkedIn OAuth2 from a Java web application:
1. Added my own app in LinkedIn.
2. Generate the authorization URL: https://www.linkedin.com/uas/oauth2/authorization?response_type=code&client_id=XXX&scope=r_basicprofile%20r_fullprofile%20r_emailaddress&state=DCEEFWF454Us5dffef424&redirect_uri=http://localhost:9090/springmvc/token.htm
3. Introduce my login/password for LinkedIn in the new popup.
4. Get back the successful request on the previous redirect_uri, and take the authorization code "code".
5. Generate the accessToken URL.
6. Make a POST with: https://www.linkedin.com/uas/oauth2/accessToken?grant_type=authorization_code&code=YYY&redirect_uri=http://localhost:9090/SpringMVC/token.htm&client_id=XXX&client_secret=ZZZ
7. Get the next error in the response: {"error_description":"missing required parameters, includes an invalid parameter value, parameter more than once. : Unable to retrieve access token : appId or redirect uri does not match authorization code or authorization code expired","error":"invalid_request"}
I've verified the URL parameters are correct:
- "code" is the token received in step 4.
- "redirect_uri" is the same URL in steps 2 and 4. I added this URL in the section "OAuth 2.0 redirect URL" on my app.
- "client_id" and "client_secret" are the "Client API" and "Secret API" on my app.
- Time between the first and second request is less than 20 seconds.
The value of your redirect_uri parameter must be URL-encoded, so at step 6 do:
https://www.linkedin.com/uas/oauth2/accessToken?grant_type=authorization_code&code=YYY&redirect_uri=http%3A%2F%2Flocalhost%3A9090%2FSpringMVC%2Ftoken.htm&client_id=XXX&client_secret=ZZZ
and it need not be sent as a POST, but can be sent as a GET.
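The Keycloak answer earlier on this page and this LinkedIn answer fail for the same two reasons: a misspelled parameter name and an unencoded redirect_uri. This added example (not from either answer) builds an OpenID Connect Authentication Request with every value percent-encoded and checks a hand-built URL for those mistakes; the endpoint and parameter values in the test are the ones quoted on this page, and the checker's rules are assumptions drawn from the answers.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit

# Parameters OpenID Connect Core 1.0 (section 3.1.2.1) requires in an Authentication Request.
REQUIRED = ("scope", "response_type", "client_id", "redirect_uri")


def build_authorization_url(endpoint, client_id, redirect_uri, state, scope="openid"):
    """Assemble a code-flow Authentication Request; urlencode percent-encodes every value."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "scope": scope,
        "redirect_uri": redirect_uri,
        "state": state,
    }
    return f"{endpoint}?{urlencode(params)}"


def check_authorization_url(url):
    """Return the problems found in a hand-built Authentication Request URL ([] means none)."""
    query = urlsplit(url).query
    names = [name for name, _ in parse_qsl(query, keep_blank_values=True)]
    problems = []
    for name in REQUIRED:
        if name not in names:
            problems.append(f"missing required parameter {name}")
    if "redirect_url" in names:
        problems.append("redirect_url is not an OIDC parameter; the name is redirect_uri")
    for name in sorted(set(names)):
        if names.count(name) > 1:
            problems.append(f"parameter {name} appears more than once")
    # Inspect the raw text: an encoded redirect_uri carries %3A and %2F, never ':' or '/'.
    for raw in query.split("&"):
        name, _, value = raw.partition("=")
        if name == "redirect_uri" and (":" in value or "/" in value):
            problems.append("redirect_uri value is not percent-encoded")
    return problems
```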
If you are sending a request for an access token, it must be a POST request.
Refer to the OAuth documentation.
I actually copied the whole URL from my Eclipse console to the URL bar and it is still valid.
In your case the problem is with URL encoding, as HanZ said.
You have to encode your URL for the POST request.
I too got bugged by this issue for a long time. Please keep a few things in mind which I did and eventually sorted it out.
Hit the API to get the authorization code using a GET request.
The authorization code has a life span of about 20 seconds, so it's difficult to manually copy the code from the URL and make a request for the access token. You should do it programmatically.
Make a POST request to get the access token.
Most important: old LinkedIn applications that I had created were not working and gave the above error. Create a new LinkedIn application and try. Doing this worked for me.
I assume that all the other parameters like client_id, secret and redirect_uri are correct.
Please try and let us know.
Thanks.