Basic auth in Postman not working for QuickPay API

Trying to test the QuickPay API using the basic auth token provided by them. Getting this error and it's not provided in the collection they provide how to use the basic auth token.
The token is not shown fully and I will re-generate it, which is why I am not afraid to show it here.

Related

.NET 5 Web API Jwt Token from external issuer

I'm trying to make a .NET 5 Web API work with a JWT Bearer token. I want some operations to be secured by using a token that comes from another issuer. The token would be generated by MS Azure AD. The application will read the token from the request header, validate it and extract the user's roles for more validations. The app shouldn't be the issuer of the token.
Is this possible? I tried so many ways to make this work without success. I set up Swagger to use OpenID Connect with Microsoft Azure and then the bearer is used to call the secured operations, but I always got errors. Now I don't understand how .NET Core Authentication and Authorization works.
Thanks in advance!
That will definitely work OK but requires an understanding of the science:
AZURE AD TOKENS
I would first look at the JWT in an online viewer. There is a known issue with the default setup where you get JWT access tokens that cannot be validated. See Step 3 of my blog post for details.
UNDERSTAND PRINCIPLES
Validating a JWT involves the general steps in this blog post. Once you understand this it will hopefully unblock you.
C# JWT ACCESS TOKEN VALIDATION IN APIs
The Microsoft framework often hides the required logic, which doesn't always help, and the option I prefer is to validate JWTs via a library.
Aim to understand how to use the JwtSecurityTokenHandler class to validate a JWT manually, e.g. in a console app. Maybe borrow some ideas from this C# code of mine.
C# AUTHORIZATION
Once JWT validation works, the next step is to use the details in the ClaimsPrincipal to determine whether to allow access to data. I would get on top of the JWT validation first though.

DocuSign - When a user gives consent, what is returned as Code parameter in the redirect URI?

I'm trying to build JWT Grant flow in authentication using Docusign APIs.
I usually get "invalid_grant" or "invalid_request" errors.
The redirect uri is returned with a code parameter and a jwt token.
What I understood is that I need to create a JWT at my server to further utilise that for authentication, and the structure of this JWT does not utilise that code parameter either.
I need to use the User:lists API to get the GUUID of the user who just gave my server consent using the email address.
And then use that GUUID for creating our JWT, which will now work?
But in all this we are not using the JWT returned in the code parameter.
Why is it there? It is confusing.
When using the JWT grant auth method, you will be ignoring the code that is returned in your callback URL after user grants the permissions.
I understand that may be confusing but think of that step as "User granting permission to required scopes". If you were using the auth code grant flow, you'd be using the code returned to your callback URL to complete the auth and get the access token.
However, in the case of JWT grant you will ignore that code and you will create a signed payload to get a token as described here: https://developers.docusign.com/platform/auth/jwt/

Firebase authentication error with custom token

I am trying to authenticate a user in Firebase with KakaoTalk credentials. For that, I've got an access token from KakaoTalk, and I am then trying to authenticate the user with that token. Here is my code:
String token = await kakaoService.getAccessToken();
await firebaseAuth.signInWithCustomToken(
  token: token,
);
Got an access token like this: nmAzFpOF9XrijP-ZoFpQbVluGZ4lLDbZxOCXIAo9c-sAAAFxrID6xA
But getting this error :
The custom token format is incorrect. Please check the documentation. [ Invalid assertion format. 3 dot separated segments required. ]
What's wrong here? Am I missing something?
Check out the Firebase documentation regarding the use of custom token: https://firebase.google.com/docs/auth/admin/create-custom-tokens#create_custom_tokens_using_a_third-party_jwt_library
Firebase needs to successfully decode the auth token your client submits then use its claims to validate access to your Firebase resources. As such, Firebase requires that custom tokens be formatted according to the rules spelled out in their docs. (They describe a very typical JSON Web Token.)
The access token you're getting from KakaoTalk does not follow Firebase's token rules so Firebase doesn't know what to do with it. I suggest you revisit the KakaoTalk docs to see if it can generate a standard RS256 JWT token with which Firebase can work.
It seems that the token returned by kakaoService.getAccessToken() is not a valid custom token for Firebase Authentication. In fact, given the error message, it doesn't even seem to be a JWT.
Custom tokens for Firebase Authentication must have a specific format, that is documented in creating custom tokens. You'll typically want to follow this process to get a valid token for Firebase Authentication:
1. Sign the user in to the identity provider (KakaoTalk in your case).
2. Decode the token from the provider, to get the verified information about the user.
3. Create a custom token for the user with the Firebase Authentication Admin SDK.
4. Use that token to sign in to Firebase on the client.
Steps 2 and 3 must happen in a trusted environment, such as your development machine, a server you control, or Cloud Functions.
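The difference between the provider's opaque access token and a Firebase custom token, as an added example that is not part of the original answers. It builds the token with Node's built-in crypto in the way the linked third-party-JWT documentation describes rather than with the Admin SDK; the service account e-mail, the `kakao:` uid prefix and the throwaway key pair are assumptions made so the block runs offline.

```javascript
// Added example, not the answerers' code. Runs on a trusted backend, never in the app.
const crypto = require('crypto');

// Audience required in a Firebase custom token, per the documentation linked above.
const FIREBASE_AUD =
  'https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit';

const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');

// A JWT is three base64url segments joined by dots; an opaque access token is not.
function looksLikeJwt(token) {
  return /^[\w-]+\.[\w-]+\.[\w-]+$/.test(String(token));
}

// Step 3: build and RS256-sign a custom token for a user the server has already
// verified with the provider (step 2). `serviceAccountEmail` and `privateKey`
// come from the Firebase service account; here they are constructed stand-ins.
function mintCustomToken(uid, serviceAccountEmail, privateKey, now = Math.floor(Date.now() / 1000)) {
  if (typeof uid !== 'string' || uid.length < 1 || uid.length > 128) {
    throw new Error('uid must be a string of 1 to 128 characters');
  }
  const payload = {
    iss: serviceAccountEmail,
    sub: serviceAccountEmail,
    aud: FIREBASE_AUD,
    iat: now,
    exp: now + 3600, // the maximum lifetime of a custom token is one hour
    uid,
  };
  const input = `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(payload)}`;
  const signature = crypto.sign('RSA-SHA256', Buffer.from(input), privateKey);
  return `${input}.${signature.toString('base64url')}`;
}

// Constructed demo: a throwaway key pair stands in for the service account key.
function demo() {
  const { privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const providerToken = 'opaque-access-token-from-provider'; // constructed sample
  const customToken = mintCustomToken('kakao:12345', 'sa@example-project.iam.gserviceaccount.com', privateKey);
  return { providerIsJwt: looksLikeJwt(providerToken), customIsJwt: looksLikeJwt(customToken) };
}
```

The private key never leaves the server; the client only receives the finished token and passes it to `signInWithCustomToken`.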

What is the advantage of a custom API in Auth0?

Question
I have a problem understanding some basic things about Auth0; probably someone can help me out.
In the tutorial SPA + API one of the first lines in the TL;DR is this:
Both the SPA and the API must be configured in the Auth0 Dashboard
I don't understand why I need to configure the API on Auth0. My code seems to work, so can anyone help me understand if I am doing something wrong or what the advantages are if I actually add a custom API in my dashboard?
Setup
SPA (React)
Auth0
REST API (ktor)
What I do
Created a SPA on Auth0
Login on my SPA through Auth0 to get a JWT (google token)
Sending the JWT as authentication bearer in my calls to the REST API
REST API verifies the JWT token with a JWK provider using the Auth0 url mydomain.eu.auth0.com/.well-known/jwks.json.
Authentication seems to work
Great question. I am assuming that your authentication request includes the audience parameter, which represents your custom API (REST API) right now. In OAuth2 terms, it is called a Resource Server. Each resource server can have many permissions, which you include in the scope when initiating the authentication request. Let's step back and talk about the token format. Auth0 issues tokens in two formats:
Opaque strings: When not using a custom API
JSON Web Tokens (JWTs): When using a custom API
https://auth0.com/docs/tokens/reference/access-token/access-token-formats#how-does-all-this-affect-the-token-format-
As explained in the above link, the token format depends on the audience (custom API) parameter. Therefore, when the authentication request includes an audience, Auth0 issues a JWT token with all necessary permissions. Then, you need to validate the JWT token in your API server before returning the resources to your front-end client.
It should make sense why you need to create a custom API in Auth0 and define permissions. If you do not create a custom API in Auth0, there is no way to know what kind of permission you need in the token, which will generate an error (invalid audience specified).
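What an API does with a JWT access token from an external issuer, as an added example that is not code from any of the posters or from Auth0; it applies equally to the Azure AD question further up the page. The issuer URL, audience value, `kid` and the space-separated `scope` claim are assumptions, and a locally generated key set stands in for the issuer's `jwks.json`.

```javascript
// Added example, not the posters' code. Uses only Node's built-in crypto.
const crypto = require('crypto');

const decodePart = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));

// Validate an RS256 JWT access token; returns its claims or throws with the reason.
// `jwks` is the parsed key set an API would fetch from the issuer's jwks.json.
function validateAccessToken(token, { jwks, issuer, audience, now = Math.floor(Date.now() / 1000) }) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('not a JWT (opaque token?)');
  const [h, p, s] = parts;
  const header = decodePart(h);
  // Pin the algorithm; the token must not choose how it is verified.
  if (header.alg !== 'RS256') throw new Error('unexpected alg');
  const jwk = jwks.keys.find((k) => k.kid === header.kid);
  if (!jwk) throw new Error('unknown kid');
  const publicKey = crypto.createPublicKey({ key: { kty: jwk.kty, n: jwk.n, e: jwk.e }, format: 'jwk' });
  const sigOk = crypto.verify('RSA-SHA256', Buffer.from(`${h}.${p}`), publicKey, Buffer.from(s, 'base64url'));
  if (!sigOk) throw new Error('bad signature');
  const claims = decodePart(p);
  if (claims.iss !== issuer) throw new Error('wrong issuer');
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(audience)) throw new Error('wrong audience');
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('expired');
  return claims;
}

// Authorization comes after validation: check the permission the route needs.
// Assumes permissions arrive as a space-separated `scope` claim.
const hasScope = (claims, scope) => String(claims.scope || '').split(' ').includes(scope);

// Constructed stand-in for the issuer, so the example runs offline.
function makeTestIssuer(kid = 'test-key-1') {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const jwks = { keys: [{ ...publicKey.export({ format: 'jwk' }), kid, use: 'sig' }] };
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  const sign = (claims) => {
    const input = `${enc({ alg: 'RS256', typ: 'JWT', kid })}.${enc(claims)}`;
    return `${input}.${crypto.sign('RSA-SHA256', Buffer.from(input), privateKey).toString('base64url')}`;
  };
  return { jwks, sign };
}

// Returns 'ok', or the reason the token was rejected.
function check(token, opts) {
  try { validateAccessToken(token, opts); return 'ok'; } catch (e) { return e.message; }
}
```

A token issued for a different audience fails the `aud` check even though its signature is valid, which is why the API has to be registered with the issuer under its own identifier.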

Using OAuth with Facebook as provider with an IBM Cloud Functions managed API

I am playing around with IBM Cloud Functions (OpenWhisk) and trying to set up authentication through OAuth with Facebook as the provider. I have set up an app with Facebook, I am able to successfully connect with this and fetch my token, and I am able to verify this by fetching basic profile information (name and userID).
My problem starts when I enable OAuth in the IBM Cloud Functions API. I get an HTTP code 500 back from the call with very little information about what actually went wrong.
{"code":500, "message":"Oops. Something went wrong. Check your URI and try again."}
The only thing that is stated in the dashboard is:
You can control access to your API through the OAuth 2.0 standard. First require an end user to log in via IBM Cloud App ID, Facebook, GitHub, or Google. Then include the corresponding OAuth token in the Authorization header of each API request. The authenticity of the token will be validated with the specified token provider. If the token is invalid, the request will be rejected and response code 401 will be returned.
With this information I got that I need to pass the token with the Authorization header. My best guess is that the call fails somewhere when the token is being validated.
I am using Vue and Vue-axios to perform the API call. My current call looks like this:
this.$http.get(API_URL + "?user_id=" + localStorage.user_id, { headers: { 'authorization': localStorage.token } }).then((response) => {
  console.log(response);
});
I have tried adding bearer/Bearer or token/Token in front of the token (some posts I read indicated that you should do this), but this had no impact on the response.
If I disable the OAuth authentication from the Cloud Functions side, the code above works and correctly retrieves the data (with or without the header option).
From the Chrome Dev tools it looks to me like the token is added correctly to the request, since the request headers have the Authorization header with the token.
I am not that familiar with OAuth or IBM Cloud Functions, so the problem might have a very easy fix. However, I am unable to find documentation which clearly shows me how I am supposed to set this up. I am also unable to find any logs or more information about what actually fails here. Am I missing something obvious here?
Kjetil