We need to allow our Flutter application to save a property in the user_metadata when the application starts.
As I understand this is a task to be done with the Management API and in order for the Flutter application to be able to write in the user_metadata the client has to request a Management API access token.
I found no information on how to request this token, the closest thing is this page in the documentation that has no example and no explanation on how to retrieve this token:
https://auth0.com/docs/secure/tokens/access-tokens/get-management-api-tokens-for-single-page-applications
Can anyone provide an example on how to request this token from a Flutter app?
Even a generic CURL request would be helpful to understand what endpoint to call with which parameters.
Error received when trying to access the Management API to update the user_metadata:
body{
"statusCode":400,
"error":"Bad Request",
"message":"Bad HTTP authentication header format",
"errorCode":"Bearer"
}
2 steps are needed:
Get the authentication token for management API:
sample curl:
curl --location --request POST "https://YOUR_AUTH0_DOMAIN/oauth/token" \
--header "content-type: application/json" \
--data-raw "{
\"grant_type\": \"client_credentials\",
\"audience\": \"https://YOUR_AUTH0_DOMAIN/api/v2/\",
\"client_id\": \"YOUR_AUTH0_APPLICATION_CLIENT_ID\",
\"client_secret\": \"YOUR_AUTH0_APPLICATION_CLIENT_SECRET\"
}"
call the management api to update app_metadata
sample curl:
curl --request PATCH \
--url 'https://YOUR_AUTH0_DOMAIN/api/v2/users/USER_ID' \
--header 'authorization: Bearer TOKEN_FROM_STEP_1' \
--header 'content-type: application/json' \
--data '{"email": "whatever#example.com", "user_metadata": {"hobby": "surfing"}, "app_metadata": {"plan": "full"}}'
Edit: Patch request with userID
REST: POST fails with CSRF enabled, though it works in POSTMAN.
I have added several headers like -H Set Cookie: JSESSIONID=xxxx along with -H X-CSRF-TOKEN: bbbb, -b cookies.txt after generating it. I would like to know what exactly has to be added to make the request work ?
I am trying to login to dcos-cli (OAuth enables).
When i type dcos auth login -> this gives me a URL
If i open the URL in browser and enter credentials a code (token) is being generated, using which i am able to log-in into the cli.
This has to be automated so i am sending a curl request
curl -s --data \
"grant_type=password&client_id=dcos&username=dcosuser&password=<>" \
-H "Content-Type: application/x-www-form-urlencoded" \
https://ip:port/auth/realms/DCOS/protocol/openid-connect/token \
| jq -r '.access_token'
But using this access token i am not able to login.
Can anyone please help.
Solved this by a java program which gets the access code from the keycloak-server .and then runs the dcos auth login.
The java code does a GET to https://<ip>/login?redirect_uri=urn:ietf:wg:oauth:2.0:oob
And then from the page extract the "action" attribute from the returned page and then from a POST request to the URL obtained from the "action" with other parameters like password.
Ex: https://<ip>:<port>/auth/realms/DCOS/login-actions/authenticate?code=erpkJ0BaLcp9VV2eTkY_a9xdpeNNzc375Ic7vHxhcMg.1b1461c6-51cd-484e-8c0e-a615600b7156&execution=8ad82be0-2471-40b1-b7e0-3192e0c8a381
Post parameters : username=dcosuser&password=<pass>&login=Log+in
Trying to test Uber Rush API (from localhost and from linux server).
Calling Token works - I get the token
trying to implement sanbox example:
curl -X "PUT /v1/sandbox/deliveries/{delivery_id}" \
-H "Authorization: Bearer <OAUTH TOKEN>" \
-d "{\"status\":\"en_route_to_pickup\"}"
with url https://sandbox-api.uber.com/
and I tried the same request with file_get_contents (in PHP)
So, I always get error "405 Method Not Allowed"
{"message":"Method not supported for this endpoint.","code":"method_not_allowed"}
What I need to do to get access to method from this sandbox example https://developer.uber.com/docs/rush/sandbox?
Corrent syntax
curl -X "PUT" -H "Authorization: Bearer <TOKEN>" -H "Content-Type: application/json" -d "{\"status\":\"en_route_to_pickup\"}" https://sandbox-api.uber.com/v1/sandbox/deliveries/DELIVERY_ID
EDIT: Updated to reflect both issues in your question...
You have a mismatch in your requests and an incorrect syntax for curl.
First off your CURL request is incorrectly specified. It should be:
curl -X "PUT" -H "Authorization: Bearer <OAUTH TOKEN>" -d "{\"status\":\"en_route_to_pickup\"}" https://sandbox-api.uber.com/v1/sandbox/deliveries/{delivery_id}
In addition, your curl command is trying to issue a PUT request to the uber sandbox PUT API. However, your PHP code is not setting the context correctly and so is probably issuing a GET request. I suspect that the server is therefore rejecting the request as a GET as not allowed to do this sort of operation.
To fix it, see Bad request using file_get_contents for PUT request in PHP. This should give you an example of how to pass in the necessary context to issue a PUT request using file_get_contents().
I am currently developing a REST-API which is HTTP-Basic protected for the development environment. As the real authentication is done via a token, I'm still trying to figure out, how to send two authorization headers.
I have tried this one:
curl -i http://dev.myapp.com/api/users \
-H "Authorization: Basic Ym9zY236Ym9zY28=" \
-H "Authorization: Bearer mytoken123"
I could for example disable the HTTP-Authentication for my IP but as I usually work in different environments with dynamic IPs, this is not a good solution. So am I missing something?
Try this one to push basic authentication at url:
curl -i http://username:password#dev.myapp.com/api/users -H "Authorization: Bearer mytoken123"
^^^^^^^^^^^^^^^^^^
If above one doesn't work, then you have nothing to do with it. So try the following alternates.
You can pass the token under another name. Because you are handling the authorization from your Application. So you can easily use this flexibility for this special purpose.
curl -i http://dev.myapp.com/api/users \
-H "Authorization: Basic Ym9zY236Ym9zY28=" \
-H "Application-Authorization: mytoken123"
Notice I have changed the header into Application-Authorization. So from your application catch the token under that header and process what you need to do.
Another thing you can do is, to pass the token through the POST parameters and grab the parameter's value from the Server side. For example passing token with curl post parameter:
-d "auth-token=mytoken123"
Standard (https://www.rfc-editor.org/rfc/rfc6750) says you can use:
Form-Encoded Body Parameter: Authorization: Bearer mytoken123
URI Query Parameter: access_token=mytoken123
So it's possible to pass many Bearer Token with URI, but doing this is discouraged (see section 5 in the standard).
If you are using a reverse proxy such as nginx in between, you could define a custom token, such as X-API-Token.
In nginx you would rewrite it for the upstream proxy (your rest api) to be just auth:
proxy_set_header Authorization $http_x_api_token;
... while nginx can use the original Authorization header to check HTTP AUth.
With nginx you can send both tokens like this (even though it's against the standard):
Authorization: Basic basic-token,Bearer bearer-token
This works as long as the basic token is first - nginx successfully forwards it to the application server.
And then you need to make sure your application can properly extract the Bearer from the above string.
I had a similar problem - authenticate device and user at device. I used a Cookie header alongside an Authorization: Bearer... header. One header authenticated the device, the other authenticated the user. I used a Cookie header because these are commonly used for authentication.
curl --anyauth
Tells curl to figure out authentication method by itself, and use the
most secure one the remote site claims to support. This is done by
first doing a request and checking the response- headers, thus
possibly inducing an extra network round-trip. This is used
instead of setting a specific authentication method, which you can
do with --basic, --digest, --ntlm, and
--negotiate.
There is another solution for testing APIs on development server.
Set HTTP Basic Authentication only for web routes
Leave all API routes free from authentication
Web server configuration for nginx and Laravel would be like this:
location /api {
try_files $uri $uri/ /index.php?$query_string;
}
location / {
try_files $uri $uri/ /index.php?$query_string;
auth_basic "Enter password";
auth_basic_user_file /path/to/.htpasswd;
}
Authorization: Bearer will do the job of defending the development server against web crawlers and other unwanted visitors.
You can use Body with x-www-form-url-encoded to send with multiple headers.
curl --location --request POST 'http://dev.myapp.com/api/users' \
--header 'Authorization: Basic Ym9zY236Ym9zY28=' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'access_token=mytoken123'