The Uber API Is asking for Scopes but I cannot request full access or select the scopes - uber-api

When I'm trying to create a token to use the API, I do not have the required scopes, nor the option to request them.
{"code":"unauthorized","message":"This endpoint requires at least one of the following scopes: ride_request.estimate, profile"}
Error when trying to generate the token
Dashboard without the option for scopes selection

Related

DocuSign - When a user gives consent, what is returned as Code parameter in the redirect URI?

I'm trying to build the JWT Grant flow for authentication using the DocuSign APIs.
I usually get "invalid_grant" or "invalid_request" errors.
The redirect URI is returned with a code parameter and a JWT token.
What I understood is that I need to create a JWT on my server and use it for authentication, and the structure of this JWT does not use that code parameter either.
I need to use the User:lists API to get the GUID of the user who just gave my server consent, using the email address.
And then use that GUID for creating our JWT, which will now work?
But in all this we are not using the JWT returned in the code parameter.
Why is it there? It is confusing.
When using the JWT grant auth method, you will be ignoring the code that is returned in your callback URL after the user grants the permissions.
I understand that may be confusing but think of that step as "User granting permission to required scopes". If you were using the auth code grant flow, you'd be using the code returned to your callback URL to complete the auth and get the access token.
However, in the case of JWT grant you will ignore that code and you will create a signed payload to get a token as described here: https://developers.docusign.com/platform/auth/jwt/
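The signed payload described in the answer above, as an added example that is not part of the original post and is not DocuSign's code. The integration key and user GUID are placeholders, the key pair is generated on the spot, and the `aud` host and `scope` string are assumptions to check against the linked documentation.

```javascript
const crypto = require('crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');

// Build and sign the JWT that replaces the authorization code in the JWT grant.
function buildAssertion({ integrationKey, userGuid, privateKey, now = Date.now() }) {
  const iat = Math.floor(now / 1000);
  const header = { alg: 'RS256', typ: 'JWT' };
  const claims = {
    iss: integrationKey,            // the application asking for the token
    sub: userGuid,                  // GUID of the user who granted consent
    aud: 'account-d.docusign.com',  // assumed demo auth host
    iat,
    exp: iat + 3600,                // short-lived: one hour
    scope: 'signature impersonation',
  };
  const signingInput = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  const signature = crypto.sign('RSA-SHA256', Buffer.from(signingInput), privateKey);
  return `${signingInput}.${b64url(signature)}`;
}

// Form body for the token endpoint. The callback's `code` value never appears.
function tokenRequestBody(assertion) {
  return new URLSearchParams({
    grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer',
    assertion,
  }).toString();
}

// What the authorization server does on receipt: check the signature against
// the public key registered for the app, then read the claims.
function verifyAssertion(jwt, publicKey) {
  const [h, p, s] = jwt.split('.');
  const ok = crypto.verify('RSA-SHA256', Buffer.from(`${h}.${p}`), publicKey,
    Buffer.from(s, 'base64url'));
  return ok ? JSON.parse(Buffer.from(p, 'base64url').toString()) : null;
}

// Constructed demo values; a real private key comes from the app's settings.
const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const demoJwt = buildAssertion({
  integrationKey: 'INTEGRATION_KEY_PLACEHOLDER',
  userGuid: 'USER_GUID_PLACEHOLDER',
  privateKey,
});
console.log(tokenRequestBody(demoJwt).slice(0, 90) + '...');
```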

Add additional "aud" entry to Azure AD B2C token

I'm using a custom policy in Azure AD B2C to authenticate and authorize users to my API backend. This works fine.
Now I want to add an additional "aud" entry to the Azure AD B2C JWT such that I can use the same token for a different service which expects this aud entry to be present.
Right now Azure AD B2C fills in the "aud" field with the ApplicationID for which it was created.
Is there a way to add a static entry to the "aud" field in Azure AD B2C?
Based on your description, I think you are expecting to use the same token to access multiple services (please correct me if my understanding is wrong). Unfortunately, you cannot do this.
A token can only correspond to one scope. The access token is issued according to the API audience you want to access, and it is unique! A token can only have one audience, and you cannot use multiple scopes to request access tokens. If you need to access other services, you should obtain a token for each service separately.
Update:
You can put multiple APIs of the same type in the scope because they are still of the same type in essence. But it is not acceptable to request the same access token for two different types of APIs.

Generating access token for NFL api

NFL has an API service. Link: https://api.nfl.com/docs/getting-started/index.html
For making API calls we need an OAuth2 access token.
To generate it we need to hit the /oauth/token endpoint with the parameters client_id and client_secret in the body. Now I cannot find any documentation on how to generate the client_id and client_secret.
Another way I found was to create a new user, which just requires you to pass the necessary parameters like username, password, etc. and in turn gives a new access token. But doing it this way also gives an unauthorized 401.
So I am doing it wrong. If someone has used this API in the past, please do share how you did it. I also found another question here on the same topic (link: How would I create an access token for the NFL Shield API?) but it does not have any answer. I am sharing the links to two docs related to authentication.
https://api.nfl.com/docs/identity/oauth2/index.html
https://api.nfl.com/docs/identity/register/index.html

what is the function of access token in mobilefirst 8

At first, I expected the access token to be necessary while communicating with a WL resource.
Expected flow:
1. WLAuthorizationManager.login(this.securityCheck, {'username': username, 'password': password, rememberMe: true}).then(
2. WLAuthorizationManager.obtainAccessToken(this.securityCheck).then(
3. let resourceRequest = new WLResourceRequest('someURL', WLResourceRequest.GET)
   resourceRequest.addHeader("Authorization", "Bearer " + accessToken);
4. resourceRequest.send().then(
where 1 = login, 2 = get access token, 3 = add access token to header, 4 = access resource
However, I find that without 2 and 3, I can still access the resource.
My concern is what the purpose of obtainAccessToken and of adding the Authorization header is.
Is there any token auto bound to WLResourceRequest after login?
Is there another way to log in without using WLAuthorizationManager.login?
If OK, how do I let the server know the user logged in, as with WLAuthorizationManager.login?
If the above is true, after a custom login, can I obtain an access token?
Here's some background about these methods and their working:
WLAuthorizationManager.login(securityCheck, credentials) logs into a specified security check. This method does not create an OAuth token.
More details about WLAuthorizationManager.login(securityCheck, credentials).
WLAuthorizationManager.obtainAccessToken(scope) returns an OAuth token containing the specified scope. If the scope is mapped to a security check, it will trigger a corresponding challenge, which the client will have to handle to obtain the token. If obtainAccessToken(scope) is invoked after a successful login(securityCheck) call and if the scope is mapped to the same security check, then you will not see a challenge. The OAuth token will be granted.
More details about obtainAccessToken().
WLResourceRequest object is used to send a request to any protected or unprotected resource using an absolute or relative URL.
WLResourceRequest object automatically handles the MobileFirst OAuth-based security model protocol and invokes the required challenges.
Details about WLResourceRequest.
To answer your questions:
Is there any token auto bound to WLResourceRequest after login?
As mentioned earlier, WLResourceRequest automatically negotiates an OAuth token from MFP server containing the scope that protects the endpoint it is accessing. This may include multiple rounds of OAuth negotiation and also invoke the challenge handlers to handle challenges originating from the server. Once the right token has been obtained, the API automatically adds the token to the request in an 'Authorization' header.
Is there another way to log in without using WLAuthorizationManager.login?
Instead of WLAuthorizationManager.login(securityCheck, credentials), if a protected resource is accessed via WLResourceRequest or if WLAuthorizationManager.obtainAccessToken(scope) is invoked for a scope that is mapped to a security check, this will trigger a challenge response cycle that will end with a user identity and a token.
If OK, how do I let the server know the user logged in, as with WLAuthorizationManager.login(securityCheck, credentials)?
MFP runtime takes care of this, regardless of whether the user identity is set via WLAuthorizationManager.login() or WLResourceRequest / WLAuthorizationManager.obtainAccessToken(scope) triggers a challenge response cycle that goes through the security check.
If the above is true, after a custom login, can I obtain an access token?
Not sure what you mean by 'custom login', but you can always obtain an OAuth token using WLAuthorizationManager.obtainAccessToken(scope) or WLResourceRequest. The difference is that obtainAccessToken() will get you a token for the scope you specify, while WLResourceRequest will invoke an endpoint by obtaining an OAuth token covering all the required scopes automatically.

How automatically getting token in Postman

I use the Postman desktop app for web API testing. I have a lot of controllers and each one needs a token. First I get a Bearer token and then copy it to the other requests. This token has a limited lifetime. Can I get the token automatically and then automatically set it on all the other requests?
OK, I just used Environments in Postman.
1 - create a new Environment with token.
2 - add a test after the auth request like this:
    var jsonData = JSON.parse(responseBody);
    var token = jsonData._token;
    postman.setEnvironmentVariable("token", token);
3 - just set {{token}}
And of course you can set the token before the request if you use a Pre-request Script in one of the requests.
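The Pre-request Script approach mentioned in the answer above, as an added example that is not part of any answer on this page. It refreshes {{token}} only when the cached one is missing or about to expire. The environment variable names (tokenUrl, clientId, clientSecret, tokenExpiresAt), the client_credentials grant and the response fields `token` and `expires_in` are assumptions; adjust them to your API.

```javascript
// Collection-level Pre-request Script. `pm` is passed in so the logic can
// also be exercised outside Postman with a stand-in object.
function ensureToken(pm, now) {
  const SKEW_MS = 30 * 1000; // refresh slightly before the real expiry
  const expiresAt = Number(pm.environment.get('tokenExpiresAt') || 0);
  if (pm.environment.get('token') && now < expiresAt - SKEW_MS) {
    return 'cached'; // still valid, no extra round trip
  }
  pm.sendRequest({
    url: pm.environment.get('tokenUrl'),
    method: 'POST',
    header: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: {
      mode: 'urlencoded',
      urlencoded: [
        { key: 'grant_type', value: 'client_credentials' },
        { key: 'client_id', value: pm.environment.get('clientId') },
        { key: 'client_secret', value: pm.environment.get('clientSecret') },
      ],
    },
  }, (err, res) => {
    if (err || res.code !== 200) {
      // Drop the stale token so later requests fail visibly instead of
      // silently replaying an expired credential.
      pm.environment.unset('token');
      pm.environment.unset('tokenExpiresAt');
      return;
    }
    const data = res.json();
    pm.environment.set('token', data.token);
    pm.environment.set('tokenExpiresAt', String(now + (data.expires_in || 0) * 1000));
  });
  return 'requested';
}

// Inside Postman the `pm` global exists; anywhere else this line is skipped.
if (typeof pm !== 'undefined') ensureToken(pm, Date.now());
```

With this in place, requests in the collection use `Bearer {{token}}` as their Authorization value.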
Write the code below in the Tests tab in Postman for your login request.
if(pm.response.code === 200) {
pm.environment.set('authToken', pm.response.json().token)
}
Then edit your collection and set your env authToken inside.
You can save and re-use the tokens using the Token Name from Postman. You can select it from the available token list.
One of the many cases is:
1. Request a refresh token using the credentials
2. Use the refresh token to get an access token
3. Use the access token to authenticate the API.
Step 1 sometimes requires us to log in to an interface of the API provider and get an authentication code to our callback URL. Some API providers allow us to override this by providing the client_secret key and the client_id as an authorization header and the refresh token as the request parameters and by setting prompt as none.
From the documentation.
prompt (optional)
none no UI will be shown during the request. If this is not possible (e.g. because the user has to sign in or consent) an error is returned.
https://identityserver.github.io/Documentation/docsv2/endpoints/authorization.html
All you need to know about the identity servers are here.
https://identityserver.github.io/Documentation/