I Want to test MFP adapter 8.0 using Postman
Steps followed -
Registered the confidential client in MobileFirst Operations Console.
Using Postman, Obtained access token from MobileFirst Server token endpoint.
I am able to get access token using url - /mfp/api/az/v1/token
And used the access token received from MobileFirst Server token endpoint to make requests to the desired resources.
Now can I know how to store Login tokens in clientData and fetch tokens whenever required using -
clientData.getProtectedAttributes().get("");
Currently getting null pointer exception while getting clientId from clientData
String clientId = (String) clientData.getProtectedAttributes().get("clientId");
Update : Attached snapshot of Request parameter passed for Token step
https://i.stack.imgur.com/XVhLV.png
The observed behaviour is expected and by design.
A confidential client does not have a clientId and no associated clientData.Client Data is populated only when using mobile SDK to do registration and subsequent operations.
Related
I am trying to collect data from REST API using Grafana plug-ins (Infinity, Simple JSON, JSON), The problem is in order to access the API you should maintain a valid OAuth Token which expires every hour and should be refreshed, and it should be pre-fixed by certain word,
EX: 'Authorization' : 'Bearer AUTHTOKEN'
Any idea how to solve this ?
Thanks.
Your Grafana Infinity plugin wants to access the protected Citrix data source.
Citrix is protected with the OAuth 2.0 client credentials grant: that means, Citrix clients must collect a short-lived access token by authenticating themselves with their id and secret and requests to Citrix APIs must include the access token as a bearer token (as the HTTP Authorization header prefixed with Bearer ).
Creating an API client in Citrix gives you your client id, client secret, and additionally, customer id.
Grafana Infinity plugin supports client credentials grant out of the box, meaning once you have Infinity configured with the required parameters (those you got while creating your client in Citrix), it will collect the token and include it as a bearer token for you.
The Infinity plugin documentation doesn't explicitly mention how it handles access token expiration: possibly it requests for a new access token if it detects that the access token has expired (the expiration time is returned as the expires_in value with the access token).
You just need to follow these steps, if you have already logged in through any OAuth mechanism:
Go to Configuration > Data sources.
Add data sources, and select Infinity.
In authentication select Forward OAuth and add some Allowed host. For instance http://:8080/ to allow
any data coming form the quarkus app.
Save and exit, the url will be set in the dashboard.
I'm currently using Firebase cloud functions as my mobile app's backend and I'm using Auth0 as my authentication provider.
My problem is that I've used Postman to send test login requests to my API and I'm able to get a valid JWT. I then deleted the user account through Auth0's user management panel and used Postman to test the login function again to see the type of response I would receive. Instead of receiving any errors, I receive a new valid JWT which allows me to access protected routes even though the user does not exist.
I've tried setting the response cache control to "no-store" and yet I'm able to receive a valid JWT. What could the reason be?
I'm building a REST API using Elixir's Phoenix framework. In the API, I need to authenticate the user by phone number i.e., via sending an SMS OTP code. After authenticating the user, the Auth server sends the Access token and Refresh token to the client. The client(mobile app) stores those tokens locally and sends the Access token in the HTTP header as Authorization: Bearer <Access_Token> in every request to resource server. My actual question is, how do resource server validates the Access token that is received from the mobile app/client?
Does resource server needs to contact Auth server to validate the Access Token? That would a lot of overhead. Please help me understand RestFull API Authentication.
Thanks for taking the time to read my question.
It sounds like you have everything working up to validating the token. You are going to need the public key for the server that signed the token. It depends on what auth server you're working with on how you get that. In some cases you may be able to preload this key as a configuration setting on your backend. Otherwise you can probably get it via https request to the auth server. Most auth servers these days I expect to provide a JWKS api that you can use to get the keys you need. Then with the token and the public key you can use your elixir jwt library to validate that the token you have was signed by the server you trust, meaning the SMS code was validated, and you can proceed with whatever is needed in the backend to handle the request.
If you're using Joken for elixir you can review https://hexdocs.pm/joken_jwks/introduction.html and https://hexdocs.pm/joken/introduction.html for more information.
how do resource server validates the Access token that is received from the mobile app/client?
The same way a nightclub bouncer verifies your driving license as proof-of-age to let you in: by validating the authority and signatures, but it does not need to phone-up your DMV to verify that your license is real because it trusts the signatures (in this case, cryptographic signatures).
That said, some systems do use "reference tokens" which are short (say 32 bytes) of meaningless random data which are used as an unpredictable record identifier for some user-permissions record held by the authorization server. The resource-server will need to contact the auth server initially, but then it can simply cache the auth result itself for some time window.
I'm developing an Android app that consumes a REST service that uses OAuth protocol. In the first activity, app shows a login screen. This is the flow:
1) User puts her username and password.
2) App makes a request to REST service, providing username and password.
3) REST service check the credentials and if are correct, ask for an access_token to my OAuth2 provider server.
4) REST service answers to the app providing the access_token and the refresh_token
5) In the next requests to the REST server (to get data like people, articles...) app will provide the access_token and the refresh_token.
6) When REST service process a request, will validate the access_token (using an token info endpoint of my OAuth server).
7) If the access_token is correct and has not expired, REST service will return the data that the app were asking for.
When REST service detects that access_token has expired, asks for another with using the refresh_roken.
Now, my questions:
When REST service retrieve a new access_token after the old one expires, has the REST service send it to the app in that response?
If so, has the app check, in each request/response, if new a new access_token has been sent from the REST service?
I don't know if I'm in the right way, I'm trying to understand the flow.
Thanks.
Assuming there's no browser involved and the app (aka. Client) uses what is called the Resource Owner Password Credentials grant, the flow is:
the User (aka. Resource Owner) provides his/her username and password to the Client
the Client makes a Token Request to the Authorization Server, providing username and password
the Authorization Server checks the credentials and if they are correct, it provides an access token and optionally a refresh token to the Client in the response
in the requests to the REST server (to get data like people, articles...) the Client will provide the access token
when the REST service process a request, it will validate the access token calling the token validation endpoint of the Authorization Server or by validating the token locally (e.g. if the access token is a JWT).
if the access token is correct, has not expired and has the right permissions (aka. "scopes"), the REST service will return the data that the Client was asking for
when the Client detects that access_token has expired (e.g. because the REST server returns an error), it asks the Authorization Server for another access token using the refresh token using the so-called Refresh Token grant/flow
OAuth 2.0 flows:
An application registers with the auth provider e.g. Facebook, Google, etc with app name, website and callback/postback URL
The application receives the client id and secret from the auth provider
The application user accesses the auth provider for authentication and user approves the resource permissions
The auth provider returns the auth token with respect to the user permissions to the application
The application accesses the resource provider using the auth tokens
The resource provider returns the protected resources after validating the auth tokens to the application
Do comment if you need more understanding!
I'm trying to get Azure mobile services working with custom authentication. I came across this article:
Get started with custom authentication
and another thread with detailed explanation:
Implement Custom Authentication In Windows Azure Mobile Services.
My question is:
once the token is received after login, does it need to be validated manually similar to this thread ?
I've tried passing the token as Authorization header, but the ServiceUser is always null. (I'm using Fiddler for testing the endpoints)
You do not need to validate the token. Azure Mobile Services will do this for you. For example, it will automatically check if the token has expired, if it has been generated for your particular service (if it's been derived from your Master key), etc.
For example, if you have marked a method with [AuthorizeLevel(AuthorizationLevel.User)] and the token is not valid, AMS will automatically return error response (probably 401 Unauthorized HTTP response). So you do not have to worry about validating the tokens.
In order to use the provided token you have to add the X-ZUMO-AUTH header with the token as value to the request that you send to your service.