I'm trying to get an Offline Access from Keycloak, with the following request:
curl -X POST https://<domain>/auth/realms/public/protocol/openid-connect/token
-H "Content-Type: application/x-www-form-urlencoded"
-d 'grant_type=refresh_token'
-d "refresh_token=<token>"
-d 'scope=offline_access'
-d 'client_id=<id>'
-d 'client_secret=<secret>'
The scope in the response isn't offline_access as I expected, but openid, and also the number of Offline Tokens is not updated in the admin console.
{
"access_token": <access token>,
"expires_in": 3600,
"refresh_expires_in": 84884,
"refresh_token": <refresh token>,
"token_type": "bearer",
"id_token": <id token>,
"not-before-policy": 0,
"session_state": <state>,
"scope": "openid"
}
How can I get Offline Access tokens using grant_type 'refresh_token'?
Note that I'm able to get them using grant_type password, but would prefer not to use that, because:
I'm already using a refresh token in my app, but I don't have access to the password
I'm not sure how that would even work with Social Login and 2FA
Usually offline_access needs to be specified in the original authorization request - at the time of the delegation - which in some setups also involves user consent to use tokens offline.
Try getting the refresh token like this, when completing authorization:
curl -X POST https://<domain>/auth/realms/public/protocol/openid-connect/token
-H "Content-Type: application/x-www-form-urlencoded"
-d 'grant_type=authorization_code'
-d 'code=<code>'
-d "redirect_uri=<uri>'
-d 'scope=openid offline_access'
-d 'client_id=<id>'
-d 'client_secret=<secret>'
Then omit the scope parameter in the refresh token grant request that you posted. The scope parameter is not usually specified in this message. If it is then it can only be used to reduce scopes in the delegation. That is, you cannot silently get new scopes that a user did not consent to.
Related
I am trying to make a call https://api.github.com/repos/OWNER/REPO/actions/runners/registration-token with an users personal access token that has repo permissions.
To do so I am testing with:
curl -I -X POST -H "Authorization: token <OAUTH_TOKEN> Accept: application/vnd.github.v3+json" https://api.github.com/repos/<owner>/<repo-name>/actions/runners/registration-token which gives me Bad Credentials error
curl -I -H "Authorization: token <OAUTH_TOKEN>" https://api.github.com/users/<USER_NAME> ->
x-oauth-scopes: repo
x-accepted-oauth-scopes:
According to this: https://docs.github.com/en/rest/actions/self-hosted-runners I need to provide an oauth token with repo access.
If I curl the user curl -H "Authorization: token <OAUTH_REPO_TOKEN>" https://api.github.com/users/<USER>/repos -> []. But if I go to the repo and check settings -> Collaborators And Teams, the user is listed as part of the team with admin privledges, and I have also added an entry for the user directly.
Is there something I am missing? What permissions do I need to add to fix this?
I needed to call the API with a user name as well. For example:
curl -I -X POST -u <USER>:<OAUTH_REPO_TOKEN> -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/<owner>/<repo-name>/actions/runners/registration-token. Passing a -v option reveals that it was not setting a username, and causing github to reject the call.
The user sends me its id and password.
Then I want to check if it is valid on the keycloak.
I can try to log in, but the session is created in keycloak.
I even thought about to log out after logging in.
But this is very inefficient.
Is there a way to check if id and passwd are valid without creating a session?
If there was such a way, my task will be very easy.
If there is no way, I have to log in instead of my user and manage the token instead.
This is relatively more complex to implement.
As far as I know out-of-the-box there is no way to avoid creating the session.
If there is no way, I have to log in instead of my user and manage the
token instead. This is relatively more complex to implement.
Not really, since, the password and username are handed to your application, you can use the following approach:
Create in Keycloak a client (in the appropriate Realm) with direct grand access flow enabled (know as Resource Owner Password Flow in OAuth2);
Set the Access token for that client to be very short living (e.g., one minute).
Make a POST request with the username and password to the client, something as follows:
curl --request POST \
--url "http://$KEYCLOAK_HOST/auth/realms/$REALM_NAME/protocol/openid-connect/token" \
--data client_id=$CLIENT_ID \
--data username=$USERNAME \
--data password=$PASSWORD \
--data grant_type=password
If you get back as a response a token, then it means that the user credentials are valid, if not then those credentials are invalid.
In case you get back the token, you can explicitly logout the session, for instance as follows:
ACCESS_TOKEN=$(echo $TOKEN | jq -r .access_token)
SESSION_STATE=$(echo $TOKEN | jq -r .session_state)
curl -k -X DELETE "http://$KEYCLOAK_HOST/auth/admin/realms/master/sessions/$SESSION_STATE" \
-H "Content-Type: application/json" \
-H "Authorization: Bearer $ACCESS_TOKEN"
Or since the access token is very short living, let Keycloak eventually clean up the session.
I am trying to authenticate a user by GitHub API.
I've tried on two methods, Authentication via username and password and via personal access token(PAT) like this;
curl -u devmania1223 https://api.github.com/user /*via username and password*/
curl -u ghp_I60uniHdf6UKDCkyde1InP7kwRwsw2fD0wx https://api.github.com/user /*via personal access token*/
Inputted username and password, PAT correctly, but the response is not right.
{
"message": "Requires authentication",
"documentation_url": "https://docs.github.com/rest/reference/users#get-the-authenticated-user"
}
So, What's wrong with curl command?
Try and use the token as password:
curl -i -u your_username:$token https://api.github.com/users/octocat
Don't forget the other option: gh (the GitHub cli/cli), using gh auth login
# authenticate against github.com by reading the token from a file
$ gh auth login --with-token < mytoken.txt
Let's say that your personal access token is 55a6f290558d11ecbeaf787b8ab956b4. Now, make a request using the GitHub API, put the token into the "Authorization" header:
/usr/bin/curl -H "Authorization: Bearer 55a6f290558d11ecbeaf787b8ab956b4" https://api.github.com/user
Why? Well, the type of token that GitHub gives to you is called "OAuth 2.0" token, and you just have to use it this way.
I have a bitbucket cloud account. Under: https://id.atlassian.com/manage/api-tokens I have generated an API Token which I am trying to use in a REST call to upload
a public SSH key to my account. Based on:
https://docs.atlassian.com/bitbucket-server/rest/5.6.2/bitbucket-ssh-rest.html?utm_source=%2Fstatic%2Frest%2Fbitbucket-server%2F5.6.2%2Fbitbucket-ssh-rest.html&utm_medium=301#idm45427244388592
https://community.atlassian.com/t5/Answers-Developer-Questions/Bitbucket-REST-API-POST-using-token-instead-of-basic-auth/qaq-p/474823
I have tried:
curl -X POST -d '{"text":"ssh-rsa AAAAB3... me#127.0.0.1"}' -H "Authorization: Bearer ADasdaEeasAsd..." https://bitbucket.org/[my-account]]/rest/ssh/latest/keys
But when I run that I get:
{"type": "error", "error": {"message": "Access token expired. Use your refresh token to obtain a new access token."}}
I have tried to re-create the token and re-run the above command again - with the new token - but I get the same error.
Any suggestions?
Based on below answer and link I have now tried:
curl -X POST \
-H "Content-Type: application/json" \
-H "Authorization: Bearer wxdrtblabla..." \
-d '{"key": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKqP3Cr632C2dNhhgKVcon4ldUSAeKiku2yP9O9/bDtY myuser#bitbucket.org/myuser"}' \
https://api.bitbucket.org/2.0/users/myuser/ssh-keys
But I get the exact same error:
{"type": "error", "error": {"message": "Access token expired. Use your refresh token to obtain a new access token."}}
So still no luck. Also if I access:
https://api.bitbucket.org/2.0/users/[myuser]/ssh-keys
directly in a browser I get:
type "error"
error
message "This API is only accessible with the following authentication types: session, password, apppassword"
EDIT/ANSWERED: Based on the updated answer below I have no tried to create an app password and grant it account: read/write in bitbucket and it works. I run it with:
curl -v -u myuser:my-generated-app-password -X POST \
-H "Content-Type: application/json" \
-d '{"key": "ssh-rsa AAA....ro"}' \
https://api.bitbucket.org/2.0/users/myuser/ssh-keys
You're looking at Bitbucket Server documentation but using Bitbucket Cloud. (The giveaways: the "bitbucket-server" part of the doc path, and the "bitbucket.org" in the path where you're pushing your key.)
Check out https://developer.atlassian.com/bitbucket/api/2/reference/resource/users/%7Busername%7D/ssh-keys#post instead - that's the Bitbucket Cloud documentation to do what you're trying to do. Your URL will be more like https://api.bitbucket.org/2.0/users/[your-account]/ssh-keys.
EDIT: The error you received indicates the problem: you either need to make that call from within an existing session (i.e. from the GUI), use your password, or use an app password. I'd recommend the app password, since it's scoped, meant to be disposable, and won't let you log onto the GUI. Your curl call then becomes something like curl -u myuser:myapppassword -X POST -H "Content-Type: application/json" -d '{"key": "key content goes here"}' https://api.bitbucket.org/2.0/users/myuser/ssh-keys.
How can we access the Box API using the refresh token that is generated? I have followed all the steps to generate the access token and refresh token but I cannot find it anywhere how can I access the API using refresh token.
This is what I have right now:
curl -X GET -H "Authorization: Bearer <Access-Token>" "https://api.box.com/2.0/folders/0"
I am not able to do this :
curl -X GET -H "Authorization: <Refresh-Token>" "https://api.box.com/2.0/folders/0"
or
curl -X GET -H "Authorization: Bearer <Refresh-Token>" "https://api.box.com/2.0/folders/0"
Any idea how we can use the Refresh token in an API call?
The access_token is used to make Box Content API calls.
The refresh_token is used to obtain a new access_token & refresh_token pair since access_tokens expire in around 60 minutes.
curl https://api.box.com/oauth2/token
-d 'grant_type=refresh_token' \
-d 'refresh_token=<MY_REFRESH_TOKEN>' \
-d 'client_id=<MY_CLIENT_ID>' \
-d 'client_secret=<MY_CLIENT_SECRET>' \
-X POST