JWT authentication. Use "Bearer_$tokenValue" or "Bearer $tokenValue"? - jwt

JWT authentication. Use "Bearer_$tokenValue" or "Bearer $tokenValue"? Is there any standard?

In the Authorization header it should be:
Authorization: Bearer $tokenValue
See rfc6750/section 2.1

Related

Problem with keycloak cors. No 'Access-Control-Allow-Origin'

I use keycloak and hasura. I have a flutter web app. I retrieve the JWT token from keycloak using flutter http. But I get this error:
XMLHttpRequest error.
Access to XMLHttpRequest at 'http://xxx.xx.xxx.xxx:8080/auth/realms
/hasura-app/protocol/openid-connect/token' from origin
'http://localhost:5050' has been blocked by CORS policy: Request header
field access-control-allow-origin is not allowed by Access-Control-Allow-Headers
in preflight response.
But when I use reqbin/curl and this curl command:
curl --request POST \
--url http://xxx.xx.xxx.xxx:8080/auth/realms/hasura-app/protocol/openid-connect/token \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data username=user \
--data password=password \
--data grant_type=password \
--data client_id=hasura
it works.
This is my flutter code:
String url = 'http://xxx.xx.xxx.xxx:8080/auth/realms/hasura-app/protocol/openid-connect/token';
Map<String, String> headers = {
'Content-Type': 'application/x-www-form-urlencoded',
'Access-Control-Allow-Origin': '*',
};
String body = 'username=user&password=password&grant_type=password&client_id=hasura';
final response = await http.post(Uri.parse(url), headers: headers, body: body);
print(response.body);
When I use --web-browser-flag "--disable-web-security" it works fine. But I cannot use this; I need this for production. My app will be in a closed local network.
CORS is a security mechanism provided by the common browser implementations.
That is the reason why you get this error when using the browser, but not when using cURL.
To answer your question:
http://xxx.xx.xxx.xxx:8080/auth/realms/hasura-app/protocol/openid-connect/token
--data client_id=hasura
'http://localhost:5050' has been blocked by CORS policy
Situation
Given this information, I assume the following.
Your keycloak instance runs on port 8080. The realm's name is hasura-app. Inside this realm you have a client hasura.
Your app accessing the authentication provider (keycloak) runs on port 5050.
Explanation
This error occurs because your URL differs in the port part (keycloak 8080, your app 5050). To avoid CORS problems you need the same protocol, address and port. If anything differs, you will get a CORS error. For deeper insight consult the RFC or OWASP. From keycloak's perspective you need to allow every host that wants to consume it as auth provider.
Solution
Login as admin, go to the realm hasura-app, go to clients and select your client hasura.
Inside the client you need to add the web origin of your app by inserting the value, clicking the plus and saving. Now the CORS error should disappear; however, you would likely get a follow-up error saying invalid redirect_uri. That's why you can insert the same URL, but with "/*" as suffix, in the Valid Redirect URIs section.
I fixed it. I set Web Origins: * and Valid Redirect URIs: *. Like in the image:
image
But the real problem is in the flutter code, the headers. I set the headers in flutter to this:
Map<String, String> headers = {
'Content-Type': 'application/x-www-form-urlencoded',
'Access-Control-Allow-Origin': '*',
};
This 'Access-Control-Allow-Origin': '*' should not be here. I removed it and everything works.
Map<String, String> headers = {
'Content-Type': 'application/x-www-form-urlencoded',
};
So the final flutter code is this:
String url = 'http://xxx.xx.xxx.xxx:8080/auth/realms/hasura-app/protocol/openid-connect/token';
Map<String, String> headers = {
'Content-Type': 'application/x-www-form-urlencoded',
};
String body = 'username=user&password=password&grant_type=password&client_id=hasura';
final response = await http.post(Uri.parse(url), headers: headers, body: body);
print(response.body);
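The answer and the fix above come down to how a browser decides whether a cross-origin request needs a preflight and whether the preflight passes. The following is an added example (not code from the question, the answers, Keycloak or Flutter) that models that decision in Python: the extra 'Access-Control-Allow-Origin' request header turns the otherwise simple form POST into a preflighted one, which then fails with the exact message from the question, while the header-free version goes through. The Keycloak header whitelist and the sample origins are constructed assumptions; the example also shows that listing the exact origin in Web Origins works without the wildcard.

```python
# CORS-safelisted request headers and Content-Type values (Fetch standard): a POST
# that carries only these is a "simple" request and the browser skips the preflight.
SAFELISTED_HEADERS = {"accept", "accept-language", "content-language", "content-type"}
SAFELISTED_CONTENT_TYPES = {"application/x-www-form-urlencoded",
                            "multipart/form-data", "text/plain"}


def _is_safelisted(name: str, value: str) -> bool:
    lname = name.lower()
    if lname not in SAFELISTED_HEADERS:
        return False
    if lname == "content-type":
        return value.split(";")[0].strip().lower() in SAFELISTED_CONTENT_TYPES
    return True


def needs_preflight(method: str, request_headers: dict) -> bool:
    """True when the browser must send an OPTIONS preflight first."""
    if method.upper() not in {"GET", "HEAD", "POST"}:
        return True
    return not all(_is_safelisted(n, v) for n, v in request_headers.items())


def cors_check(origin: str, method: str, request_headers: dict,
               allowed_origins: set, allowed_headers: set) -> tuple:
    """Approximate the browser's decision; returns (allowed, reason).

    allowed_origins / allowed_headers stand for the server's
    Access-Control-Allow-Origin and Access-Control-Allow-Headers values
    (Keycloak fills the former from the client's Web Origins setting).
    """
    if "*" not in allowed_origins and origin not in allowed_origins:
        return False, "No 'Access-Control-Allow-Origin' header is present on the requested resource."
    if not needs_preflight(method, request_headers):
        return True, "simple request, no preflight needed"
    allowed = {h.lower() for h in allowed_headers}  # "*" only counts for requests without credentials
    for name, value in request_headers.items():
        if not _is_safelisted(name, value) and "*" not in allowed \
                and name.lower() not in allowed:
            return False, (f"Request header field {name.lower()} is not allowed "
                           "by Access-Control-Allow-Headers in preflight response.")
    return True, "preflight ok"


# Constructed sample mirroring the question: the app on :5050 calls Keycloak on :8080,
# which (assumed here) lists only these request headers in Access-Control-Allow-Headers.
KEYCLOAK_ALLOWED_HEADERS = {"Content-Type", "Authorization", "Accept"}
BROKEN_HEADERS = {"Content-Type": "application/x-www-form-urlencoded",
                  "Access-Control-Allow-Origin": "*"}
FIXED_HEADERS = {"Content-Type": "application/x-www-form-urlencoded"}
```

Access-Control-Allow-Origin is a response header the server sends back; putting it in the request never helps and, as the model shows, only adds a header the server has to whitelist.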

Airflow - How to use security authorization of REST API

Introduction:
Hello everyone, I'm trying to use the REST API of Airflow to activate a DAG with an external trigger, like:
POST: http://{{url}}:{{port}}/api/experimental/dags/MY_DAG_ID/dag_runs
headers = {
'Content-Type': 'application/json',
'Cache-Control': 'no-cache',
}
Problem:
It works very well (Answer: Status 200), but I need some security because it cannot be open to the public, so I read in API Authentication that I can set auth_backend in airflow.cfg, which will work very similarly to the Password Authentication used for the Web Interface.
[api]
auth_backend = airflow.contrib.auth.backends.password_auth
But now the answer is (401 - Unauthorized) and I don't know how to configure the REST API to use my external trigger with this security.
Is it necessary to pass my user and password in a header to make it work?
How can I do this?
Let's assume that there exists a user: admin, pass: admin and permission: Admin
Links:
https://airflow.apache.org/docs/stable/api.html#authentication
You have to pass an Authorization header with the base64-encoded string user:pass.
You can check how it happens here: https://github.com/apache/airflow/blob/029c84e5527b6db6bdbdbe026f455da325bedef3/airflow/contrib/auth/backends/password_auth.py#L205
header = request.headers.get("Authorization")
if header:
    userpass = ''.join(header.split()[1:])
    username, password = base64.b64decode(userpass).decode("utf-8").split(":", 1)
Example usage:
https://github.com/apache/airflow/blob/7cba83333c5227ce37967c65d189a5e994898c68/tests/www/api/experimental/test_password_endpoints.py
response = c.post(
    url_template.format('example_bash_operator'),
    data=json.dumps(dict(run_id='my_run' + datetime.now().isoformat())),
    content_type="application/json",
    headers={'Authorization': 'Basic aGVsbG86d29ybGQ='}  # hello:world
)
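As an added example (not from the answer, the question or the Airflow code base), the following Python builds the Basic header the password_auth backend expects, decodes it the same way the quoted backend lines do, and assembles the experimental-API trigger call from the question without sending it. The base URL, DAG id and credentials are placeholders; the decoder rejects missing or malformed headers instead of raising, and shows why splitting on the first ':' keeps a password that itself contains ':' intact.

```python
import base64
import binascii
import json
from typing import Optional, Tuple


def basic_auth_header(username: str, password: str) -> str:
    """Build the value Airflow's password_auth backend expects."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_auth(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Decode the header the way the quoted password_auth.py lines do.

    Returns (username, password), or None when the header is missing or
    malformed. Splitting on the first ':' only means a password containing
    ':' round-trips intact (RFC 7617 forbids ':' in the user-id, not the password).
    """
    if not header:
        return None
    # ''.join(header.split()[1:]) drops the scheme word and any stray whitespace,
    # exactly as the backend does; note it never checks that the scheme is "Basic".
    userpass = "".join(header.split()[1:])
    try:
        decoded = base64.b64decode(userpass, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    if ":" not in decoded:
        return None
    username, password = decoded.split(":", 1)
    return username, password


def trigger_dag_request(base_url: str, dag_id: str, run_id: str,
                        username: str, password: str) -> dict:
    """Assemble the experimental-API trigger call as a dict; no network I/O."""
    return {
        "method": "POST",
        "url": f"{base_url}/api/experimental/dags/{dag_id}/dag_runs",
        "headers": {
            "Content-Type": "application/json",
            "Cache-Control": "no-cache",
            "Authorization": basic_auth_header(username, password),
        },
        "body": json.dumps({"run_id": run_id}),
    }
```

Basic credentials are only base64-encoded, not encrypted, so the endpoint should be served over TLS.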

How do I create a JWT Token for Prime Trust's API?

I am working with Prime Trust's API and I'm unable to create a JWT token. I am following the documentation which states the following:
Getting Started with the Custody APIs - (Sandbox Specific)
You need to take the current steps to get started via the APIs
Create a new User
Authenticate with the APIs by getting a JWT.
Create an Account.
Test Mode APIs - Approve the owner of the account for CIP and AML.
Test Mode APIs - Open an Account for Funds
I was able to create a user following the documentation, but I'm stuck on the creation of the JWT Token. According to the documentation I should create the token using the below:
JSON Web Tokens (JWTs)
JSON Web Tokens or JWTs are the preferred method of authentication for all requests besides actually generating a JWT. Since JWTs are not persisted server resources, they are not created using a JSONAPI style request or response.
Creating a new JWT
A new JWT can be created by passing a user's credentials using HTTP
Basic Authorization to the following endpoint. Any special settings on
the JWT such as IP whitelisting, expiration time or TOTP MFA must be
passed in as form values during creation.
POST /auth/jwts
Here's the example call they give:
curl --location --request POST "https://sandbox.primetrust.com/auth/jwts" \
--header "Content-Type: application/x-www-form-urlencoded" \
--form "expires_at=2019-06-06T07:30:40Z" \
--form "otp=382948" \
--form "cidr[]=192.168.1.213/32" \
--form "cidr[]=127.0.0.1/32"
I've tried a combination of different calls with the details outlined below, but get the below error on all of my attempts:
401 Unauthorized
{
"errors": [
{
"status": 401,
"title": "Not authenticated."
}
]
}
Bodies
POST https://sandbox.primetrust.com/auth/jwts
POST https://sandbox.primetrust.com/auth/jwts
{
"email": "email#email.com",
"password": "123abc"
}
POST https://sandbox.primetrust.com/auth/jwts
{
"data": {
"email": "email#email.com",
"password": "123abc"
}
}
POST https://sandbox.primetrust.com/auth/jwts
{
"name": "name",
"email": "email#email.com",
"password": "123abc"
}
POST https://sandbox.primetrust.com/auth/jwts
{
"id": {guid},
"name": "name",
"email": "email#email.com",
"password": "123abc"
}
POST https://sandbox.primetrust.com/auth/jwts
{
"id": {guid},
"password": "123abc"
}
Headers
Content-Type: application/json
expires_at: 2019-12-31T11:59:59Z
alg: HS256
typ: JWT
I recognize that my calls don't line up with the example call exactly, but my understanding from the documentation is that all that should be required is a name & password to generate the JWT token. What am I missing?
Update 1
Based on reaching out to Prime Trust support, the username/email need to be included as parameters rather than in the body of the URL. I tried the below URLs without success
https://sandbox.primetrust.com/auth/jwts?email=email#email.com&password=123abc&id={guid}
https://sandbox.primetrust.com/auth/jwts?email=email#email.com&password=123abc
https://sandbox.primetrust.com/auth/jwts?password=123abc&id={guid}
https://sandbox.primetrust.com/auth/jwts?name=name&password=123abc
According to docs:
Creating a new JWT
A new JWT can be created by passing a user's credentials using HTTP Basic Authorization to the following endpoint. Any special settings on the JWT such as IP whitelisting, expiration time or TOTP MFA must be passed in as form values during creation.
So basically all you need is to create an Authorization header set to Basic Auth with your credentials:
curl -X POST \
https://sandbox.primetrust.com/auth/jwts \
-H 'Authorization: Basic YOUR_BASE64_ENCODED_EMAIL_AND_PASSWORD' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'cache-control: no-cache'

Cloud foundry API - stop application

I need an API to stop the running application; after some searching I've found this API
http://apidocs.cloudfoundry.org/263/apps/updating_an_app.html
If I want to test it with Postman, how can I obtain a token and where should I put it inside Postman?
Edit
I've tried the following with Postman
PUT
https://[api]/v2/apps/211c82e2-7316-45b6-9ae6-1df4dzz74772/stop
Header
Authorization : bearer <token>
"Content-Type":"application/x-www-form-urlencoded"
I got error:
{
"description": "Unknown request",
"error_code": "CF-NotFound",
"code": 10000
}
Any idea?
To get the token you can run cf oauth-token from the CLI.
You can use that token in Postman by adding an 'Authorization' HTTP header.
E.g.
Authorization: bearer token_you_got_by_running_cf_oauth-token

Getting 401 unauthorized error in /requests endpoint of Uber API

I have tried using the /requests endpoint with my Uber developer account's owner and developer accounts, but I get this error:
401 unauthorized,
{
"message": "This endpoint requires at least one of the following scopes: request.delegate.tos_accept, request, request.delegate",
"code": "unauthorized"
}
My HTTP call is as follows:
POST https://sandbox-api.uber.com/v1.2/requests
Headers:
Authorization: Bearer ACCESS_TOKEN_OF_MY_DEVELOPER_ACCOUNT
Accept-Language: en_US
Content-Type: application/json
Parameters:
{"start_latitude":"21.1741125","start_longitude":"72.8121804","end_latitude":"21.2048986","end_longitude":"72.8386455"}
Whereas I get proper response from /requests/estimate endpoint with the same access token, for the same location parameters.
Please help with this.
The problem is you have not requested the 'request' scope during the OAuth authorization process.