I'm making a request to WSO2-AM to get the OAuth Token to access the api published in the API Manager on behalf of the user. Everything is working with the big string returned in access_token but I'd like to use the short one version, probably encoded.
Request:
curl -X POST -H 'Content-Type:application/x-www-form-urlencoded' -u
<consumer-key>:<consumer-secret> -k -d
'grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&assertion=<id_token>'
https://<apim>:8243/token
Response:
{"access_token":"eyJ4NXQiOiJNell4TW1Ga09HWXdNV0kwWldObU5EY3hOR1l3WW1NNFpUQTNNV0kyTkRBe
lpHUXpOR00wWkdSbE5qSmtPREZrWkRSaU9URmtNV0ZoTXpVMlpHVmxOZyIsImtpZCI6Ik16WXhNbUZrT0dZd01XSTBaV05
tTkRjeE5HWXd....bZ-CD_r-2qkypeER7f8QMrLpozRipgHeCkpIKXx5PzSM6zBq5VjMW4EXSRg7LSu0JAJfD2UD6H4bqAiZPNiGy9vTLXc
Zr4g8WNzfKkr...
-hiAOt4SauSZxB1WWCFEZ0xyHVhbx7nAFzBVzfssF0DOYGXkc9hRJZGbG8VfiXb6PWtSfEjqJTSSY_aZWXw",
"refresh_token":"d3062fa0-1132-3532-b1b2-83c3c66136ff","token_type":"Bearer","expires_in":3600}
Expected:
{"access_token":"400f2a54-53d8-3146-88e3-be1bf5e7450d",
"refresh_token":"c2656286-449f-369f-9793 2cee9132de9f",
"scope":"default","token_type":"Bearer","expires_in":3600}
What I'm doing wrong that is not returning the short one?
I assume, that the expected by you access_token is the Opaque(Reference) Access Token, described in this WSO2 API Manager 3.1.0 documentation: Secure APIs using OAuth2 Opaque(Reference) Access Tokens.
But, according to the Release notes, from WSO2 API Manager 3.2.0, they removed this type of access token:
Out-of-the-box support to generate an opaque access token via the Developer Portal has been removed. Application Developers can create applications that only generate a JWT type access tokens.
So, the big string, you get is nothing more, like this JWT token, described here in documentation: JWT (Self Contained) Access Tokens, which you can decode on jwt.io site.
You can decode your long JWT from https://jwt.io/ and get the JTI value of it as the short one which will look similar to 400f2a54-53d8-3146-88e3-be1bf5e7450d.
Refer to the example shown below.
.
As you were referring to the short token. It is the opaque token and APIM 3.2.0 It is not shown while you creating the Application. You can get the default Token (opaque) By the WSO2 carbon management console.
Change Token Issuer to Default from JWT in ISP list for particular Application that you need to use.
enter image description here
Where I am generating opaque (Short) Token in APIM 4.0.0
enter image description here
Related
Added a custom claim by navigating to WSO2 v5.11 IS console and navigating to Claims -> Add -> Add Local Claim. as shown below
New User created in WSO2 and profile updated with custom claims as shown below
Invoke published end point from Java client to get the JWT Token from request headers as shown below.
jWTToken = httpRequest.getHeader("X-JWT-Assertion");
JWT Token retrieved successfully from request headers.
After decoding the token we are seeing only default claims not the custom claims.
We are expecting the JWT token should return custom claims along with default claims.
Is there any configuration required in WSO2 5.11.0 to get the custom claims with JWT token?
Environment
WSO2 IS 5.11.0
WSO2 API Manager 4.1.0
Expectation
JWT Token should return custom claims
If you want to add the custom claims to your generated JWT tokens, you need to mark the claims in the service provider configuration as mandatory of the particular application you are using to generate the token.
Refer https://is.docs.wso2.com/en/5.10.0/learn/configuring-claims-for-a-service-provider/#claim-mapping for more details.
Then you need to add the openid scope when invoking the token endpoint.
curl -k -d "grant_type=password&username=<USERNAME>&password=<PASSWORD>&scope=openid" -H "Authorization: Basic <BASE64 ENCODED CONSUMER_KEY:CONSUMER_SECRET>, Content-Type: application/x-www-form-urlencoded" https://<GATEWAY_HOSTNAME>:<PORT>/token
Refer https://apim.docs.wso2.com/en/latest/design/api-security/openid-connect/obtaining-user-profile-information-with-openid-connect/ for more details.
Then the custom claim will be added to the token, and will be passed to the generated backend JWT token as well.
I am trying to upload file from local to GCP bucket through cloud storage Rest API (https://storage.googleapis.com/upload/storage/v1/b) using Postman.
I am using Bearer Token for authorization and running $(gcloud auth print-access-token) command on GCP Shell to generate that token every time.
I need to know, how to auto generate that token from Postman while sending request ?
Is there any way to execute $(gcloud auth print-access-token) every time as a Pre-request Script within Postman ?
Thanks
I'm not very good with postman, but I think you can run pre-request to get token and reuse it in the subsequent request.
If so, you can get inspiration from the gcloud auth print-access-token command by adding the --log-http param to visualize the request performed by the CLI and to reproduce them in Postman.
EDIT 1
If you perform the request, you can see that a post is performed to this URL https://oauth2.googleapis.com/token
To reproduce the call, you can try with a curl
curl -X POST -d "grant_type=refresh_token&client_id=32555940559.apps.googleusercontent.com&client_secret=ZmssLNjJy2998hD4CTg2ejr2&refresh_token=<REFRESH_TOKEN>&scope=openid+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcloud-platform+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fappengine.admin+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcompute+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Faccounts.reauth" https://oauth2.googleapis.com/token
In this call, you need your REFRESH_TOKEN, that you can get here
cat ~/.config/gcloud/legacy_credentials/<YOUR EMAIL>/adc.json
Google Cloud Storage requires authentication as other Google APIs and one of the authentication way is providing bearer token. These bearer tokens are short lived and require regeneration.
So there are 3 ways to generate bearer tokens so you can interact with Google Storage API or other Google APIs using Postman:
Using oauth2l CLI ( Manual Regeneration of new bearer token and update of Authorization header with the new token)
This oauth2l CLI utility allows you to generate bearer tokens which can be pasted into the Authorization header in postman. You can use
Configuration of Postman with OAuth 2 and User Credentials ( Tokens can be managed via the Postman UI and expired ones cleaned up at the click of a button)
Postman can be configured to trigger the OAuth 2 flow and use a generated bearer token in all of the requests. But please make sure that all users have the correct permissions in the Google Cloud Platform project.
You will need to create OAuth 2 credentials in Google Cloud Console:
Go to APIS and Services
Then go to Credentials tab
Click on Create Credentials
Select OAuth Client ID
Fill the fields to create OAuth Client ID ( also add an Authorized redirect URI however this doesn’t need to resolve to anywhere).
The Client ID and Client Secret need to be saved in your machine.
Use Postman’s environment variable functionality to use different credentials per environment/project. In Postman create a new environment for your credentials using the cog icon at the top right.
Configure the variables accordingly: AUTH_CALLBACK_URL , AUTH_URL, AUTH_CLIENT_ID, AUTH_CLIENT_SECRET, AUTH_ACCESS_TOKEN_URL
This variable should be identical to that defined in the OAuth 2 Client ID creation menu and should be one of the following : AUTH_SCOPE
Once defined, these variables can be used in your Authorization tab in Postman. This can be configured at the collection level, the folder level or even the individual request level.
To Regenerate the Token, you can go to Authorization Tab and click on GET NEW ACCESS TOKEN
Configuration of Postman to use a pre-request script and service credentials (The pre-request script automatically regenerates the bearer token when it expires)
For this please check this Tutorial to follow the steps provided there.
I need to run google storage API which needs a Bearer token.
Can somebody please tell me how to generate bearer token from service account JSON file.
note that I have to use REST API only. I cannot use any java library etc.
I am trying to get a secret out of Azure Key Vault. It is a very simple Restful API call. For example for all key, it is as simple as this:
GET {vaultBaseUrl}/secrets?api-version=7.0
where vaultBaseUrl is provided in Azure Console as Vault DNS name.
I am using console mode for testing
https://learn.microsoft.com/en-us/rest/api/keyvault/getsecrets/getsecrets#code-try-0
But the return value if always 404.
When I try curl in the Azure console, it gives 401 - Unauthorized.
However I can use the command line to get the secret out.
Is there any secret to making the restful call and curl work to get the secret out? All these situations use the same credentials.
A side questions is, that on the micorosft api testing page there is a 'Request Preview' section with a green Run button, almost as if it is inviting you to run the api, but the link is to learn.microsoft.com and the copy button on the box is disabled. I have never seen so many problems in one place, so I am thinking may be I don't understand something here.
The doc seems not to be correct. If you want to get the secret, you could use the Client credentials flow to get the access token and use it to get the secret.
Follow the steps as below.
1.Register an app in the Azure Active Directory, see this link. Get the application id and key, see this link. Add the service principal in the Access policies in your keyvault with the correct secret permission(just search the name of your AD App then add it).
2.In the postman, send a request to the url
POST https://login.microsoftonline.com/{your tenant id}/oauth2/token?api-version=1.0
Request body and complete sample(client_id and client_secret are the application id and key in step 1):
3.Copy the access_token in step 2, then use it as an Authorization token to call the api:
GET https://yourkeyvault.vault.azure.net/secrets?api-version=7.0
Besides, if you want to use CURL to get the secret, try the one like below. The TOKEN is the same with the access_token in step 2 above.
curl -X GET -H "Authorization: Bearer [TOKEN]" https://yourkeyvault.vault.azure.net/secrets?api-version=7.0
For more details about getting access_token via curl and complete steps, you could refer to this link. Don't forget to change the resource to https://vault.azure.net in the Request the Access Token step.
Pass Bearer token.There will be an Url to generate a token and pass it to authentication then u will donot get the error.
I am using the Swagger OpenAPI 3.0.2 version for describing my API.
I built swagger-codegen 3.0.5 snapshot from the Swagger gihub repo.
I want a Java client that will obtain the OAUTH2 token for a grant type of client_credentials. I want client credentials because this is one machine talking to another, I am not asking a user for their credentials. I have the following bit in my spec file:
securitySchemes:
oAuth2ClientCredentials:
type: oauth2
description: Standard OAUTH2
flows:
clientCredentials:
tokenUrl: my_token_url
scopes: {}
security:
- oAuth2ClientCredentials: []
I want a Basic Authentication header with the client ID and the client secret in the standard base64 encoding with the grant_type as a URL encoded form. This is pretty standard OAuth2 authentication.
I seem to sometimes get code for the OAuth authentication and sometimes not. The python library has nothing for OAuth other than me proving the access token by hand. The Java library doesn't have it unless I ask for retrofit as the base library, but it generates a Bearer Authentication header, rather than a Basic Authentication Header. Retrofit2 doesn't even work, the handlebars template has an illegal character in it that handlebars barfs on.
So what do people do to get their access tokens when they have a client ID and a client secret? Do you craft the code to get the access token by yourself? Or is there some magic way of getting swagger-codegen-cli to generate the code for me, depending on the libraries that I use?
If anyone has managed to get swagger-codegen-cli to generate everything they need for OAuth 2 client credentials with an OpenAPI 3.0 specification, please let me know.