Configuring Keycloak through its REST API with cUrl - rest

I need to configure Keycloak to get a JWT token as in this blog post, but I have to do it with cUrl. They create a client and then update it setting access type to confidential, Direct Grant Flow to direct grant, and Browser Flow to browser. The PUT request from the web UI that does this has some uuids that they seem to have pulled out of nowhere. Here is the relevant part of the payload:
"authenticationFlowBindingOverrides":{"browser":"6d77c4c7-15cf-4474-9b9f-7439dbc83b83","direct_grant":"5cb10cdb-9902-4f7f-b9da-68f887c49a75"}
The docs for the ClientRepresentation are no help. They show all fields are optional, which doesn't make sense, and the authenticationFlowBindingOverrides is a Map, but the link in their docs for the Map is dead.
Does anyone know where they get the uuids for browser and direct_grant from?
There is also nothing in the PUT payload that sets the Access Type to confidential.
If anyone has a cUrl implementation of the UI steps in the blog post that would be greatly appreciated.

The PUT request from the web UI that does this has some uuids that
they seem to pull out of nowhere.
Those uuids are generated by keycloak to get them you need to call the endpoint:
GET KEYCLOAK_HOST/auth/admin/realms/<YOUR_REALM>/authentication/flows
From the JSON response you need to parser it and get the field id of both the alias: "browser" and the alias: "direct grant".
After that call the endpoint:
PUT KEYCLOAK_HOST/auth/admin/realms/<YOUR_REALM>/clients/<YOUR_CLIENT_ID>
with the following payload:
'{"publicClient":false,"clientAuthenticatorType":"client-secret","authenticationFlowBindingOverrides":{"direct_grant":"<DIRECT_GRANT_ID>","browser":"<BROWSER_ID>"}}'
There is also nothing in the PUT payload that sets the Access Type to
confidential.
You need to set the field publicClient to false.

Related

How to generate/retrieve token from Cybersource Secure Acceptance API?

I have attempted to use the provided test data from the Cybersource documentation to create a token for a test PAN. However, when attempting to do so (assuming it was a REST Api) it results in a "403 - Forbidden" error. The documentation is limited, as it doesn't give much information on the API other than the following:
(Test) Endpoint: https://testsecureacceptance.cybersource.com/silent/token/create
Request to create a standalone payment token:
reference_number=123456789
transaction_type=create_payment_token
currency=usd
amount=100.00
locale=en
access_key=e2b0c0d0e0f0g0h0i0j0k0l0m0n0o0p3
profile_id=0FFEAFFB-8171-4F34-A22D-1CD38A28A384
transaction_uuid=02815b4f08e56882751a043839b7b481
signed_date_time=2013-07-11T15:16:54Z
signed_field_names=comma separated list of signed fields
unsigned_field_names=comma separated list of unsigned fields
signature=WrXOhTzhBjYMZROwiCug2My3jiZHOqATimcz5EBA07M=
payment_method=card
card_type=001
card_number=4111111111111111
card_expiry_date=12-2022
card_cvn=005
bill_to_forename=Joe
bill_to_surname=Smith
bill_to_email=joesmith#example.com
bill_to_address_line1=1 My Apartment
bill_to_address_city=Mountain View
bill_to_address_postal_code=94043
bill_to_address_state=CA
bill_to_address_country=US
Is this a REST or SOAP API? How can this be tested in Postman? I tested to check if either works, and was unsuccessful. There is no information on what to include in the header either, so this is a bit puzzling.
Example POST test I am attempting:
POST https://testsecureacceptance.cybersource.com/silent/token/create
Content-Type:application/json
Accept:application/json
{
reference_number:123456789
transaction_type:create_payment_token
currency:usd
amount:100.00
locale:en
access_key:e2b0c0d0e0f0g0h0i0j0k0l0m0n0o0p3
profile_id:0FFEAFFB-8171-4F34-A22D-1CD38A28A384
transaction_uuid:02815b4f08e56882751a043839b7b481
signed_date_time:2019-03-07T06:16:54Z
signed_field_names:profile_id,access_key,transaction_uuid,signed_field_names,unsigned_field_names,signed_date_time,locale,transaction_type,reference_number,auth_trans_ref_no,amount,currency,card_type,card_number,card_expiry_date,card_cvn,payment_method,bill_to_forename,bill_to_surname,bill_to_email,bill_to_address_line1,bill_to_address_city,bill_to_address_postal_code,bill_to_address_state,bill_to_address_country
unsigned_field_names:
signature:WrXOhTzhBjYMZROwiCug2My3jiZHOqATimcz5EBA07M=
payment_method:card
card_type:001
card_number:4111111111111111
card_expiry_date:12-2022
card_cvn:005
bill_to_forename:Joe
bill_to_surname:Smith
bill_to_email:joesmith#example.com
bill_to_address_line1:1 My Apartment
bill_to_address_city:Mountain View
bill_to_address_postal_code:94043
bill_to_address_state:CA
bill_to_address_country:US
}
"Is this a REST or SOAP API?"
The URL, https://testsecureacceptance.cybersource.com/silent/token/create, is used for Secure Acceptance Checkout API. Secure Acceptance Checkout API is neither a SOAP API or a REST API. It is designed to be used as an HTML form POST from a customers browser.
If your goal is to use a REST API from the browser then you will want to use Secure Acceptance Flexible Token documented here.
If your goal is to use Secure Acceptance Checkout API the full documentation for that is here.
"How can this be tested in Postman?"
Since this is not meant to be a REST API call but an HTML form POST and HTML response you may have limited success with Postman. For example even if you get the request to work successfully the response will be an HTML document not JSON.
One problem I see is that you are using the example signature, and that will not work for you. Ensure that you follow the documentation on how to create your signature as well as set the signed and unsigned fields.
#J.J. - the error you encountered -- "This field is invalid or missing.Please contact Customer Support.: ots_profileid' ". Is telling you that you are missing (or have an invalid) profileID in your request payload. The system doesn't know what profile to use when processing this request.

Understanding AWS API Gateway with HTTP Proxy

I am new in API gateways. I have python based API deployed on an EC2 server. I can access this as URL http://xxx.xxxxxxx.com/RPC2/. I can see objects, methods in this URL. I am trying to use API gateway for same.
Created API. (ExampleAPI)
Created POST method. (given path http://xxx.xxxxxxx.com/RPC2/ as end point URL ). I have not created the resource since I am expecting HTTP Proxy for all Methods of the resource. Its looks fine when I put my content in the request body. I get a response.
Now I have deployed it to one stage dev1. Got a new endpoint URL.
Also created an API key and attached it with dev1. Also Set API key required true in POST Method Request.
Questions.
1. When I hit dev1 URL (https://xxxxxxxxxxx-api.us-east-1.amazonaws.com/dev1), it does not give me same page as http://xxx.xxxxxxx.com/RPC2/. It gives me {"message":"Missing Authentication Token"} error. Am I missing some fundamentals here?
http://xxx.xxxxxxx.com/RPC2/ do have several methods, so how can I use it? All of them are POST methods. Can I set some parameters or some request body, or some templates? How can I improve this process?
How can I use API key here? Or it won`t work in POST method?
If i do curl -H "Content-Type: application/JSON" -X POST -d "{\"method\": \"app.menu\",\"params\":[] }" https://xxxxxxxxxxx-api.us-east-1.amazonaws.com/dev1 i get same response as i curl http://xxx.xxxxxxx.com/RPC2/. is it the only way to access my dev1 URL or I can create individual methods or string parameters.
Regards,
Ashish
See answers posted to this forum:
When i hit dev1 URL (https://xxxxxxxxxxx-api.us-east-1.amazonaws.com/dev1), it do not give
me same page as http://xxx.xxxxxxx.com/RPC2/. It gives me
{"message":"Missing Authentication Token"} error. Am i missing some
fundamentals here ?
If you are hitting the URL in a browser with a GET method, it will not
work. You have to specify all of the HTTP methods on a resource that
you want the client to access. If you hit a method that is not
defined, you get that message.
http://xxx.xxxxxxx.com/RPC2/ do have several methods, so how can i use it? all of them are POST methods. Can i set some parameters or
some request body, or some templates. how can i improve this process.
Yes if you are mapping to an RPC API then you can build the REST
methods/resources in API Gateway and set a static value for the header
or in the body, wherever the RPC action is expected by the backend.
How can i use API key here? or it won`t work in POST method? Because while accessing from curl, it works fine without API key.
First you should set API Key Required on the method (Method Request
page), then you'll have to add the API Stage to the API Key and make
sure it's enabled. After all that, if you send the API Key in a header
called 'x-api-key' it should work, otherwise you should get a 403
response saying "Forbidden".
If i do "curl -H "Content-Type: application/json" -X POST -d "{\"method\": \"app.menu\",\"params\":[] }"
https://xxxxxxxxxxx-api.us-east-1.amazonaws.com/dev1" i get same
response as i curl http://xxx.xxxxxxx.com/RPC2/. is it the only way to
access my dev1 URL or i can create individual methods or string
parametrs.
You will have to create each method in API Gateway (like GET) and they
can all point to the same backend url but specify a different RPC
action in the header or wherever it is specified.
I'd encourage you to check the public developer guides for parameter
mapping and payload transformation to learn what tools we have in API
Gateway.

silhouette rest seed : how to use a social provider?

https://github.com/merle-/silhouette-rest-seed
I am trying to use this as I don't want to use the scala.html template files, and this seemed to do exactly what I wanted. I can CURL to create a user and get a token, but I don't know what to do with the redirects when trying to authenticate with a social provider, such as Facebook. There don't seem to be any instructions, either. Any help would be appreciated.
The readme gets you to the point where you have signed up a user and with the credentials POST retrieved the X-Auth-Token.
After a little debugging you will submit a POST request to the auth/link route to associate the user with the returned X-Auth-Token with a social provider as in:
http :9000/auth/link/facebook 'accessToken=xxxxx' X-Auth-Token:tokenfromearlier
Note the syntax of httpie is specific and must use = for json and : for headers. You obtain accessToken from here: https://developers.facebook.com/tools/access_token/
This will return the following JSON:
{
"message": "link with social completed!",
"status": "ok"
}
Not yet sure how to accomplish the next step which is to invoke the
/auth/signin/facebook POST route as this requires the ID of the provider and I am still figuring out the fb graph access approach.

Facebook server-side OAuth 2.0 on localhost:8080 can't get access token missing redirect_uri

There are many other question related to this, but they didn't help me fix my problem.
I'm using the Facebook server-side login for a website, which I want to test locally. The path that initiates the login action is [http://localhost:8080/fblogin] (this redirects to the Facebook login dialogue, and goes from there).
I can successfully get the code, but when I try to exchange that for an access token, I get the following error:
{"error":{"message":"Missing redirect_uri parameter.","type":"OAuthException","code":191}}
I am providing the redirect_uri, url encoded and it is the same as the one I use to get the first code. Here is the url I'm using to request the access token (with the all-caps query string parameters replaced with their actual values, of course):
https://graph.facebook.com/oauth/access_token?client_id=CLIENT_ID&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Ffblogin&client_secret=CLIENT_SECRET&code=CODE_FROM_FB
I suspect this might have to do with how my app is set up on Facebook. Here are the values I have set:
Display Name: (an actual display name here)
App Domains: localhost
Contact email: (an actual email here)
Site URL: [http://localhost:8080/fblogin]
What do I need to tweak in the settings to get this to work? Or does this look correct?
By the way, if it makes any difference, I am using the Play! framework, version 2.0.1
After digging around a little more, I found that it was necessary for me to use POST when sending the request from my server to get the access token.
Interesting that using POST worked for you as this didn't for me.
In any case, did you add the query parameters using setQueryParameter()? (see How to make multiple http requests in play 2?)

Place API key in Headers or URL

I'm designing a public API to my company's data. We want application developers to sign up for an API key so that we can monitor use and overuse.
Since the API is REST, my initial thought is to put this key in a custom header. This is how I've seen Google, Amazon, and Yahoo do it. My boss, on the other hand, thinks the API is easier to use if the key becomes merely a part of the URL, etc. "http://api.domain.tld/longapikey1234/resource". I guess there is something to be said for that, but it violates the principle of the URL as a simple address of what you want, and not how or why you want it.
Would you find it logical to put the key in the URL? Or would you rather not have to manually set HTTP headers if writing a simple javascript frontend to some data?
It should be put in the HTTP Authorization header. The spec is here https://www.rfc-editor.org/rfc/rfc7235
If you want an argument that might appeal to a boss: Think about what a URL is. URLs are public. People copy and paste them. They share them, they put them on advertisements. Nothing prevents someone (knowingly or not) from mailing that URL around for other people to use. If your API key is in that URL, everybody has it.
It is better to use API Key in header, not in URL.
URLs are saved in browser's history if it is tried from browser. It is very rare scenario. But problem comes when the backend server logs all URLs. It might expose the API key.
In two ways, you can use API Key in header
Basic Authorization:
Example from stripe:
curl https://api.stripe.com/v1/charges -u sk_test_BQokikJOvBiI2HlWgH4olfQ2:
curl uses the -u flag to pass basic auth credentials (adding a colon after your API key will prevent it from asking you for a password).
Custom Header
curl -H "X-API-KEY: 6fa741de1bdd1d91830ba" https://api.mydomain.com/v1/users
passing api key in parameters makes it difficult for clients to keep their APIkeys secret, they tend to leak keys on a regular basis.
A better approach is to pass it in header of request url.you can set user-key header in your code .
For testing your request Url you can use Postman app in google chrome by setting user-key header to your api-key.
I would not put the key in the url, as it does violate this loose 'standard' that is REST. However, if you did, I would place it in the 'user' portion of the url.
eg: http://me#example.com/myresource/myid
This way it can also be passed as headers with basic-auth.