Closed. This question needs debugging details. It is not currently accepting answers.
Edit the question to include desired behavior, a specific problem or error, and the shortest code necessary to reproduce the problem. This will help others answer the question.
Closed 2 years ago.
Improve this question
I have created a Cloud Firestore database, with a collection and some documents. I want to make some requests to it with Postman, but I am not able to authenticate. I have created a service credentials and tried to get the token for the authentication, with no success. Any idea about how to get it?
Which is the endpoint to get the token?
Thanks in advance.
Assuming you are trying to use Firestore REST API you can obtain token with the following steps:
Create a key for service account that you configured to access Firestore.
Open Cloud Shell, copy json with key info into it, and activate service account with gcloud auth activate-service-account --key-file=<path_to_json>
Print and copy its access token with gcloud auth print-access-token
Add Authorization header with value Bearer <copied_token> to your request or add it as a request parameter to url with ?access_token=<copied_token>
Keep in mind that these tokens are short-lived and are valid maximum for an hour.
Related
I’m using Kubernetes Dashboard and can log into it with a Service Account Token, which is created according to the docs.
All works technically well and I can view my cluster resources as expected.
As a user of Bitwarden for password management, I expect that I can store my token in the vault as a normal password and autofill it the next time I return to the Dashboard.
However, because of the hard cap on password length in Bitwarden, an attempt to store my token there fails:
Although the problem generally lies on the Bitwarden side, I’m wondering if it can be solved within Kubernetes. It would be great if it was possible to generate a Service Account with a shorter token if that’s theoretically allowed.
I tried editing my Service Account Secret by naively cutting the token in half, but the trick did not work – I started getting 401 response in the Dashboard Login form. Not a big surprise.
So my question is: how can one create a Service Account Token that would be, say, 500 characters long instead of about a thousand? Being able to do that can improve the user experience for me and other users of Bitwarden and should probably not affect cluster security too badly.
This question already has answers here:
Using Custom Tokens to make REST requests to FB DB as an admin
(2 answers)
Closed 6 years ago.
I would like to authorize an user in firebase. I am using a poor JavaScript so I must generate a JWT token on my own but I don't know where put a username and password before create token. How the object should look like?
When you mint a custom token for Firebase, you write a set of claims about the user in JSON format:
{
"uid": "myprovider:5764416",
"displayName": "Grajek",
"provider": "myprovider"
}
You then sign this object with your Firebase Secret, which ensures it can only be decoded by someone who also has that secret (such as the Firebase servers).
This is a jsfiddle to generate such a token: http://jsfiddle.net/firebase/XDXu5/ . Be careful not to share your Firebase Secret with anyone accidentally, as that is the key to your kingdom. Well... at least to the data in your Firebase backend.
So you don't specify a username and password anywhere. Instead you make a few claims about your user and sign them with a value that only you (should) know (the Firebase Secret).
It's like you're saying "I, myprovider, assure you that the following claims are true about this user".
We are having troubles with getting the access token from fiware since 4th August.
We are using this URL to ask for the token: https://orion.lab.fiware.org/token but it seems like it does not work.
Before using that URL we used to ask for this one:
http://cloud.lab.fi-ware.org:4730/v2.0/tokens
Could anyone, please, help us?
Thank you in advance.
It depends on how you want to get the token. The current OAuth2 URL to get the tokens is https://account.lab.fiware.org/oauth2/token. This is the central authority for authentication, if you are accessing any common GE, but you will need to register your application in FIWARE Account and use your application credentials and some OAuth2 grant to get it.
If you want to get the token for the global instance without using a registered application, the URL you have mentioned contains a token service that can give you a valid token for your user and that purpose. You can test it (and see an example) with the following script:
https://raw.githubusercontent.com/fgalan/oauth2-example-orion-client/master/token_script.sh
I'm working on my own project (mostly for education) and I need to create authentication & authorization mechanism for my REST service.
I've read a few articles & some good answers here, but i still can't understand the process completely. So from my point of view the simple process of authentication & authorizationshould look simething like this:
User enters login and password in the web browser. But is it safe to pass credentials as regular parameters in the url? Even after client-side encryption.
If valid credentials were passed REST service returns some token, which is unique for each user. This token should be passed in http header for every request and define user permission (i assume SSL is mandatory in this case). But where user should store this token? Is is approach safe?
Each request should be passed through filter that compares user permission (fetched from token in header) and resource permission. In case access should be denied 401 error will be returned.
So that's how I see solution, but it doesn't seems secure and reliable so far. Any corrections/advises/suggestions/links ?
Thanks in advance for everyone!
Okay, I've spent some time investigating my problem and here is the solution i found
Thanks to Suketu for comment! Credentials could be passed in the url using POST & HTTPS.
It's ok to add custom token to every request, but also cookie-based auth is acceptable. What about my question: there 2 types of HTML5 Web Storage
1) window.localStorage - stores data with no expiration date
2) code.sessionStorage - stores data for one session (data is lost when the tab is closed)
Useful links
If you want to get more information about cookie-based vs token-based auth you can dive into AngularJS article (https://auth0.com/blog/2014/01/07/angularjs-authentication-with-cookies-vs-token/)
IMHO good question of how to generate tokens & related questions (https://security.stackexchange.com/questions/19620/securing-a-javascript-single-page-app-with-restful-backend)
A guide for web storages (https://developer.mozilla.org/en-US/docs/Web/Guide/API/DOM/Storage#localStorage)
And a guide for java developers how to create REST service auth(http://howtodoinjava.com/2013/06/26/jax-rs-resteasy-basic-authentication-and-authorization-tutorial/)
UPDATE
A little bit more up to date article about auth with jax-rs 2.0 and jersey (http://www.theotherian.com/2013/07/creating-resource-filters-with-jersey.html)
Hope this will be helpfull for someone :)
This question already has answers here:
OAuth2.0 Server stack how to use state to prevent CSRF? for draft2.0 v20
(3 answers)
Closed 5 years ago.
I've implemented Google OAuth2 login for different Google services a couple times now, but never really thought about how the state token can be abused if no session token is included.
I understand the principles of CSRF and I've implemented my OAuth2 flows as described in https://developers.google.com/accounts/docs/OAuth2Login (with session token in the state token), I just don't see how an attacker can abuse this if the session token is not present.
Maybe it's related to what I do after a successful response from the Google consent page (I obtain refresh + access token, store them to a user specified in the state token and redirect to another page also specified in the state token), but how is it a problem otherwise?
I saw this answer in a related question, which explains how a CSRF attack can be done (and how the state token prevents it): https://stackoverflow.com/a/23640462/736247