How to get the response body during a Selenium UI test run - rest

Scenario: Grab the authToken after a login.
Pseudo code | Steps :
Login via UI ( selenium )
grab the authToken via Rest.
Note :
I know how to do this completely via RESTassured or Postman but what would be a good approach to handle this during an automated UI test run.
It's easy to do it manually via Chrome Dev tools but using Java - it's a little bit challenging.
Any help would be nice.

If you have the auth token in the cookie then you can use the below.
# update auth_token below with the correct cookie name
authToken = driver.get_cookie('auth_token')['value']

You can fetch out the token value from the client side. It can be in cookies, local storage or the session storage
Check these value in browser. Open developer tool -- Go to application tab and on the left menu u can find these values for each website
or
Try following js command in the browser console
window.document.cookie
window.localStorage
window.sessionStorage
if u can find your token via any of the above js command , use can use them in selenium.

Related

What is the workflow for a basic Auth OIDC with Keycloak

I have keycloak on docker (v20.0.2) and as you know some versions change some or good part of the UI, so is hard to follow tutorials around the web...
I am trying to follow this particular tuto
https://developers.redhat.com/blog/2020/11/24/authentication-and-authorization-using-the-keycloak-rest-api#keycloak_sso_demo
that seems the more updated. My keycloak is actually behind traeffic and thomseddon/traeffic-fordward-auth with a docker-compose file (but the connection through traeffic is good and I have acces to admin UI)
So on step 10 of the tutorial things change for me, I have to look for that particular view inside:
Click on lateral menu Client Scope
Click on button Create client scope
Give a name to the scope, and click on Tab Mapper
All mappers are predefined... so there is no "New mapper" don't understand this bit
then just follow the tuto
With that series of steps I get an error when retriving the token...
https://keycloak:8443/realms/education/protocol/openid-connect/token
enter image description here
(this are fake local data from the realm I created for testing)
that responds with a or something similar I have also tried to change the grant_type to password, and the same happens can not query the token....
{
"error": "invalid_client",
"error_description": "Invalid client or Invalid client credentials"
}
But if I do not link a user with an scope/role as in the tuto suggest then I get the token, but of course I want to use the role or scope to limit who can see which endpoint and who can not
Any step that I'm missing from this update, do you have the same error?
Thank you in advance
I have tried to run it with different combinations of options to see if there is a toggle that actually allows me to fetch the token
Also with different types of grant_type
I will build an API in Python (I don't know Java and prefer Json instead of XML) that connect to this keycloak to allow users or not based on their scope/role/permission or something
I need to be able to block user so if user Student try to access an url from another Student he get blocked that url. So is based on the role or scope or I don't know which is prefered or easer to accomplish, the mission is to block users or not based on a factor that could be used for this in keycloak.

Keycloak URL fragments do not disappear when logged in

Keycloak inserts session_state, state and code in url fragment params.. sometimes after successful login these remain on the url...
Or, when alternate routes are clicked in the app, these appear again.
Unnecessarily exposing the internals of keycloak params to users.
Is there some solution to not have these appear or delete them?
e.g. http://localhost:3000/home/#state=e625140e-c4f9-4500-858e-32c80e89f8a9&session_state=445229c3-d7eb-46e9-bfba-3339253dd17e&code=af0abde4-a60d-4f34-a101-8db5c76546b9.445229c3-d7eb-46e9-bfba-3339253dd17e.59915134-a59b-4ffb-878a-d02e7e84f2dd
Update:
with more tests narrowed down the issue to occur when
anything on the keycloak instance is touched. e.g. keycloak.token
any function call of keycloak is invoked... then after that these params get added and removed for every url route thereafter...
e.g. await keycloak.updateToken()
Keycloak Sever and js lib Version : 9.0.2
It is not a Keycloak issue. That's how used login flow works (maybe you need different flow, which will be more suitable for your use case). Your app code (used OIDC/OAuth library) should "clean" URL fragments. Cleaning can be: exchange code for the token (in this particular case), remove URL fragments, clean browser history, etc.

Facebook Javascript API "This authorization code has been used" on quick screen refresh (F5 or COMMAND+R)

I'm using the Facebook Javascript API for login in conjunction with the official Facebook PHP SDK on my server to execute the two following lines of code:
$helper = $fb->getJavaScriptHelper();
$accessToken = $helper->getAccessToken();
With the token, I'm further able to execute this code which gets the necessary details I need on the server:
$fb->setDefaultAccessToken($accessToken);
$response = $fb->get('/me?locale=en_US&fields=name,first_name,last_name,email,gender');
If I refresh the webpage I'm working with and let it fully load everything works correctly and I'm able to print to screen all of the details I get back in $response.
The problem I'm having, however, is that if I quickly refresh the screen (either by hitting F5 on Windows machines or COMMAND+R on Macs) before the Facebook javascript code executes I get the following thrown error from the Facebook API:
"This authorization code has been used"
How do I avoid this? Do I wrap the Facebook code on the client side in a jQuery document ready function? I hesitate to do that because I've been told that the Facebook Javascript code is good to go as a stand-alone script that is intelligent enough to know when the document is loaded.
I'm about ready to throw in the towel and just code a manual login process that totally bypasses the Facebook Javascript API. Thanks for your help.
Put the access code into a $_session['access_token'] and then redirect to another page to get the data.
Login Page
Callback Page (save into the session variable)
Working Page (work with the session variable)
See more: https://benmarshall.me/facebook-php-sdk/#example-login

Throwing 404 error with the authoriseUrl generated from GetRefreshToken

I am trying to create a sample project which consumes DFP services.
Till now :
Still in authentication part :
a) Successfully created clientId, while creating new Client Id have checked installed apps options in the Google developer console.
b) Added the clientId, clientSecret to ads.properties .
Note : Took dfp-axis-jars-and-examples-2.2.0.tar and making my changes in it[by importing project in IDE].
c) I ran into trouble while trying to paste the authoriseUrl in the browser after running GetRefreshToken.
Please find below the error :
"The redirect URI in the request: urn:ietf:wg:oauth:2.0:oob can only
be used by a Client ID for native application. It is not allowed for
the 'WEB' client type. You can create a Client ID for native
application in the Credentials section of the Google Developers
Console."
I believe I have selected the wrong applicationType while creating new ClientId .
Appreciate inputs .
The above answer did not make much sense at first glance but, I have resolved this issue by simply setting a value for redirectUri. So inside of my GetRefreshToken.php file
$redirectUri = "http://same_url_as_the_one_listed_in_console";
After closing looking at the authoriseUrl, it seemed I was sending the wrong redirectUrl.
I forgot to copy paste the redirectUrl generated from the creation of client id in the GetRefreshToken callback property:
private static final String CALLBACK_URL = "https://www.example.com/oauth2callback";//"urn:ietf:wg:oauth:2.0:oob";
No error now :).

WebClient.UploadData error: (401) Unauthorized

I'm getting this error... What is puzzling me is the fact that i do not have any type of security enabled for the page i'm invoking...
WebClient myWebClient = new WebClient();
myWebClient.UploadData(myUrl,"POST", myByteArray);
When i access directly to the page ( on ie ) it works fine, with the WebClient it's not working.
Anyone has a clue on what can be wrong?
IE supports integrated security, which will use your current login credentials as the username and password, so you don't have to manually enter it.
If you are using IE, use Firefox and see if you are prompted for a username and password. Or, in IE, you can go to Tools, Options, Advanced, and uncheck Integrated Windows Authentication.
Most likely, you'll have to configure the web application to support anonymous access, or you'll have to implement security in your WebClient.
If you are struggling to get to the bottom of it Fiddler might shed some light. You will have to manually edit your code to go through the Fiddler proxy, but once that's done you can compare the IE result to the code one.