Currently, I can able to connect with strophe by giving jid and password in Angular project. But by giving jid and password is not safe. Instead of giving jid and password, is there any other way like JWT simple authentication? Ejabberd is hosted in local system with Windows OS.
I am looking for token based login.
this._xmppConnection = new Strophe.Connection("http://localhost:5280/bosh/", { 'keepalive': true });
this._xmppConnection.connect(jid, password, this._onConnect);
// working one
I am looking for connecting strophe using JWT token. Is there such support in ejabberd?
#sahal You can achieve that using other mediums of authentication eg. OAuth token
Generate OAuth token for user using ejabberd api.
endpoint: /api/oauth_issue_token
sample: curl -H "X-Admin: true" -X POST -u admin_jid:pass -d '{"jid": "user_jid", "ttl": 3600, "scopes": "connected_users_number;sasl_auth"}' http://ip:port/api/oauth_issue_token
While creating strophe instance pass option mechanisms as [Strophe.SASLXOAuth2]
While connecting replace password with your oauth token eg. connection.connect(jid, ejabberd_oauth_token)
Related
I want to connect to SharePoint by using username#company.com and password instead of client id and client secret. Do I need to get any authorization for my ID? If yes, how to get? I know the process for fetching authorization for client ID and client secret.
In this URL: https://{tenant}.sharepoint.com/sites/{sitename}/_layouts/15/user.aspx
I add my user id and password with permission levels as "Full control".
But in this URL: https://{tenant}.sharepoint.com/sites/{sitename}/_layouts/15/appprincipals.aspx
I am able to see only client id and client secret. Not my user id.
When I send POST request using Postman it is giving me "error": "unsupported_grant_type".
Postman Inputs:
POST https://accounts.accesscontrol.windows.net/{tenant_id}/tokens/OAuth/2
Headers
Content-Type : application/x-www-form-urlencoded
Body (x-www-form-urlencoded)
grant_type: password
username: username#company.com
password: password
resource:00000003-0000-0ff1-ce00-000000000000/{tenant}.sharepoint.com#{tenant_id}
SharePoint rest api does not support "Password Grant Flow". You can either use "Client Credentials Flow" or "Implicit Flow".
If you want to allow users to use their username & password, Use implicit flow.
NOTE: User will always require to sign in to get access token. You can not simply pass username and password with post request.
Here is the complete guide for configuring azure ad app for implicit flow : https://frankchen2016.medium.com/how-to-access-the-spo-rest-api-using-implicit-authentication-flow-40d65750554f
As a newbie of Keycloak, I try to configure a client with a "Password" grant type. I know that this is not the preferred solution in most cases.
I created a realm 'realm2' with a client 'myclient2' and a user.
When trying to get the token with Postman, I get this error:
{
"error": "unauthorized_client",
"error_description": "Client secret not provided in request"
}
When I add the client_secret, I get the token. I tried to provide a username and password and no secret.
Via the Keycloak user interface I can also login as 'johan' in the 'realm2'.
This is my request in Postman:
In Keycloak I configured the 'realm2' with no special properties set:
The client 'myclient2' is:
I can see on the Credentials tab of the client:
I configured 1 user in the realm2 with just 'password' as a password:
How can I configure my Keycloack settings so I don't need the 'secret' but the username and password?
You could disable authentication for the client, making it public. You can do this by turning off "Client authentication" under the settings tab of your client.
EDIT: I just realized your keycloak version seems different to mine. This configuration is likely under the Access Type selector in your settings tab, by changing it from confidential to public
#Haf answer is right to the point; TL;DR: In the client Access Type dropdown menu select public instead of confidential.
Nonetheless, I want to add a bit more information behind the scenes since you stated that:
As a newbie for Keycloack I try to configure a client with a
"Password" grant type.
First, you should know that Keycloak implements OpenID Connect, which
is a simple identity layer on top of the OAuth 2.0 protocol.
According to the OAuth 2.0 protocol clients can be either confidential or public.
The main difference relates to whether or not the application is able
to hold credentials (such as a client ID and secret) securely.
Regarding the confidential clients:
Because they use a trusted backend server, confidential applications
can use grant types that require them to authenticate by specifying
their client ID and client secret when calling the Token endpoint.
Armed with this knowledge you can easily figure it out how to create a client that will not have a client secret.
i create a DB2 service in IBM cloud and i read that i can access at my db via REST.
so, i try to connect using this:
curl -k -X POST 'https://MY_DB_URL/dbapi/v4/auth/tokens'
-d '{"userid":"MY_SERVICE_USER", "password":"MY_SERVICE_PASSWORD"}'
and the response is always:
{"trace":"TRACE_CODE","errors":
[{
"code":"invalid_parameters",
"message":"HWCSEC0012E: The credential is invalid! For regular credentials, both the user name and password are required. For IAM API key or token credentials, they mustn't be empty.",
"target":{"type":"","name":""},
"more_info":""
}]
}
i really don't know how to solve that.
docs:
https://cloud.ibm.com/apidocs/db2-on-cloud#request-a-new-access-token
https://developer.ibm.com/static/site-id/85/api/db2whc/
i solve. they want in header
{Content-Type: text/plain}
it's not make sense, the body is a json...
I added a custom OIDC Identity Provider to my realm and i want to use the Direct Access Grants flow (or grant_type=password) but this doesn't work.
Is it possible with Keycloak?
When try with Authorization Code flow every thing works fine but with
grant_type=password the error
{
"error":"invalid_grant",
"error_description":"Invalid user credentials"
}
is returned.
I'm trying to get the access token e the refresh token doing the following request:
$ curl -X POST 'http://localhost:8080/auth/realms/master/protocol/openid-connect/token'
-H 'content-type: application/x-www-form-urlencoded'
-d 'grant_type=password'
-d 'client_id=test-client'
-d 'client_secret=834a546f-2114-4b50-9af6-697adc06707b'
-d 'username=user' // valid user in custom Identity Provider
-d 'password=password' // password in custom Identity Provider
And this is the Identity Provider configuration:
this is the Identity Provider configuration
Please have a look below curl command
curl -X POST -k -H 'Content-Type: application/x-www-form-urlencoded' -i 'https://135.250.138.93:8666/auth/realms/<Realm-Name>/protocol/openid-connect/token' --data 'username=<userName>&password=<Password>&client_id=<Client-ID>&grant_type=password&client_secret=7df18c0d-d4c7-47b1-b959-af972684dab0'
In above command you have to provide these details
Realm-Name - Realm name against which you want token
userName - You should have a user which can access the above realm
Password - Password for above user
Client-ID - Client Name(Generally its a String Value) under the
Client-Secret - Client secret of above client which you can find [Realm->Client List->Select the client->Credential tab]
I was also stuck with this issue as well. In the beginning I also suspected that it looked like a bug. However, the turning point is that I tried with the master realm and the client_id=admin-cli with my admin user. I can retrieve the token with grand_type=password. It's just failed for my own realm and client_id like reported here.
I figured out my issue is that the user I used wasn't activated after I tried to login into my realm's console(eg: http://localhost:18080/auth/realms/quarkus-workshop-labs/account/). I need to reset my password, so it can be finally activated. Then the password grant_type just starts to work.
(note that by default, your new created user needs to reset password before it can use.)
Keycloak doing below validations before the DirectGrant auth flow.
username
password
otp (if configured)
if the user is enabled
if the user is locked due to brute force direction (only if it's enable)
You can customize this in Authentication -> Flows and select Direct grant flow.
For example you can disable Direct Grant - Conditional OTP to genarate token without checking otp.
Yes it is possible.
You need to enable/Grant Direct access in Keycloak settings for the particular client.
You need to set a client with test-client and the user should be available in the realm. Though cannot get what you wanna achieve with this 🧐
I got exactly same scenario it looks like a bug to me. I had to unlink the account from IDP, set the password and remove pending user actions. It is not a solution but in my case was ok as I needed only test user account for API tests and don't have that scenario on production.
I was able to use DAG if I set the (automatically provisioned) user's password in Keycloak to something and with that password I was able to get the token from the external iDP. I used this to investigate an Okta token. Hope this helps.
I think this is actually the right answer: answer.
To summarize: You can't do exactly what you requested, because Keycloak is not storing the password in DB, so password grant type flow is not valid for this user.
The alternative is to use Token Exchange feature that allows you to login to OIDC directly and use it's access token to retrieve keycloak access token.
There is an example code in the linked answer.
I am working on an iPhone app in which I am using github api.
To access github I am using Oauth with web application flow. Means First It opens login screen then I give username & password.
But now I want to use OAuth with password grant type. It means I want to access directly with providing username & password in request URL, (No separate login screen).
How its possible? Can anybody help me ?
As described on github developer documentation for Non-Web Application Flow you will need to create a new authorization.
Example:
curl https://api.github.com/authorizations \
--user "put_username_here" \
--data '{"scopes":["user"], "client_id":"your_client_id", "client_secret":"your_client_secret}'
This will prompt you for github password and return oAuth token as a response.
For information on how to do HTTP basic authentication on iPhone, check this link.