Generating an API Client with Swagger OpenAPI 3 with OAuth2 Client Credentials - openapi

I am using the Swagger OpenAPI 3.0.2 version for describing my API.
I built swagger-codegen 3.0.5 snapshot from the Swagger GitHub repo.
I want a Java client that will obtain the OAUTH2 token for a grant type of client_credentials. I want client credentials because this is one machine talking to another, I am not asking a user for their credentials. I have the following bit in my spec file:
securitySchemes:
  oAuth2ClientCredentials:
    type: oauth2
    description: Standard OAUTH2
    flows:
      clientCredentials:
        tokenUrl: my_token_url
        scopes: {}
security:
  - oAuth2ClientCredentials: []
I want a Basic Authentication header with the client ID and the client secret in the standard base64 encoding with the grant_type as a URL encoded form. This is pretty standard OAuth2 authentication.
I seem to sometimes get code for the OAuth authentication and sometimes not. The Python library has nothing for OAuth other than me providing the access token by hand. The Java library doesn't have it unless I ask for retrofit as the base library, but it generates a Bearer Authentication header rather than a Basic Authentication header. Retrofit2 doesn't even work; the handlebars template has an illegal character in it that handlebars barfs on.
So what do people do to get their access tokens when they have a client ID and a client secret? Do you craft the code to get the access token by yourself? Or is there some magic way of getting swagger-codegen-cli to generate the code for me, depending on the libraries that I use?
If anyone has managed to get swagger-codegen-cli to generate everything they need for OAuth 2 client credentials with an OpenAPI 3.0 specification, please let me know.
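The question has no posted answer. As an added example (my code, not from the question, from swagger-codegen or from any generated client library), this is the "get the access token yourself" step the question describes, done in Python rather than Java so that it runs stand-alone: a client_credentials POST with the client id and secret in an HTTP Basic header and grant_type as a URL-encoded form body, plus the caching a generated client would otherwise lack. The token URL https://auth.example.com/oauth2/token, the client id and the secret are assumptions, and FakeTokenEndpoint is a constructed stand-in for the real token endpoint so the block runs offline. One detail worth checking in any generated code: RFC 6749 section 2.3.1 requires the client id and secret to be form-urlencoded before they are joined with ':' and base64-encoded.

```python
# Added example (not from the question or swagger-codegen): obtaining an OAuth2
# token with grant_type=client_credentials, authenticating the client with an
# HTTP Basic header as RFC 6749 sections 2.3.1 and 4.4 describe. The token URL
# and the client id/secret used below are assumptions for illustration.
import base64
import io
import json
import time
import urllib.parse
import urllib.request


def basic_client_auth_header(client_id: str, client_secret: str) -> str:
    # RFC 6749 2.3.1: client_id and client_secret are form-urlencoded *before*
    # being joined with ':' and base64-encoded, so a ':' or '%' in the secret
    # cannot be confused with the separator.
    user = urllib.parse.quote(client_id, safe="")
    pwd = urllib.parse.quote(client_secret, safe="")
    return "Basic " + base64.b64encode(f"{user}:{pwd}".encode("ascii")).decode("ascii")


def parse_basic_client_auth(header: str) -> tuple:
    # Server-side inverse of the above; handy for checking what a client sent.
    scheme, _, encoded = header.partition(" ")
    if scheme != "Basic" or not encoded:
        raise ValueError("expected 'Basic <base64>'")
    user, _, pwd = base64.b64decode(encoded).decode("ascii").partition(":")
    return urllib.parse.unquote(user), urllib.parse.unquote(pwd)


def build_token_request(token_url, client_id, client_secret, scopes=()):
    form = {"grant_type": "client_credentials"}
    if scopes:
        form["scope"] = " ".join(scopes)  # OAuth2 scopes are space-separated
    return urllib.request.Request(
        token_url,
        data=urllib.parse.urlencode(form).encode("ascii"),
        headers={
            "Authorization": basic_client_auth_header(client_id, client_secret),
            "Content-Type": "application/x-www-form-urlencoded",
            "Accept": "application/json",
        },
        method="POST",
    )


class ClientCredentialsTokenSource:
    """Fetches an access token on demand and re-uses it until shortly before expiry.

    `opener` is any callable taking a urllib Request and returning a readable
    response (urllib.request.urlopen in production); `clock` is injectable so the
    expiry logic can be exercised without sleeping.
    """

    def __init__(self, token_url, client_id, client_secret, scopes=(),
                 opener=urllib.request.urlopen, clock=time.time, leeway=30):
        self._args = (token_url, client_id, client_secret, scopes)
        self._open, self._clock, self._leeway = opener, clock, leeway
        self._token, self._expires_at = None, 0.0

    def access_token(self) -> str:
        if self._token and self._clock() < self._expires_at - self._leeway:
            return self._token  # still valid, no round trip
        with self._open(build_token_request(*self._args)) as resp:
            data = json.load(resp)
        if data.get("token_type", "").lower() != "bearer":
            raise ValueError("unexpected token_type: %r" % data.get("token_type"))
        self._token = data["access_token"]
        self._expires_at = self._clock() + int(data.get("expires_in", 0))
        return self._token

    def bearer_header(self) -> dict:
        # What the generated API client should attach to each call it makes.
        return {"Authorization": "Bearer " + self.access_token()}


class FakeTokenEndpoint:
    """Constructed stand-in for a token endpoint so the example runs offline.
    It validates the Basic header and the form body the way a real server would."""

    def __init__(self, client_id, client_secret):
        self._expected = basic_client_auth_header(client_id, client_secret)
        self.calls = 0

    def __call__(self, req):
        if req.get_header("Authorization") != self._expected:
            raise PermissionError("invalid_client")
        form = urllib.parse.parse_qs(req.data.decode("ascii"))
        if form.get("grant_type") != ["client_credentials"]:
            raise ValueError("unsupported_grant_type")
        self.calls += 1
        body = {"access_token": "tok-%d" % self.calls, "token_type": "Bearer",
                "expires_in": 3600}
        return io.BytesIO(json.dumps(body).encode("ascii"))


if __name__ == "__main__":
    secret = "s3cret:with%odd/chars"  # assumed value; exercises the 2.3.1 encoding
    endpoint = FakeTokenEndpoint("my-client", secret)
    source = ClientCredentialsTokenSource("https://auth.example.com/oauth2/token",
                                          "my-client", secret, opener=endpoint)
    print(source.bearer_header())
    print(source.bearer_header())  # served from cache; endpoint.calls stays 1
```

Against a real authorization server, leave `opener` at its default (urllib.request.urlopen) and point `token_url` at the tokenUrl from the spec; keep one ClientCredentialsTokenSource per client so the token is reused until it is about to expire instead of being requested on every API call.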

Related

How do I properly auth with JWT to openapi UI for Quarkus / smallrye-JWT?

I have a Quarkus endpoint stood up. Secured by JWT and Roles.
It works in Postman. (Header <Authorization, Bearer ey……>)
I have looked and struggled and found I can’t do a typical #Header or #Parameter annotation exposing this Authorization header—it stomps out that precise value. “Authorization1” I can expose. But not “Authorization”.
I have got a jwt configuration option in the application.YML file. I now get an authentication “padlock” on the UI but whatever I enter there doesn’t get passed to the CURL command in “try it out” mode.
Has anyone solved this problem?
application.yml parts:
smallrye-openapi:
  ...
  jwt-bearer-format: JWT
  jwt-security-scheme-value: Bearer
  security-scheme: jwt
These images may be useful:
It's not really a bug. There is a configuration that you can specify in Quarkus that allows you to inject the JWT token into each request from Swagger.
There is some work that you need to do in order to accomplish this simply because Swagger will not know beforehand how to read the JWT token and how to reuse it for subsequent calls.
Below is one method that you can use in order to make Swagger calls work in a Quarkus project.
There are a few things to unpack here.
Caveat
This has been tested to work with Quarkus 2.0.1.Final. Older versions of Quarkus use an old version of SmallRye that has a bug in it when rendering the request interceptor.
1. Use the configuration quarkus.swagger-ui.request-interceptor in Quarkus to inject the JWT token into the request headers of Swagger. This value goes into your application.properties. (Do modify this configuration to suit yml files.)
quarkus.swagger-ui.request-interceptor=function(req){var authToken=sessionStorage.getItem('authenticationToken');if(authToken){req.headers['Authorization']='Bearer '+authToken;}return req;}
2. Now go to your Swagger UI and log in using the login endpoint that you use. This will return the JWT token. Go to the browser and input the value into your browser's Session Storage under the key 'authenticationToken'.
3. Now when you hit any endpoint that you want to test, Swagger will use the request interceptor (defined in 1) to inject the JWT from your browser's session storage and your calls will work.

WSO2-AM 3.2.0 - OAuth token - Hash type

I'm making a request to WSO2-AM to get the OAuth token to access the API published in the API Manager on behalf of the user. Everything is working with the big string returned in access_token, but I'd like to use the short version, which is probably encoded.
Request:
curl -X POST -H 'Content-Type:application/x-www-form-urlencoded' \
  -u '<consumer-key>:<consumer-secret>' -k \
  -d 'grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&assertion=<id_token>' \
  https://<apim>:8243/token
Response:
{"access_token":"eyJ4NXQiOiJNell4TW1Ga09HWXdNV0kwWldObU5EY3hOR1l3WW1NNFpUQTNNV0kyTkRBe
lpHUXpOR00wWkdSbE5qSmtPREZrWkRSaU9URmtNV0ZoTXpVMlpHVmxOZyIsImtpZCI6Ik16WXhNbUZrT0dZd01XSTBaV05
tTkRjeE5HWXd....bZ-CD_r-2qkypeER7f8QMrLpozRipgHeCkpIKXx5PzSM6zBq5VjMW4EXSRg7LSu0JAJfD2UD6H4bqAiZPNiGy9vTLXc
Zr4g8WNzfKkr...
-hiAOt4SauSZxB1WWCFEZ0xyHVhbx7nAFzBVzfssF0DOYGXkc9hRJZGbG8VfiXb6PWtSfEjqJTSSY_aZWXw",
"refresh_token":"d3062fa0-1132-3532-b1b2-83c3c66136ff","token_type":"Bearer","expires_in":3600}
Expected:
{"access_token":"400f2a54-53d8-3146-88e3-be1bf5e7450d",
"refresh_token":"c2656286-449f-369f-9793-2cee9132de9f",
"scope":"default","token_type":"Bearer","expires_in":3600}
What am I doing wrong that it is not returning the short one?
I assume that the access_token you expect is the Opaque (Reference) Access Token described in this WSO2 API Manager 3.1.0 documentation: Secure APIs using OAuth2 Opaque(Reference) Access Tokens.
But, according to the release notes, from WSO2 API Manager 3.2.0 they removed this type of access token:
Out-of-the-box support to generate an opaque access token via the Developer Portal has been removed. Application Developers can create applications that only generate a JWT type access tokens.
So the big string you get is nothing more than the JWT token described here in the documentation: JWT (Self Contained) Access Tokens, which you can decode on the jwt.io site.
You can decode your long JWT from https://jwt.io/ and get the JTI value of it as the short one which will look similar to 400f2a54-53d8-3146-88e3-be1bf5e7450d.
Refer to the example shown below.
As you were referring to the short token: it is the opaque token, and in APIM 3.2.0 it is not shown while you are creating the Application. You can get the default (opaque) token via the WSO2 Carbon management console.
Change Token Issuer to Default from JWT in the ISP list for the particular Application that you need to use.
Where I am generating opaque (Short) Token in APIM 4.0.0

Accessing a Kerberos-enabled REST service using Karate

I am trying to set up the Karate test framework for our new project. We will be enabling Kerberos authentication for our REST microservices. Can you please tell me if Karate supports Kerberos authentication?
Most projects are able to call a normal HTTP end-point and get a token from it which will be used as an auth header. So look for the OAuth and header authentication demos / in the documentation.
Otherwise, take a look at this approach: https://stackoverflow.com/a/51150286/143475 - so it is possible for you, with a little extra work, to call into some .NET code, for example, which you can design to give you the headers / tokens you need.

Identity Server 4 issued JWT Validation failure

I have an Identity Server running based on IdentityServer 4 (.Net Core v2) targeting the full .Net framework, and I have an ASP.NET WebAPI built against ASP.Net Web API 2 (i.e. NOT .Net Core) that is using the Identity Server 3 OWIN middleware for token authentication.
When running locally, everything works just fine - I can use Postman to request an Access Token from the Identity Server using a RO Password flow, and I can then make a request to the WebAPI sending the token as a Bearer token - all works fine.
Now, when everything is hosted on our test servers, I get a problem when calling the WebAPI - I simply get an Unauthorized response. The token returned from the Identity server is ok (checked using http://jwt.io), but validation of the JWT is failing in the WebAPI.
On further investigation, after adding Katana logging, I see that a SecurityTokenInvalidAudienceException is being reported.
Audience validation failed. Audiences:
'https://11.22.33.44:1234/resources, XXXWebApi'. Did not match:
validationParameters.ValidAudience: 'https://localhost:1234/resources'
or validationParameters.ValidAudiences: 'null'
Looking at the JWT audience, we have:
aud: "https://11.22.33.44:1234/resources", "XXXWebApi"
In the WebAPI Startup, I have the call to
app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
{
    Authority = , // path to our local ID Server
    ClientId = "XXXWebApi",
    ClientSecret = "XXX_xxx-xxx-xxx-xxx",
    RequiredScopes = new[] { "XXXWebApi" }
});
So the JWT audience looks ok, but it's obviously not matching with what is supplied by the middleware (built from the IdP discovery endpoint). I would have thought that because I am specifying the RequiredScopes to include XXXWebApi that would have been enough to match the JWT's audience, but that seems to be ignored.
I'm unsure what to change in the WebAPI authentication options to make this work.
EDIT: I changed the WebAPI Token auth options to use the validation endpoint, and this also fails in the IdentityServer with the same error.
If I call the Identity Server introspection endpoint directly from Postman with the same token though, it succeeds.
Ok, so after a lot of head scratching and trying various things out I at least have something working.
I had to ensure the Identity Server was hosted against a publicly available DNS, and configure the Authority value in the IdentityServerBearerTokenAuthenticationOptions to use the same value.
That way, any tokens issued have the xx.yy.zz full domain name in the JWT audience (aud), and when the OWIN validation middleware in the WebAPI verifies the JWT it uses the same address for comparison rather than localhost.
I'm still slightly confused why the middleware can't just use the scope value for validation, because the token was issued with the API resource scope (XXXWebApi) in the audience, and the API is requesting the same scope id/name in the options as shown.
As far as I understand your WebAPI project is used as an API resource.
If so - remove the 'clientId' and 'clientSecret' from the UseIdentityServerBearerTokenAuthentication, keep the 'RequiredScopes' and the authority (you may also need to set ValidationMode = ValidationMode.Both).
You need them, when you are using reference tokens. From what you've said - you are using a JWT one. Check here, here and here.

JWT and KONG with custom authorizations

I went through this tutorial on KONG
https://getkong.org/plugins/jwt/
I have an understanding of JWT and authorization concepts. I have prototyped JWT with Spring Boot where I could put my own key value like this {"authorizations":"role_admin, role_user"}.
It is easy to do that in Spring Boot but I am not able to find information on how to do this with KONG. Anyone has any info about it?
Kong Community Edition can handle only the authentication process (give or deny access to a customer).
The authorization process (what a given customer can do in your application) is handled by your application or by the https://getkong.org/plugins/ee-oauth2-introspection/ OAuth2 introspection plugin, which is Enterprise Edition only.
You can write your own authorization based on the X-Consumer-Username request header, if the user passed authentication, or on the original token header proxied by Kong.
Hope this helps.
The kong jwt plugin does not support sending custom payload parameters to the upstream api. It does however seem like you can use this plugin (I have not tested it):
https://github.com/wshirey/kong-plugin-jwt-claims-headers
Update:
If you set Kong to forward all headers you'll get the raw Authorization header with the jwt token. So you could base64 decode the jwt token and pull out the claims/payload parameters you need manually in your service.
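As an added example (my code, not from any of the answers above and not Kong's, WSO2's or IdentityServer's own code), this block shows the decoding step the Kong update and the WSO2 answer both describe and the check the IdentityServer question was failing: pull the JWT out of a forwarded Authorization header, base64url-decode its payload, read the short `jti` (the WSO2 case), read a custom claim such as `authorizations` (the Kong case), and match `aud` whether it is a string or a list (the IdentityServer case). Decoding is not verification: the service only trusts the claims when the gateway reports an authenticated consumer, which assumes the service is reachable only through Kong. The token payload, the header names and the `authorize_request` policy are constructed for illustration; the sample token is unsigned (`alg: none`) purely so the block runs offline.

```python
# Added example (not from any of the answers above): reading claims out of a
# JWT that an upstream component already issued or verified. Constructed sample
# claims; the authorization policy in authorize_request is illustrative only.
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_jwt_unverified(token: str) -> tuple:
    """Return (header, payload). This does NOT check the signature: only call it
    on tokens a trusted gateway or library has already validated."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected compact JWS: header.payload.signature")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    return header, payload


def bearer_token(authorization_header: str) -> str:
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        raise ValueError("expected 'Authorization: Bearer <token>'")
    return token.strip()


def audience_matches(payload: dict, expected: str) -> bool:
    # 'aud' may be a single string or a list (RFC 7519 section 4.1.3)
    aud = payload.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    return expected in aud


def roles_from_claim(payload: dict, claim: str = "authorizations") -> list:
    # Accept both the comma-separated string from the Kong question and a JSON list
    raw = payload.get(claim, [])
    if isinstance(raw, str):
        raw = raw.split(",")
    return [r.strip() for r in raw if r.strip()]


def authorize_request(headers: dict, required_role: str, api_audience: str) -> tuple:
    """Constructed authorization decision for a service behind Kong: trust the
    claims only if Kong reported an authenticated consumer (assumes the service
    is reachable only through the gateway, so clients cannot set that header)."""
    if "X-Consumer-Username" not in headers:
        return False, "not authenticated by the gateway"
    try:
        _, claims = decode_jwt_unverified(bearer_token(headers.get("Authorization", "")))
    except ValueError as exc:
        return False, str(exc)
    if not audience_matches(claims, api_audience):
        return False, "audience mismatch: %r" % claims.get("aud")
    if required_role not in roles_from_claim(claims):
        return False, "missing role %s" % required_role
    return True, "ok (jti=%s)" % claims.get("jti")


def make_sample_token(payload: dict) -> str:
    # Constructed, unsigned test token ('alg': 'none') purely to exercise the
    # decoders offline; a gateway must never accept one of these.
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}."


if __name__ == "__main__":
    token = make_sample_token({
        "jti": "400f2a54-53d8-3146-88e3-be1bf5e7450d",   # the "short" id WSO2 users want
        "aud": ["https://11.22.33.44:1234/resources", "XXXWebApi"],
        "authorizations": "role_admin, role_user",        # custom claim from the Kong question
    })
    _, claims = decode_jwt_unverified(token)
    print("jti:", claims["jti"], "roles:", roles_from_claim(claims))
    print(authorize_request({"X-Consumer-Username": "alice",
                             "Authorization": "Bearer " + token},
                            "role_admin", "XXXWebApi"))
```

Real web frameworks expose headers case-insensitively; the plain dict here is only for the stand-alone run. The `aud` comparison also makes the IdentityServer failure concrete: a token issued for `https://11.22.33.44:1234/resources` will never match a validator configured with `https://localhost:1234/resources`, which is why the Authority on both sides has to agree.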