NFL has an api service. link: https://api.nfl.com/docs/getting-started/index.html
For making api calls we need an Oauth2 access token.
To generate it we need to hit /oauth/token endpoint with parameters client_id and client_secret in body.Now I cannot find any documentation on how to generate the client_id and client_secret.
Another way I found was to create a new user which just requires you to pass necessary parameters like username,password,etc and in turn gives a new access token.But doing this way also gives a unauthorized 401.
So I am doing it wrong.If someone has used this api in past , please do share how you did it.I also found another question here on the same topic link : How would I create an access token for the NFL Shield API? but it does not have any answer.I am sharing the links to two docs related to authentication.
https://api.nfl.com/docs/identity/oauth2/index.html
https://api.nfl.com/docs/identity/register/index.html
Related
Unable to retrieve ANY data when I try to fetch simple content from Archer via REST API calls through Postman or Mule.
1. Is URL below correct? What am I missing?
2. How to get Reports via Archer REST API i.e what API resource to use.
Have seen the Archer REST documentation but do not find it clear enough.
Have tried GET & POST, with Authorization configured, through Postman:
https://hostname/platformapi/core/security/login https://hostname/platformapi/core/content/123
https://hostname/RsaArcher/platformapi/core/content/123
I get 'Unauthorized: Access is denied due to invalid credentials.' error although I am told to have access.
Please suggest proper API call/path to be used and if any specific settings is to be made to retrieve data?
Archer version: 6.5
Note: Through POSTMAN and Mule, I have successfully consumed REST API from other secured applications. Struggling with Archer.
Thank you.
The documentation for Archer REST API was mentioned in a previous answer and seems to require a login into their site: https://stackoverflow.com/a/38511131/721855
This KB article shows examples on how to use the API from Powershell: https://community.rsa.com/docs/DOC-45643. It should be easy to adapt to Postman, Mule or whatever other language/tools.
I recently had the same issue. The company had anonymous authentication disabled on the api directory. The user account running postman must have access to the api directory. If you are still getting a 401, see if you anonymous access can be enabled to rule out other non-access related issues. If you are able to generate a security token when calling core/security/login when anonymous authentication is enabled, then you know the issue is that your account did not have access to the api directory. If you are not able to make the request successfully with anonymous authentication enabled, then you know the issue is likely with the way you've structured your REST call. Hope this helps!
Authentication to any Archer API is two step process. First you have to call an authentication resource or method. That will return a session token. You must then add that token to the request headers for subsequent requests. Your header would look something like this:
Authorization: Archer session-id=439C730FF83F68EFDC017ED705D9908E
Without this header, you'll get a 401 for any request other than an authentication request.
I am playing around with IBM Cloud Functions (OpenWhisk) and trying to setup authentication through OAuth with Facebook as the provider. I have setup an app with Facebook, I am able to successfully connect with this and fetch my token and I am able to verify this by fetching basic profile information (name and userID).
My problems starts when I enable OAuth in the IBM Cloud Functions API. I get a HTTP code 500 back from the call with very little information about what actually went wrong.
{"code":500, "message":"Oops. Something went wrong. Check your URI and try again."}
The only thing that is stated in the dashboard is:
You can control access to your API through the OAuth 2.0 standard. First require an end user to log in via IBM Cloud App ID, Facebook, GitHub, or Google. Then include the corresponding OAuth token in the Authorization header of each API request. The authenticity of the token will be validated with the specified token provider. If the token is invalid, the request will be rejected and response code 401 will be returned.
With this information I got that I need pass the token with the Authorization header. My best guess is that the call fails somewhere when the token is being validated.
I am using Vue and Vue-axios to perform the API call. My current call looks like this:
this.$http.get(API_URL+"?user_id="+localStorage.user_id,{headers :{'authorization':localStorage.token}}).then((response) => {
console.log(response);
});
I have tried adding bearer/Bearer or token/Token in front of the token (some posts I read indicated that you should do this), but this had no impact on the response.
If I disable the OAuth authentication from the Cloud Functions side, the code above works and correctly retrieves the data (with or without the header option).
From the Chrome Dev tools it looks to me like the token is added correctly to the request, since the request headers have the Authorization header with the token.
I am not that familiar with OAuth or IBM Cloud Functions, so the problem might have a very easy fix. However, I am unable to find documentation which clearly shows me how I am supposed set this up. I am also unable to find any logs or more information about what actually fails here. Am I missing something obvious here?
Kjetil
Say I have a website secured with IdenityServer3. It uses the implicit flow so users are asked for their credentials. Now I'm facing a requirement where this application should access multiple (Web)API's on behalf of the user. These API's are secured using roles.
How do I go about this? Do I get one access_token for all by adding "token" to the ResponseType of the OpenIdConnectAuthenticationOptions? Do I have to change the Implicit flow (to Hybrid?) and manually request access_tokens for each individual API and add those to the user's claims, after authentication?
I'm not sure on how to approach this. Any help would be greatly appreciated.
You can keep using Implicit flow and add "token" to reponse_type (so it becomes "id_token token"). That will give you access token as well. Additionally, you can specify any scopes that those APIs might require in order to include claims that might have to be present for API Authorize attribute to allow the call through.
Once you have the response from IdentityServer in your application along with access token, you call the api with that token in the Authorization header.
I was able to resolve my requirement by moving to a Hybrid flow. For the response type I ended up needing "id_token", "token" and "code". I also had to retrieve the user claims manually in a separate request and manually add them to the user's identity, because adding "token" besides the "id_token" would remove all claims from the server response (to keep the token smaller).
I have a website allowing authenticated users to submit and edit data. I also want to offer a REST API as part of a chargeable service.
Now the problem is that a non-paying user could theoretically use the same calls my website uses as API for authentication and sending data from his external application since it is very easy in the browser to see the endpoint what and how exactly the data is being sent to a website.
How can I protect my website from such usage and force the user to use API for external access?
Actually you cannot prevent people making requests to a public API. You can just validate the user when a request arrives. So there are more than one approach to solve this problem.
I would provide a token per session for each user and validate the rest API request at back-end.
Use OAuth2. So you will give paid user secret id and key then they will ask for the access token to access the API's using secret id and key.
Read about public/private key encryption https://en.wikipedia.org/wiki/Public-key_cryptography
Read about oAuth
https://oauth.net/2/
I have used passport to implement oAuth2 in laravel. passport is oAuth2 implementation and available in other languages also.
From couple of days, I am trying to access Custom made SharePoint Online List for CRUD Operation with the help of Rest APIs Endpoints using Postman, but all the time i am getting Access Denied Response in body.
I have got OAUTH Access Token with the help of Client Id, Client Secret, & Bearer Realm Token. I am also sending Access Token in Header, also i am given FULL-CONTROL Permission level by the SharePoint Admin.
Hope you got my point. Please let me know for any further Issue clarification.
Note :
List of Rest URL Endpoints I can Access are given below :
http://YourSite.sharepoint.com/_api/site/rootWeb/webinfos
http://YourSite.sharepoint.com/_api/web/lists
List of Rest URL End-Points I am not able to Access are :
http://YourSite.sharepoint.com/_api/web/lists/getbytitle('ListName')
http://YourSite.sharepoint.com/_api/web/lists/lists/getbytitle('listname')/items
THANKS IN ADVANCE