How to inform OAuth2 API clients about missing credentials? - rest

I am building a REST API using Vert.x and would like to add OAuth2 authentication.
In my current setup unauthenticated requests are automatically redirected to the OAuth2 server (Keycloak) login page. This seems wrong when dealing with a REST API. Instead I would expect my REST API server to return a 401 and thus let the client deal with the process of getting the access token.
Is there a best practice for this use case? How should unauthenticated requests to protected resources be handled?

When an access token is missing you should return an HTTP 400. If the token is invalid it would have to be HTTP 401 as shown in https://www.rfc-editor.org/rfc/rfc6750#section-3.1:

3.1. Error Codes

When a request fails, the resource server responds using the appropriate HTTP status code (typically, 400, 401, 403, or 405) and includes one of the following error codes in the response:

invalid_request
The request is missing a required parameter, includes an unsupported parameter or parameter value, repeats the same parameter, uses more than one method for including an access token, or is otherwise malformed. The resource server SHOULD respond with the HTTP 400 (Bad Request) status code.

invalid_token
The access token provided is expired, revoked, malformed, or invalid for other reasons. The resource SHOULD respond with the HTTP 401 (Unauthorized) status code. The client MAY request a new access token and retry the protected resource request.

insufficient_scope
The request requires higher privileges than provided by the access token. The resource server SHOULD respond with the HTTP 403 (Forbidden) status code and MAY include the "scope" attribute with the scope necessary to access the protected resource.

If the request lacks any authentication information (e.g., the client was unaware that authentication is necessary or attempted using an unsupported authentication method), the resource server SHOULD NOT include an error code or other error information.

For example:

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Bearer realm="example"
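The decision logic behind the RFC 6750 section quoted above, written out as an added example (this is not code from the question, from Vert.x or from Keycloak). It is framework-neutral: the same function can sit inside a Vert.x route handler that reads the Authorization header and query string and writes back the status and WWW-Authenticate header. The realm name, the in-memory token table and the scope check are constructed stand-ins for real JWT validation or token introspection.

```python
"""Bearer-token resource-server responses per RFC 6750 section 3.1.

Added example; not code from the original question or from any framework.
REALM and _TOKENS are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

REALM = "example"  # assumed realm, as in the RFC example challenge

# Constructed token store: token -> (expired?, granted scopes).
# A real server would validate a JWT signature or call the introspection endpoint.
_TOKENS = {
    "good-token": (False, {"read", "write"}),
    "read-only-token": (False, {"read"}),
    "expired-token": (True, {"read", "write"}),
}


@dataclass
class AuthDecision:
    status: int
    www_authenticate: Optional[str] = None  # None: header is omitted (request allowed)


def _challenge(error=None, description=None, scope=None):
    """Build a WWW-Authenticate: Bearer challenge; attributes only when given."""
    parts = [f'realm="{REALM}"']
    if error:
        parts.append(f'error="{error}"')
    if description:
        parts.append(f'error_description="{description}"')
    if scope:
        parts.append(f'scope="{scope}"')
    return "Bearer " + ", ".join(parts)


def authorize_request(headers: dict, query: dict, required_scope: str) -> AuthDecision:
    """Decide the status and challenge for one request to a protected resource.

    headers: header names lower-cased; query: parsed query-string parameters.
    """
    auth = headers.get("authorization")
    query_token = query.get("access_token")
    header_token = None

    if auth is not None:
        scheme, _, rest = auth.partition(" ")
        if scheme.lower() != "bearer":
            # Unsupported authentication method (e.g. Basic): per the RFC, challenge
            # without an error code so the client learns that Bearer is expected.
            return AuthDecision(401, _challenge())
        header_token = rest.strip()

    # No authentication information at all: plain 401 challenge, no error code.
    if header_token is None and query_token is None:
        return AuthDecision(401, _challenge())

    # Token sent both in the header and the query string: invalid_request (400).
    if header_token is not None and query_token is not None:
        return AuthDecision(400, _challenge(
            "invalid_request", "more than one method used to include an access token"))

    token = header_token if header_token is not None else query_token
    if not token:
        # "Bearer" with nothing after it is a malformed request, not a bad token.
        return AuthDecision(400, _challenge("invalid_request", "malformed access token"))

    entry = _TOKENS.get(token)
    if entry is None or entry[0]:
        # Unknown, revoked or expired token: 401 invalid_token, client may refresh.
        return AuthDecision(401, _challenge("invalid_token", "token is expired or unknown"))

    _, scopes = entry
    if required_scope not in scopes:
        # Valid token, not enough privilege: 403 with the scope the resource needs.
        return AuthDecision(403, _challenge("insufficient_scope", scope=required_scope))

    return AuthDecision(200)


def render(decision: AuthDecision) -> str:
    """Render the status line and challenge header as they go on the wire."""
    reasons = {200: "OK", 400: "Bad Request", 401: "Unauthorized", 403: "Forbidden"}
    lines = [f"HTTP/1.1 {decision.status} {reasons[decision.status]}"]
    if decision.www_authenticate:
        lines.append(f"WWW-Authenticate: {decision.www_authenticate}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(authorize_request({}, {}, "read")))
    print(render(authorize_request({"authorization": "Bearer expired-token"}, {}, "read")))
    print(render(authorize_request({"authorization": "Bearer read-only-token"}, {}, "write")))
```

The point for an API client is the first branch: a request with no credentials at all gets a 401 and a bare `Bearer realm=...` challenge rather than a redirect to the login page, and the client then obtains a token on its own. Note that the distinction the answer draws between "missing" and "invalid" does not correspond to the RFC text it quotes: the 400 code is for malformed requests, and the absence of any credentials is the 401 case shown in the RFC's own example.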

Related

Url has been blocked by CORS policy SOAP

I am trying to connect to a SOAP service from the frontend.
Because of the "CORS policy blocked" error I am using Local Cors Policy, which is described here:
"https://www.npmjs.com/package/local-cors-proxy"
I can see that the request is getting proxied, so there are no errors there.
"Request Proxied -> /Servis/SiparisServis.svc"
But I am still getting this error:
"Access to XMLHttpRequest at 'https://www.myurl.com/Servis/SiparisServis.svc' (redirected from 'http://localhost:8010/proxy/Servis/SiparisServis.svc') from origin 'http://123.0.0.1:2300' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource."
Any solution?
I can provide my code if needed.

How can I work around a missing WWW-Authenticate HTTP header in Ktor Client?

I am using Ktor Client 1.6.0 to communicate with a backend REST API which I do not control. For authentication I am using Bearer https://ktor.io/docs/auth.html#bearer, but refreshTokens is never called because the 401 Unauthorized response does not contain the HTTP header WWW-Authenticate. The header is required to run refreshTokens https://github.com/ktorio/ktor/blob/main/ktor-client/ktor-client-features/ktor-client-auth/common/src/io/ktor/client/features/auth/Auth.kt#L46
Is it possible to somehow add this header manually before the referenced part of the code in Auth.kt is called?
Link to similar question in backend part https://developer.mongodb.com/community/forums/t/missing-http-header-www-authenticate/110569

Getting CORS policy error when trying to authorize a user in Keycloak using REST API

I'm trying to authorize a user in Keycloak using the REST API.
The API call is successful when I call the API from Postman, but when trying from the Angular app I get the error below:
Access to XMLHttpRequest at 'http://localhost:8080/auth/realms/realmname/protocol/openid-connect/token' from origin 'http://localhost:4200' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
Headers and body for the request are below:

What does `endpoint` exactly mean in OAuth?

I have seen the word "endpoint" many times in OAuth documents. However, I still don't know what this word really means. Does anyone have ideas about this?

The OAuth 2.0 Authorization Framework

The authorization process utilizes two authorization server endpoints (HTTP resources):

Authorization endpoint - used by the client to obtain authorization from the resource owner via user-agent redirection.

Token endpoint - used by the client to exchange an authorization grant for an access token, typically with client authentication.

It's basically the HTTP web address of the authentication server. It could be several server addresses, depending on how it is set up. The first is for requesting access from the user; the second could be for granting access to the application. This probably depends on how the authentication server is set up.

OAuth endpoints are the URLs you use to make OAuth authentication requests to the server. You need to use the correct OAuth endpoint when issuing authentication requests in your application. The primary OAuth endpoints depend upon the system you are trying to access.
For example, Google has two endpoints:
Request access of user:
https://accounts.google.com/o/oauth2
Exchange tokens:
https://accounts.google.com/o/oauth2/token

Facebook Server-Side Auth: Why does the access token request require a redirect uri?

In the server side auth flow, Facebook does not execute any redirects after the app requests the access token.
So why does the access token request require a redirect_uri parameter?
See section 4.1.1 of the OAuth 2.0 Spec.
redirect_uri is a required parameter when obtaining an access token.
From the spec:

The authorization server MUST:
Validate the client credentials (if present) and ensure they match the authorization code.
Verify that the authorization code and redirection URI are all valid and match its stored association.
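An added example that ties together the two related answers above, the one on the two authorization-server endpoints and the one on why the token request carries redirect_uri. It is an in-memory model written for this page; it is not Facebook's, Google's or Keycloak's code. The client registry, the URLs under auth.example and app.example, the code lifetime and all other values are constructed. The authorization endpoint issues a code bound to the client_id and redirect_uri it was requested with; the token endpoint then refuses the code unless the same redirect_uri is presented again, which is the "match its stored association" check quoted from the spec.

```python
"""Two OAuth 2.0 authorization-server endpoints (RFC 6749 sections 3.1 and 3.2)
modelled in memory to show the redirect_uri binding on the authorization code.

Added example; not code from any provider named on this page.
CLIENTS, CODE_TTL_SECONDS and the auth.example / app.example URLs are constructed.
"""
import secrets
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed client registry: client_id -> (client_secret, registered redirect URIs)
CLIENTS = {
    "app123": ("s3cret", {"https://app.example/callback"}),
}
CODE_TTL_SECONDS = 600  # authorization codes are short-lived

AUTHORIZATION_ENDPOINT = "https://auth.example/o/oauth2"  # assumed, like Google's /o/oauth2
TOKEN_ENDPOINT = "https://auth.example/o/oauth2/token"      # assumed, like Google's /o/oauth2/token


@dataclass
class AuthCode:
    client_id: str
    redirect_uri: str
    scope: str
    issued_at: float
    used: bool = False


def build_authorization_url(client_id, redirect_uri, scope, state):
    """The URL a client sends the user's browser to (authorization endpoint)."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": scope, "state": state}
    return AUTHORIZATION_ENDPOINT + "?" + urlencode(params)


def code_from_redirect(url):
    """Extract the authorization code from the redirect back to the client."""
    return parse_qs(urlparse(url).query)["code"][0]


class AuthorizationServer:
    def __init__(self):
        self.codes = {}  # code -> AuthCode (stored association)

    def authorization_endpoint(self, client_id, redirect_uri, scope, state):
        """Called after the resource owner consents; returns the redirect URL.

        The code is stored together with the client_id and redirect_uri it was
        issued for, which is what the token endpoint later matches against.
        """
        client = CLIENTS.get(client_id)
        if client is None or redirect_uri not in client[1]:
            # Never redirect to an unregistered URI: that would hand the code to an attacker.
            raise ValueError("unknown client_id or unregistered redirect_uri")
        code = secrets.token_urlsafe(24)
        self.codes[code] = AuthCode(client_id, redirect_uri, scope, time.time())
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token_endpoint(self, grant_type, code, redirect_uri, client_id, client_secret):
        """Exchange a code for an access token; returns (http_status, body dict)."""
        if grant_type != "authorization_code":
            return 400, {"error": "unsupported_grant_type"}
        client = CLIENTS.get(client_id)
        # Client authentication, compared in constant time.
        if client is None or not secrets.compare_digest(client[0], client_secret):
            return 401, {"error": "invalid_client"}
        stored = self.codes.get(code)
        if stored is None or stored.used or time.time() - stored.issued_at > CODE_TTL_SECONDS:
            return 400, {"error": "invalid_grant"}
        if stored.client_id != client_id or stored.redirect_uri != redirect_uri:
            # The spec's check: code and redirection URI must match the stored association.
            # Design choice here: a mismatch burns the code, since it signals an injected code.
            stored.used = True
            return 400, {"error": "invalid_grant"}
        stored.used = True  # single use; a replay is rejected above
        return 200, {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                     "expires_in": 3600, "scope": stored.scope}


if __name__ == "__main__":
    srv = AuthorizationServer()
    print(build_authorization_url("app123", "https://app.example/callback", "read", "xyz"))
    back = srv.authorization_endpoint("app123", "https://app.example/callback", "read", "xyz")
    print(srv.token_endpoint("authorization_code", code_from_redirect(back),
                             "https://app.example/callback", "app123", "s3cret"))
```

The redirect_uri on the token request is therefore not used to redirect anywhere; it lets the server confirm that the party redeeming the code is the one the code was delivered to. An attacker who obtains a code that was issued for a different redirect_uri cannot redeem it, even with a registered client_id.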