When I'm requesting a token from keycloak I want a specific header value (or extra form data) that was supplied in the request to be put in the JWT payload of the generated token. I've tried using a Script Mapper to get access to header values but I can't see how to get access to header values or data in the form data sent in any of the available script variables: user, realm, userSession, keyclockSession.
You can get access to request headers using keycloakSession object, something like
keycloakSession.getContext().getRequestHeaders().getRequestHeader("User-Agent")
If you check the code for DefaultEvaluationContext class, that is how they add the User-Agent header.
Related
I have a use case where we must pass username, password, grant_type, client_id, and client_secret via form-data in Azure Data Factory Web Activity.
Concatenating keys and values in the request body returns the below error. I am using the POST method and below is the header information.
Use post method in your web activity and provide your credentials under body.
grant_type=client_credentials&client_id={your client id}&client_secret={ client secret}&scope=API
Hello Pentaho Experts,
I am attempting to make a REST API call through REST Client in Pentaho. I have a Api key for authentication. I tried it in Postman, and it works perfectly fine, but Pentaho throws 403 status code. Below is the postman screenshot:
My Pentaho transformation contains two steps. I am passing URL through "Generate Rows" step and then adding Key and Value in the Header:
Generate Rows:
Rest Client (General):
Rest Client (Header):
Any idea what I might be missing here? Expected output is JSON.
I can't speak to the use of passing key/value in Header for authentication, but what has worked for me is to use the Authentication tab to input my credentials or passing an Authentication header with a bearer token.
Authentication Tab:
I use this method to generate and return a bearer token from the API. The token is then used as the authentication method in subsequent steps. The "body" includes the scope (i.e.: "reports:read") and grant type ("client_credentials"). The "header" contains the value "application/x-www-form-urlencoded".
Authentication Header:
Once a token has been returned from the API, this can be provided in an "authorization" header. Prepend "bearer" to the token value and pass this in the header tab.
I would also recommend looking at the Headers being passed in Postman to ensure you are not missing anything else that might be happening in your call.
I have Play with Silhouette authentication and authorization configured using the JWTAuthenticator. This authenticator works by reading the X-Auth-Token header, which is a jwt, to identify user in every request. This works fine for REST endpoints.
Now I have images that only owners should be able to access it, and I would like to use those in background-image css property (this is a requirement). In such scenario I'm not able to set the request header hence the request will be denied.
The next natural step is to embed the token in the background-image url itself as an url parameter. However I don't know then how to proceed at the server side. How can I tell the JWTAuthenticator to use the token in the url if not X-Auth-Token header is present?
Ok, I'm sharing here my founds so hopefully this can help others. While digging into silhouette code I found that we can easily configure from which part(s) of the request (header, query string, ...) we want to read the token. By default the jwt token is read from the X-Auth-Token header, but we can configure the JWTAuthenticator to read the token also from a query string variable:
val config =
configuration.underlying
.as[JWTAuthenticatorSettings]("silhouette.authenticator")
// this is the important line of code
.copy(requestParts = Some(Seq(RequestPart.Headers, RequestPart.QueryString)))
new JWTAuthenticatorService(config, None, encoder, idGenerator, clock)
Now if you want to use a protected asset behind a controller with a silhouette.SecureAction then you just need to add the X-Auth-Token as query string parameter to the url:
.my-class {
background-image: url("/image?X-Auth-Token=........")
}
I have stored a custom claim the IdToken and I send the whole token into the graphql interface using a custom header called "customs". How can I decode it to an object in a resolver and get the value of the claim?
I have tried this:
#set($myClaim=$context.request.headers.get('customs').myClaim)
I didn't expect this code to work, because the header is encoded, but I saw it in an example and I post it here so you can get a picture of what I am trying to do.
The API:
There is a public API available at https://interviewer-api.herokuapp.com/ that you can use to manage your finances in a very simple way.
The API has 2 endpoints:
/login gives you a token which you need to use in subsequent calls to the API in the Authorization header. Every call returns a new token with some initial transactions and balance.
/balance gives you your current balance along with a currency code.
So what I want to do is that I am sending a POST request for 'login' and getting a token as response. Now I want to use this TOKEN in my next request for 'Balance' as a Header.
So is there a way in SOAP UI and POSTMAN by which I can capture the response and then automatically store it as a header for the next requests so that I do not have to manually do it again and again.
You should do the following:
Execute your /login request to get the token
In the tests sections, do:
var body = JSON.parse(responseBody);
postman.setEnvironmentVariable("token", body.token);
Use the above token in /balance requests as header item:
Authorization: {{token}}
This will make sure all your request have valid token generated on run time.
Normally, /login will send the token in response header so take that response header value and store it as environment variable and use that variable for all subsequent requests.
Token as a response body is bad practice as response body should include only API business logic but your case is to authenticate so it should be a response header or a cookie(correct me if I am wrong).
In postman, if you enable the 'Interceptor' then it will take that cookie by default and use that for all subsequent requests so no need to store that cookie too as a variable.