The API:
There is a public API available at https://interviewer-api.herokuapp.com/ that you can use to manage your finances in a very simple way.
The API has 2 endpoints:
/login gives you a token which you need to use in subsequent calls to the API in the Authorization header. Every call returns a new token with some initial transactions and balance.
/balance gives you your current balance along with a currency code.
So what I want to do is that I am sending a POST request for 'login' and getting a token as response. Now I want to use this TOKEN in my next request for 'Balance' as a Header.
So is there a way in SOAP UI and POSTMAN by which I can capture the response and then automatically store it as a header for the next requests so that I do not have to manually do it again and again.
You should do the following:
Execute your /login request to get the token
In the tests sections, do:
var body = JSON.parse(responseBody);
postman.setEnvironmentVariable("token", body.token);
Use the above token in /balance requests as header item:
Authorization: {{token}}
This will make sure all your request have valid token generated on run time.
Normally, /login will send the token in response header so take that response header value and store it as environment variable and use that variable for all subsequent requests.
Token as a response body is bad practice as response body should include only API business logic but your case is to authenticate so it should be a response header or a cookie(correct me if I am wrong).
In postman, if you enable the 'Interceptor' then it will take that cookie by default and use that for all subsequent requests so no need to store that cookie too as a variable.
Related
I have an API (TalkDesk) where when I request a specific report, I need to pass in an Authorization header in my request and then the service will generate the report and respond with a 302 status code which has a Location response header. That Location header contains the link I need to go to in order to bring back the actual report data.
However, in ADF, using a Web Activity, I send my GET request to the API, the API responds, and ADF seems to automatically be following the 302 redirect. When it follows the redirect url, the new url returns an error message because ADF is passing in the original Authorization header and the redirect url responds with "only one Authorization method is allowed". It turns out the redirect url from the Location header comes with an authorization token as a url parameter (X-Amz-Signature).
What I want to do is stop ADF from following the Redirect url so I can capture the original response headers and go to the Location url in a seperate Web Activity.
Is there any way I can tell ADF not to follow Redirects and just give me the original response (vs giving me the response from the second url)?
Hello Pentaho Experts,
I am attempting to make a REST API call through REST Client in Pentaho. I have a Api key for authentication. I tried it in Postman, and it works perfectly fine, but Pentaho throws 403 status code. Below is the postman screenshot:
My Pentaho transformation contains two steps. I am passing URL through "Generate Rows" step and then adding Key and Value in the Header:
Generate Rows:
Rest Client (General):
Rest Client (Header):
Any idea what I might be missing here? Expected output is JSON.
I can't speak to the use of passing key/value in Header for authentication, but what has worked for me is to use the Authentication tab to input my credentials or passing an Authentication header with a bearer token.
Authentication Tab:
I use this method to generate and return a bearer token from the API. The token is then used as the authentication method in subsequent steps. The "body" includes the scope (i.e.: "reports:read") and grant type ("client_credentials"). The "header" contains the value "application/x-www-form-urlencoded".
Authentication Header:
Once a token has been returned from the API, this can be provided in an "authorization" header. Prepend "bearer" to the token value and pass this in the header tab.
I would also recommend looking at the Headers being passed in Postman to ensure you are not missing anything else that might be happening in your call.
I have a flask API, with jwt authentication, on a httponly cookie. I installed interceptor, added the domain(with HTTPS) to the list, and enabled the requests and cookies interception.
but still,
how do I make postman send the cookie I got from logging in to the server? usually, with a simple front-end, it just happens, so I didn't think about it.
all the methods I found in postman documentation, including specifying the value with the token, but I don't have it, since I can't access the httponly cookie. (or can I?)
must I access the cookies? can it be done automatically like simply sending requests from the front-end?
any guidance will be appreciated
After a full evening of research, I did two things to make it work -
in the login request, I added a "test" script(a post-request script in postman), with the following code:
const csrf_token = pm.response.headers.get("set-cookie");
const edited_token = csrf_token.split(/[;=]/)[1];
pm.environment.set("X-CSRF-TOKEN", edited_token);
console.log(csrf_token.split(/[;=]/)[1]);
First, I got the cookie from the response, and then used a regex to separate only the token value, and set it as an environment variable. this way, I could add it as a header later, for accessing protected URLs.
The second step was to add a pre-scrit in any request with a protected URL -
in the pre-request tab, I added the following:
pm.request.headers.add({
key: 'X-CSRF-TOKEN',
value: pm.environment.get("X-CSRF-TOKEN")
});
Which only added the same token I took earlier from the "X-CSRF-TOKEN" environment variable and set it to the header.
Mission accomplished :)
I hope it will help others who bumped into this
I have the following code:
string tokenValue = "221e0a91-6530-4790-a969-d1da75b0afd2";
// Configure httpClient to use the above token.
httpClient.DefaultRequestHeaders.Add("token", tokenValue);
The subsequent calls (HEAD, POST, GET) all work fine.
When I try to do the same thing using Swagger Inspector, it fails. I am able to get a token using Swagger Inspector site, and I place the token into a HEAD call as follows:
But as I said, the call fails, with "Authorization has been denied for this request." message returned as an XML file.
I also tried the two other options available on the same page: Basic Authentication, and OAuth 2.0/JWT, all with HTTPS. They all fail.
How can I go about understanding why it's failing?
Also: Is what I am using above called "Bearer Authentication"?
I have below 2 things to mention from your screenshot:
Response for HEAD method never contains the response body, it always contains the response headers
for more details of HEAD: HEAD Request
But in your case response-body is also present (maybe of CML content type).
You should use OAuth 2.0/JWT option on the same page to pass the token along with your request.
To answer your question related to Bearer Authentication:
No, the one you are trying to use is not at all Bearer Authentication.
In your case, "token" will be considered as Custom/User HTTP Header.
When I'm requesting a token from keycloak I want a specific header value (or extra form data) that was supplied in the request to be put in the JWT payload of the generated token. I've tried using a Script Mapper to get access to header values but I can't see how to get access to header values or data in the form data sent in any of the available script variables: user, realm, userSession, keyclockSession.
You can get access to request headers using keycloakSession object, something like
keycloakSession.getContext().getRequestHeaders().getRequestHeader("User-Agent")
If you check the code for DefaultEvaluationContext class, that is how they add the User-Agent header.