I have been working on my server in Symfony 2.8, building a rest api which returns json objects in camelCase style, the problem now is that when I integrate the OauthServer bundle it lauches this error Invalid grant_type parameter or parameter missing", I understand that this happens because I am using the array_normalizer: fos_rest.normalizer.camel_keys body listener in my fos_rest configuration. Here my code in configuration.yml:
fos_rest:
#other listeners#
body_listener:
array_normalizer: fos_rest.normalizer.camel_keys
zone:
- { path: ^/api }
And here my Oauth configuration in the security.yml:
firewalls:
oauth_token:
pattern: ^/oauth/v2/token
security: false
api:
pattern: ^/api
fos_oauth: true
stateless: true
anonymous: false
I found out I was not the first person who this ever happened, and that the zone attribute was added to mitigate this, but in my case it does work only with everything under the ^/api because when I change the pattern it stops using the listeners as expected but when I call the ^/oauth/v2/token path it seems to ignore the zone given path.
To retrieve my token, I am using the next POST request:
{
grant_type= "password"
client_id= "clientId"
client_secret= "clientSecret"
username= "user"
password= "password"
}
I want to clarify that if I deactivate the listener I obtain the token successfully, but the rest of my app stops working because it uses camelCase everywhere, I know that once alternative would be to serialize my data in the client side, but it is quite complicated at the moment.
What am I doing wrong? I can't figure out what I am missing.
as workaround you can use instead of POST, GET like this
http://example.com/oauth/v2/token?client_id=[CLIENT_ID]&client_secret=[SECRET]&grant_type=password&username=[USERNAME]&password=[PASSWORD]
Then you don`t have to worry about body serializers.
Related
I need to make proxy pass application with jwt auth.
User storage server is also in another location. The question is - how to combine it together?
My input method is json; for now I'm using native configuration:
login:
pattern: ^/api/login
stateless: true
json_login:
check_path: /api/login_check # or api_login_check as defined in config/routes.yaml
success_handler: lexik_jwt_authentication.handler.authentication_success
failure_handler: lexik_jwt_authentication.handler.authentication_failure
provider: app_user_provider
custom_authenticators:
- App\Security\Guard\Authenticator
I made own Authenticator which makes API REST Request and returns User object.
Than I thought, I need make own Passport and Badge class to force passing User Entity without password validation:
public function authenticate(Request $request): Passport
{
$data = json_decode($request->getContent());
if( !isset($data->username) || !isset($data->password))
throw new CustomUserMessageAuthenticationException('No API token provided');
$result = $this->remoteAuth->getUser($data->username, $data->password);
//return new SelfValidatingPassport(new UserBadge($data->username));
$result->setPassword($data->password);
$pass = new RemotePassport(new RemoteBadge($result));
return $pass;
}
Unfortunately, while my authenticator works fine, but then another native Symfony native JsonAuhenticator comes as a second, and returns password verification exception.
Can you tell me, how to handle it? How to disable this another checking? Should I make own loginAction? Somehow disable native checker on Content-Type: application/json? Please help.
New to TCL and having an issue with using the ::rest::simple url query ?config? ?body? command - specifically getting basic authentication to work. The example given here (https://core.tcl-lang.org/tcllib/doc/tcllib-1-18/embedded/www/tcllib/files/modules/rest/rest.html#section4) is as follows:
set url http://twitter.com/statuses/update.json
set query [list status $text]
set res [rest::simple $url $query {
method post
auth {basic user password}
format json
}]
So my attempt is:
package require rest
package require json
set url http://0.0.0.0:5000/api/id
set response [rest::simple $url {
method get
auth {basic user password}
format json
}]
puts $response
However, I keep getting a 401 error when I try and run the above against a mock API endpoint for GET:
"GET /api/id?auth=basic%20user%20password&method=get&format=json HTTP/1.1" 401 -
I can make a curl request against that same endpoint using basic auth (with Python as well), and if I disable basic auth on the endpoint this works just fine in TCL:
set url http://0.0.0.0:5000/api/id
set response [rest::simple $url {
method get
format json
}]
puts $response
So it's something to do with the basic auth credentials in the TCL rest module.
Thanks to Shawn's comment pointing out I was misreading the meaning of ? in TCL docs. Parameters surrounded by question marks are optional, rather than parameters followed by question marks. I was interpreting ::rest::simple url query ?config? ?body? as meaning the query param was optional. If there is no query, you can use an empty query as the required parameter. This ended up working:
set response [rest::simple $url {} {
method get
auth {basic user password}
format json
}]
I'm trying to create OpenTok session by Rest services with JWT object as suggested. I tried to generate session with Fiddler.
Here is my fiddler request (JWT string has been changed with *** partially for security reasons)
POST https: //api.opentok.com/session/create HTTP/1.1
Host: api.opentok.com
X-OPENTOK-AUTH: json_web_token
Accept: application/json
Content-Length: 172
eyJ0eXAiOiJKV1QiL******iOiJIUzI1NiJ9.eyJpc3MiOjQ1NzM******OiJkZW5l******XQiOjE0ODI3OTIzO***SOMESIGNEDKEYHERE***.izvhwYcgwkGCyNjV*****2HRqiyBIYi9M
I got 403 {"code":-1,"message":"Invalid token format"} error probably means my JWT object is not correct. I tried creating it using http://jwt.io (as opentok suggests) and other sites and all seems correct and very similar to the one on tokbox (opentok) site.
I need an explanation to fix it and create a session.
May it be because I am using opentok trial?
JWT creation Parameters
I had the same problem. I resolved the error by setting the correct key-value pairs for the payload part.
Example of my payload is as follows in C#:
var payload = new Dictionary<string, object>()
{
{ "iss", "45728332" },
{ "ist", "project" },
{ "iat", ToUnixTime(issued) },
{ "exp", ToUnixTime(expire) }
};
The value of the "ist" should be set to "project", not the actual name of your project.
Update: Looking at your screenshot, I can say you have not set the secret key (here, it's your ApiKeySecret from TokBox account > project) at the very bottom right.
OK I have found the answer at last,
Your Opentok API Secret key should not be used directly as Sign parameter. In java as shown below, it should be encoded first.
Base64.encodeToString("db4******b51a4032a83*******5d19a*****e01".getBytes(),0)
I haven't tried it on http://jwt.io and fiddler but it seems it will work on it too. Thanks. Full code is below;
payload = Jwts.builder()
.setIssuedAt(currentTime)
.setIssuer("YOUR_OPENTOK_KEY")
.setExpiration(fiveMinutesAdded)
.claim("ist", "project")
.setHeaderParam("typ","JWT")
.signWith(SignatureAlgorithm.HS256, Base64.encodeToString("YOUR_OPENTOK_SECRET".getBytes(),0))
.compact();
return payload;
My original post is here
I am trying to protect a set of REST endpoints with Shiro. My theory is that if I pass a JWT with my REST request, that I can use Shiro (via annotations) to secure my endpoints.
I've create my endpoints like this (for example):
#GET
#Produces(MediaType.APPLICATION_JSON)
#Path("status/{companyId}")
#RequiresAuthentication
#RequiresRoles("SomeRole")
public Response getStatus(#PathParam("companyId") int companyId){
... do stuff ...
}
I'm expecting that if I call the endpoint without authenticating, I will get a HTTP 401 error. However, the method is called successfully if the JWT is not supplied as it would be when there is no security on it at all.
I assume then that my Shiro config is incorrect. Since this is strictly a 'backend' application, I have no use for the Shiro/Stormpath configurations that apply to anything 'front-end' related (such as loginURLs, etc.)
Here is my shiro.ini :
[main]
#ERRORS IF UNCOMMENTED
#cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
#securityManager.cacheManager = $cacheManager
#stormpathClient.cacheManager = $cacheManager
# NOT NEEDED?
#sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
#securityManager.sessionManager = $sessionManager
#securityManager.sessionManager.sessionIdCookieEnabled = false
#securityManager.sessionManager.sessionIdUrlRewritingEnabled = false
[urls]
/** = rest
This configuration lets every request through (as described above).
If I uncomment the [main] section, I get IllegalArgumentException: Configuration error. Specified object [stormpathClient] with property [cacheManager] without first defining that object's class. Please first specify the class property first, e.g. myObject = fully_qualified_class_name and then define additional properties.
What I need to figure out is what is the correct minimum Shiro configuration for REST endpoints (and ONLY REST endpoints) so I can allow access with a JWT.
Thanks for any help.
I'm guessing the annotations are not being processed by anything at runtime. You will need to tell your JAX-RS app to process them.
I've done this with this lib in the past:
https://github.com/silb/shiro-jersey/
Specifically something like this:
https://github.com/silb/shiro-jersey/blob/master/src/main/java/org/secnod/shiro/jersey/AuthorizationFilterFeature.java
As for the second part of the problem, my only guess is Stormpath/Shiro environment is not setup correctly.
Did you put filter config in your web.xml or is all of the config loaded from the servlet fragment?
I have implemented passport-local strategy and passport-bearer strategy.
When user logins with username/password credentials, I generate JSON Web Token which returns to requester. On each request I get access_token from query, decode this token from JWT to object and make bearer authorization implemented in /api/policies. And all auth works fine.
But when I provide this access_token to RESTful route i.e. user I got empty array.
The problem, that Sails accepts access_token as criteria.
Example:
GET /user ## Forbidden
GET /user?access_token=<token> ## Empty array
How can I disable or fix it?
You would probably be better off sending your access token in a header than in the URL. But if what your asking is how to blacklist a certain property from being used as criteria in a blueprint route, it can be done in the following way in your config/routes.js file:
"GET /user": {blueprint: "find", criteria: {blacklist: ["access_token"]}}
This will override the default blacklist, so you may want to include those defaults in your custom array:
"GET /user": {
blueprint: "find",
criteria: {
blacklist: ["access_token", "limit", "skip", "sort", "populate"]
}
}