I don't understand why my User Pool will not Authenticate a method in my API.
I've started with the simple petstore example, and added an Authorizer for my user pool. The test button shows that the JWT I have is working. I applied that Authorizer to the POST method on /pets, added Authorization as a request header.
When POST to /pets with postman (or curl), passing the Authorization: Bearer <token> header I always get the response {"message":"Unauthorized"}
I've messed around with creating an Identity pool linked to the User pool, with an Authenticated role that has a policy allowing access to the API Gateway. I've created a group in the User Pool to assign this group.
There's got to be some piece I'm missing. All I want to to allow access to the POST method to any user that presents a valid ID JWT from Cognito.
The policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"execute-api:Invoke"
],
"Resource": "arn:aws:execute-api:us-east-1:*:XXX/*/POST/*"
}
]
}
Which works fine in the simulator. I'm not 100% sure the policy should even be in play though. I'm not clear on how the provided User Pool authenticator would acquire the policy, it wasn't in any docs I saw. I just started throwing darts at the wall.
Would just like to hear that anyone has secured an API Gateway endpoint with a Userpool.
For me works without "Bearer" in the Authorization's header using Postman.
Related
When using Kubernetes Admission Controllers ValidatingWebhookConfiguration, I'd like to skip the interception of internal requests such as Kubernetes Controllers.
More specifically, the only requests that I want the validation webhook to match are users' requests via the Kubctl/API, etc.
Is it possible?
According to Webhook request and response your webhook will receive an AdmissionRequest object which contains UserInfo field. In it, there are fields like Username, Groups and others that might be useful for solving your problem.
...
"userInfo": {
# Username of the authenticated user making the request to the API server
"username": "admin",
# UID of the authenticated user making the request to the API server
"uid": "014fbff9a07c",
# Group memberships of the authenticated user making the request to the API server
"groups": ["system:authenticated","my-admin-group"],
# Arbitrary extra info associated with the user making the request to the API server.
# This is populated by the API server authentication layer and should be included
# if any SubjectAccessReview checks are performed by the webhook.
"extra": {
"some-key":["some-value1", "some-value2"]
}
},
...
We have Auth0 set up with their Lock widget v11 using Implicit Flow in our SPA. We have JWT expiration set to 15 minutes in the Application settings in Auth0 admin portal and we use Silent Authentication in our web app to get a new token periodically.
That flow is working fine and the tokens expire as they should. Our issue is with the userinfo endpoint. The Auth0 Lock widget is doing XHR requests to the userinfo endpoint internally. During a security screening it was discovered that if such a request is recorded by us and then requested again in Postman several hours later the endpoint still responds with user details such as name and email. The bearer token sent in that request is not the same as the one issued with the 15 min expiration time.
This is a security issue for us since it is possible to get basic user info long after the user chose to log out.
In the Auth0 admin portal I have tried setting "Inactivity timeout"/"Require log in after" under Tenant Settings > Advanced to 1 minute. I also tried lowering "JWT expiration" under Application settings. None of these settings is affecting the userinfo request which still responds with user details.
Example of a request to the userinfo endpoint:
GET https://<tenant>.eu.auth0.com/userinfo
Request headers:
Authorization:Bearer <some token with length of 32>
Example of the response:
{
"sub": "auth0|xxxxxxxxxxxxxxxxxx",
"nickname": "John",
"name": "John Doe",
"picture": "xxxxxxxxxxxx",
"updated_at": "2019-08-29T12:32:39.352Z",
"email": "user#example.com",
"email_verified": true
}
Is there any setting that governs the expiration of the bearer token sent to userinfo? Should it not have the same expiration as the application JWT expiration setting?
Unfortunately that token expiration is set for the endpoint and cannot be changed. This doc provides an answer.
https://auth0.com/docs/tokens/guides/access-token/set-access-token-lifetime#access-token-lifetime-for-the-oidc-user-profile-endpoint
So I am testing the REST API's given by uber to implement uber service into my app, while sending a request to one of their api it sends me response massage:
{
"message": "No authentication provided.",
"code": "unauthorized"
}
while iam doing the same request as given in their doc
the request iam creating:
headers:
Authorization: Bearer <TOKEN>
Accept-Language: en_US
Content-Type: application/json
to url https://api.uber.com/v1.2/me
where iam getting wrong and what else do I need to add?
In order to be able to use any Uber API endpoint, you will need to authorize your user and get access_token. From your sample code we can see that you did not follow the instructions on Uber documentation. So to make sure you are following full authentication process like it supposes to be please find below info:
The Authorization Code flow is a two-step authorization process. The first step is having the user authorize your app and the second involves requesting an OAuth 2.0 access token from Uber. This process is mandatory if you want to take actions on behalf of a user or access their information.
The redirect URL "YOUR_REDIRECT_URI" is the URL we will redirect back to after an authorization by the resource owner. The base of the URI must match the redirect_uri used during the registration of your application. If none is provided the default is the first redirect URI provided in the application's dashboard
"YOUR_LIST_OF_SCOPES" is the list of scopes you have requested in the authorizations tab. Based what you want to achieve and what API calls you want to make - you will need the certain scope to be used in your two-step authorization process. You can use multiple scopes as comma delimited list.
Please follow the steps of the authentication guide.
Briefly, you need to:
• Send user to authorize url. It starts by redirecting the user to the authorize endpoint: https://login.uber.com/oauth/v2/authorize?client_id=YOUR_CLIENT_ID&response_type=code&redirect_uri=YOUR_REDIRECT_URI&scope=YOUR_LIST_OF_SCOPES .
• Receive the redirect with an authorization code. After the user approves the scopes the user will be redirected to the redirect_uri with an auth code that you can post to the /v2/token endpoint to receive an access token.
• Make a POST call to: 'https://login.uber.com/oauth/v2/token'. This call will return access_token and refresh_token.
• After you get your access_token you can use it in the API's endpoints
We are using AWS Cognito (Federated Identities) in order to provide login via facebook and google+.
We are facing the following challenge. Our company is providing different apps, that interact with each other, so that we would like to have authenticated users to have one identity inside of one cognito identity pool. And to make use of the sync store cross apps.
For cognito you can only choose one audience (client-id/app-id) for each IdP, when using the AWS console. It would make sense for us, to associate many facebook audiences and google+ audiences with that one cognito setup.
We figured out how to setup many google+ audiences, by creating google+ as IdP via IAM. Which works perfectly fine for us.
We are struggling to figure out a way how to configure many facebook audience via IAM-IdP or any other way.
Well, facebook is no open-id-connect provider, and that seems to be the issue. But I kind of don't want to accept this.
Does one of you know how to configure multiple facebook apps to be associated with one cognito identity pool. Workaround are very welcome.
One additional information: It would be OK for us to use one global facebook app, e.g. 'OurCompany - Network', that would do the trick. The blocker for this is, that it would block us from doing facebook-campaigns with installation tracking. If you know a workaround for this, is also a welcome solution.
I did this by using multiple pools, and then allowing both pools at the role level. That means my Trust Relationships for that role look like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "cognito-identity.amazonaws.com"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"ForAnyValue:StringEquals": {
"cognito-identity.amazonaws.com:aud": [
"<first cognito pool>",
"<second cognito pool>"
]
},
"ForAnyValue:StringLike": {
"cognito-identity.amazonaws.com:amr": "authenticated"
}
}
}
]
}
One workaround is to use Developer Authenticated Identities. You will need to validate the Facebook token yourself in this case.
In a project I am using Authentication multiple times for different providers, so I am relying on standard libraries.
I want to establish connection with Facebook yet it provides not completely standard authorization.
To test the connection I am using REST Console in Authorization part of it I place a key and secret and for
Authorize URL I provide https://graph.facebook.com/oauth/authorize
Access token URL - https://graph.facebook.com/oauth/access_token
Request token URL I leave empty or fill it with https://graph.facebook.com/
And what I get bck looks like this:
{
"error": {
"message": "Expected 1 '.' in the input between the postcard and the payload",
"type": "OAuthException",
"code": 1
}
}
So my question is how to get authenticated forming standard OAuth calls?
EDIT
For the moment (testing stage) I found that data can be retrieved using no standard authentication but access_token with appropriate values. Yet sending http request with api key and secret exposed in the request url can not be the right way of ding it.