I'm using AWS API Gateway and it's HTTP Proxy,
I need to pass Authorization header to my endpoint through AWS API Gateway
Things I've tried:
Setting Method Request like so,
Integration Request setup
This doesn't work, my app doesn't receive the Authorization header,
Also I've tried using mapping template
{
"method": "$context.httpMethod",
"body" : $input.json('$'),
"headers": {
#foreach($param in $input.params().header.keySet())
"$param": "$util.escapeJavaScript($input.params().header.get($param))" #if($foreach.hasNext),#end
#end
},
"queryParams": {
#foreach($param in $input.params().querystring.keySet())
"$param": "$util.escapeJavaScript($input.params().querystring.get($param))" #if($foreach.hasNext),#end
#end
},
"pathParams": {
#foreach($param in $input.params().path.keySet())
"$param": "$util.escapeJavaScript($input.params().path.get($param))" #if($foreach.hasNext),#end
#end
}
}
This also doesn't work.
How can this be accomplished?
API Gateway strips the AWS SigV4 Authorization header due to security reasons. If you are using other Authorization mechanism like OAuth, the header wouldn't be stripped.
Recently I had to try using an API Gateway HTTP proxy to pass an AWS SigV4 HTTP request to an endpoint.
After testing and debugging found that the Authorization is being consumed and not passed!
So while sending the request to the API Gateway - I sent Authorization and a copy of the Authorization as another header "myauth". (I was able to do this since the request is coming from my own client.)
In the method request I added Authorization and myauth as HTTP Headers
Method Request - HTTP Headers
In the Integration Request - HTTP Headers I mapped myauth to Authorization before it was forwarded to the endpoint
Integration Request - HTTP Headers
Dont know if this is the best way to do this or if there could be any potential issues but this worked! Hope this helps someone or gives some ideas.
Related
I would like to programmatically register confidential OIDC client (the client is a backend service). I checked the keycloak document about it. And I use the “Initial access token“ approach as recommended.
After I created a "initial access token" on the UI console, I register a new client by:
POST https://my-keycloak-host/auth/realms/MyRealm/clients-registrations/default
Headers: Authorization: Bearer <initial access token>
{ "clientId": "my-client" }
The response contains a registrationAccessToken. But I expect to get a client secret. How can I get it? And what is the usage for that registrationAccessToken?
For some unknown reason Keycloak doesn't set secret properly. But you can define own secret with secret property in the payload (tested with Keycloak 16.1.1), e.g.:
{
"clientId": "my-client",
"secret": "my-secret"
}
Doc:
https://openid.net/specs/openid-connect-registration-1_0.html
https://www.keycloak.org/docs/latest/securing_apps/index.html#_client_registration
This is related to keycloak clients. My frontend is connected to public client and backend is connected to confidential client.
I am able to login, get the code, as I am using response_type=code by turning on "Standard Flow Enabled".
This code redirects and returns me Idtoken, refreshtoken and token.
Now I need to communicate with backend which is confidential, I would like to authenticate user using some of the values which I have received from the frontend client.
How can I do that?
Here is my frontend and backend conf
FRONTEND
{
"realm": "xyz",
"auth-server-url": "http://localhost:8333/auth/",
"ssl-required": "external",
"resource": "frontend-app",
"public-client": true,
"confidential-port": 0,
"enable-cors": true
}
BACKEND
keycloak.auth-server-url=http://localhost:8333/auth
keycloak.realm=xyz
keycloak.resource=backend-app
keycloak.principal-attribute=preferred_username
keycloak.bearer-only=true
keycloak.credentials.secret=xxx-xxx-xxx
this is from realm setting
This might help somebody.
My backend service which is springboot project with spring security keycloakAuthenticationProvider does authenticate the token received from the frontend public client.
Call from frontend
axios({
method: 'GET',
url: '/api/authenticate',
headers:{'Authorization': 'Bearer '+keycloak.token+''}
}).then((r) => {
console.log("response",r)
})
Call to backend
#GetMapping("/api/authenticate")
public ResponseEntity<SecureUserDto> authenticate() {
String username = SecurityContextHolder.getContext().getAuthentication().getPrincipal().toString();
User user = userRepository.findWithPrivilegesByUsername(username);
return ResponseEntity.ok();
}
But i still was not able to get it right on postman at ../token end point provided by keycloak server.
Anyways my work is done.
I Need API to stop the running application, after some search I've found this API
http://apidocs.cloudfoundry.org/263/apps/updating_an_app.html
if I want to test it with postman how can I obtain token and where should I put it inside postman ?
Edit
i've tried like following with postman
Put
https://[api]/v2/apps/211c82e2-7316-45b6-9ae6-1df4dzz74772/stop
Header
Authorization : bearer <token>
"Content-Type":"application/x-www-form-urlencoded"
I got error:
{
"description": "Unknown request",
"error_code": "CF-NotFound",
"code": 10000
}
Any idea?
To get the token you can run cf oauth-token from the CLI.
You can use that token in Postman by adding an 'Authorization' HTTP header.
E.g.
Authorization: bearer token_you_got_by_running_cf_oauth-token
I am trying to get all the issues with respect to a project by exposing the sentry api hosted on a private server but getting below response even after using basic auth.
{
"detail": "Authentication credentials were not provided."
}
And after generating api key, getting invalid key.
Thanks
You should add this header:
header = {'Authorization': 'Bearer TOKEN'}
to your request.
I'm working on a Spring Cloud Zuul gateway to put in front of my spring boot application.
I use basic authorization on the applications side.
When I do a call to the gateway with the proper authorization header I always get 401 Unauthorized
"status": 401,
"error": "Unauthorized",
"message": "Full authentication is required to access this resource"
But when I do the request directly towards the application it works.
Specifying sensitive-headers property without Authorization value in Zuul routes will forward the Authorization header towards the application.
By default it has hese values: Cookie,Set-Cookie,Authorization
bootstrap.yml:
zuul:
ignoredServices: '*'
routes:
application:
path: /application/**
serviceId: application
sensitive-headers: Cookie,Set-Cookie
More info:
https://github.com/spring-cloud/spring-cloud-netflix/blob/master/spring-cloud-netflix-core/src/main/java/org/springframework/cloud/netflix/zuul/filters/ZuulProperties.java#L118