Linkedin Authorization Issue - rest

I am able to get the oauth_token and oauth_token_secret from LinkedIn's authorization APIs.
But I am not sure how this can be used to generate the "oauth2_access_token" parameter for calling any LinkedIn API.
Using the header "Authorization: Bearer {access_token}" doesn't work and gives an error.

The oauth_token and oauth_token_secret can be leveraged in OAuth 1.0a flows towards LinkedIn, e.g. you can now send a user off to the LinkedIn authorization endpoint using:
"https://api.linkedin.com/uas/oauth/authorize?oauth_token=" . $oauth_token
If you want to leverage OAuth 2.0 you need to follow a different path that is described here: https://developer.linkedin.com/docs/oauth2 and you would not use oauth_token and oauth_token_secret, but rather the Consumer Key and the Consumer Secret.

How to use cognito id token as authorization header for API gateway?

I have an API http gateway (at say https://example.com) integrated with an API REST gateway which uses a Cognito authorizer. All of this to serve a single-page React application. The behaviour is as expected:
I launch the Cognito hosted UI and sign in,
It redirects to the url https://example.com/#id_token=123
If I use PostMan, I can access that url if I pass that id_token in the Authorization header.
Now my question is: how can I pass the header automatically after signing in so I can visit https://example.com?
I have spent a long time on this and have found many similar posts without an answer:
How to use the code returned from Cognito to get AWS credentials?
How can I link cognito token and API authentication header automatically?
AWS Cognito hosted UI returning id_token in URL
How can I make the redirect_uri of AWS Cognito (Hosted UI) authenticated?
Set Authorization header when redirecting client from Cognito to AWS API Gateway
How do I handle a Cognito auth redirect for a Lambda / API Gateway for UI?
We faced the same question a couple of years ago. Our solution was creating a proxy (using API Gateway and Lambda) that "moved" the id_token (stored in a cookie) to the Authorization header for every request to the server. It was ugly, but it worked.
BTW, getting id_token in the URL is how Implicit Grant works. But Implicit Grant is generally considered less secure than Authorization Code Grant. We have since migrated from Implicit Grant to Authorization Code Grant. However, we continue to use the proxy pattern (again using API Gateway and Lambda) as follows.
Exchange the returned code for access_token and id_token at the Cognito user pool's token endpoint. Store the tokens in a DynamoDB table with session_cookie as the partition key. Return the session_cookie as a cookie (with HttpOnly, Secure and SameSite=Strict) to the browser.
For each request from the browser, use the cookie to find the token in the DynamoDB table and put the token in the Authorization header.
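The proxy pattern from the answer above, as an added example that is not the answerer's code: an in-memory dict stands in for the DynamoDB table keyed by session_cookie, and `forward` is a hypothetical stand-in for the request sent on to the protected API.

```python
import secrets
from http.cookies import SimpleCookie

SESSION_COOKIE = "session_cookie"  # cookie name, as in the answer
TOKEN_TABLE = {}  # stands in for the DynamoDB table; partition key = session_cookie value


def store_tokens(id_token, access_token):
    """Called after exchanging the code at the Cognito token endpoint: keep the
    tokens server-side and hand the browser only an opaque, random session id."""
    session_id = secrets.token_urlsafe(32)
    TOKEN_TABLE[session_id] = {"id_token": id_token, "access_token": access_token}
    return session_id


def set_cookie_header(session_id):
    # HttpOnly keeps the id out of reach of page scripts, Secure restricts it to
    # HTTPS, SameSite=Strict stops the browser sending it on cross-site requests.
    return f"{SESSION_COOKIE}={session_id}; Path=/; HttpOnly; Secure; SameSite=Strict"


def proxy_request(event):
    """Lambda-style handler: resolve the cookie to a stored token, attach the
    token as the Authorization header the Cognito authorizer expects, forward."""
    headers = event.get("headers", {})
    jar = SimpleCookie()
    jar.load(headers.get("cookie", ""))
    morsel = jar.get(SESSION_COOKIE)
    entry = TOKEN_TABLE.get(morsel.value) if morsel else None
    if entry is None:
        # Unknown or missing session: never forward; the browser must sign in again.
        return {"statusCode": 401, "body": "sign in required"}
    # Strip the session cookie so it never reaches the upstream API.
    upstream_headers = {k: v for k, v in headers.items() if k.lower() != "cookie"}
    # Raw id_token, which is what the questioner's Postman test sent.
    upstream_headers["Authorization"] = entry["id_token"]
    return forward({"path": event.get("path", "/"), "headers": upstream_headers})


def forward(upstream_request):
    # Hypothetical stand-in for the call to the protected API: echoes the headers
    # that would be sent so the mapping can be inspected.
    return {"statusCode": 200, "forwarded_headers": upstream_request["headers"]}
```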

What is the advantage of a custom API in Auth0?

Question
I have a problem understanding some basic thing about Auth0; probably someone can help me out.
In the tutorial SPA + API, one of the first lines in the TL;DR is this:
Both the SPA and the API must be configured in the Auth0 Dashboard
I don't understand why I need to configure the API on Auth0. My code seems to work, so can anyone help me understand if I am doing something wrong, or what the advantages are if I actually add a custom API in my dashboard?
Setup
SPA (React)
Auth0
REST API (ktor)
What I do
Created a SPA on Auth0
Log in on my SPA through Auth0 to get a JWT (Google token)
Sending the JWT as authentication bearer in my calls to the REST API
REST API verifies the JWT token with a JWK provider using the Auth0 url mydomain.eu.auth0.com/.well-known/jwks.json.
Authentication seems to work
Great question. I am assuming that your authentication request includes the audience parameter, which represents your custom API (REST API) right now. In OAuth2 terms, it is called a Resource Server. Each resource server can have many permissions, which you include in the scope when initiating the authentication request. Let's step back and talk about the token format. Auth0 issues tokens in two formats:
Opaque strings: When not using a custom API
JSON Web Tokens (JWTs): When using a custom API
https://auth0.com/docs/tokens/reference/access-token/access-token-formats#how-does-all-this-affect-the-token-format-
As explained in the link above, the token format depends on the audience (custom API) parameter. Therefore, when the authentication request includes audience, Auth0 issues a JWT token with all necessary permissions. Then, you need to validate the JWT token in your API server before returning the resources to your front-end client.
It should make sense why you need to create a custom API in Auth0 and define permissions. If you do not create a custom API in Auth0, there is no way to know what kind of permission you need in the token, which will generate an error (invalid audience specified).

Github API authentication with OAuth (and MFA)

I am working with a GitHub Enterprise server. I am using Postman in an attempt to hit the API. No matter what I've tried, I get a "Sign in via LDAP" HTML page returned with a 200 status code. Not exactly what I was hoping for.
Important background:
MFA is enabled
OAuth token is a personal access token with all the scopes
I have attempted passing in the token as a URL parameter:
https://api.github.mycompany.com/repos/MyOrg/myrepo?access_token=MY_OAUTH_TOKEN
I have attempted passing in the token as an Authorization header 3 different ways:
Authorization: MY_OAUTH_TOKEN
Authorization: token MY_OAUTH_TOKEN
Authorization: Bearer MY_OAUTH_TOKEN
From what I glean from the docs, my OAuth token should be sufficient, meaning that I don't need to send any sort of MFA code. Am I wrong? What do I need to do to get real results, rather than the LDAP login page?

Adding OAuth to a rest api for testing

So I am testing the REST APIs given by Uber to implement the Uber service in my app. While sending a request to one of their APIs it sends me the response message:
{
"message": "No authentication provided.",
"code": "unauthorized"
}
while I am doing the same request as given in their docs.
The request I am creating:
headers:
Authorization: Bearer <TOKEN>
Accept-Language: en_US
Content-Type: application/json
to url https://api.uber.com/v1.2/me
Where am I going wrong, and what else do I need to add?
In order to be able to use any Uber API endpoint, you will need to authorize your user and get an access_token. From your sample code we can see that you did not follow the instructions in the Uber documentation. So to make sure you are following the full authentication process as it is supposed to be, please find the info below:
The Authorization Code flow is a two-step authorization process. The first step is having the user authorize your app and the second involves requesting an OAuth 2.0 access token from Uber. This process is mandatory if you want to take actions on behalf of a user or access their information.
The redirect URL "YOUR_REDIRECT_URI" is the URL we will redirect back to after an authorization by the resource owner. The base of the URI must match the redirect_uri used during the registration of your application. If none is provided the default is the first redirect URI provided in the application's dashboard
"YOUR_LIST_OF_SCOPES" is the list of scopes you have requested in the authorizations tab. Based on what you want to achieve and what API calls you want to make, you will need certain scopes to be used in your two-step authorization process. You can use multiple scopes as a comma-delimited list.
Please follow the steps of the authentication guide.
Briefly, you need to:
• Send the user to the authorize URL. It starts by redirecting the user to the authorize endpoint: https://login.uber.com/oauth/v2/authorize?client_id=YOUR_CLIENT_ID&response_type=code&redirect_uri=YOUR_REDIRECT_URI&scope=YOUR_LIST_OF_SCOPES
• Receive the redirect with an authorization code. After the user approves the scopes the user will be redirected to the redirect_uri with an auth code that you can post to the /v2/token endpoint to receive an access token.
• Make a POST call to: 'https://login.uber.com/oauth/v2/token'. This call will return access_token and refresh_token.
• After you get your access_token you can use it in the API endpoints.

two level authentication test

The app we have has two levels of authentication. First it authorizes the user with a Basic token. This authentication generates a bearer token (session specific). The user can use this bearer token for various transactions in the app.
Flows:
user authentication at auth.xxxx.com with Basic token
user then redirected to api.xxx.com to do various transactions - uses bearer token generated from 1
I am not understanding how I could use the basic / bearer session token with any of the available tools; I have tried it in Postman and HP's UFT.
The situation aptly described here from a developer standpoint: How to implement two level authentication in a RESTful API?
I had to capture the passKey using a JSON Extractor and then use a RegEx Extractor to get the bearer token. NO programming was required.