Username and password in REST services - rest

When calling GET /api/token for login, where to put the username and password?
URL parameters or header?
I'm confused, because I read that the token should go into a header when I request some other data later.
(I'm writing an API myself, I'm not using someone else's.)

Login should be a POST request (you create a token). That way you could send the username and password in the body of the request.
POST /app/token HTTP/1.1
username=example&password=example
If credentials are correct, the request could return the token in the body.
HTTP/1.1 201 Created
Content-Type: application/json
{
"token": "example"
}
You can then store this token on the client side (for example in local storage) and send it in the header for subsequent requests.
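As an added illustration of the exchange in this answer (this is example code, not the asker's API or anything from the original thread), the following Python stdlib server issues a token on POST /api/token from form-encoded credentials, refuses GET on that path, and requires the token in the Authorization header for everything else; the demo user, password and paths are constructed for the example.

```python
import json, secrets, threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs
USERS = {"example": "example"}  # constructed demo credentials, not a real user store
TOKENS = set()                  # in-memory set of issued tokens

class TokenApi(BaseHTTPRequestHandler):
    def log_message(self, *_):  # silence per-request logging in the demo
        pass
    def _send(self, status, payload):
        body = json.dumps(payload).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def do_POST(self):  # POST /api/token creates a token from form-encoded credentials
        if self.path != "/api/token":
            return self._send(404, {"error": "not found"})
        form = parse_qs(self.rfile.read(int(self.headers.get("Content-Length", 0))).decode())
        user, password = (form.get(k, [""])[0] for k in ("username", "password"))
        # compare_digest keeps the check constant-time; token_urlsafe(32) gives 256 random bits
        if user in USERS and secrets.compare_digest(USERS[user], password):
            token = secrets.token_urlsafe(32)
            TOKENS.add(token)
            return self._send(201, {"token": token})
        self._send(401, {"error": "invalid credentials"})
    def do_GET(self):  # every other endpoint expects "Authorization: Bearer <token>"
        if self.path == "/api/token":
            return self._send(405, {"error": "use POST to create a token"})
        scheme, _, token = self.headers.get("Authorization", "").partition(" ")
        if scheme == "Bearer" and token in TOKENS:
            return self._send(200, {"data": "hello"})
        self._send(401, {"error": "missing or invalid token"})

def run_demo():
    # Start the API on a random loopback port, log in, then call /api/data with and without the token.
    srv = HTTPServer(("127.0.0.1", 0), TokenApi)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    conn = HTTPConnection("127.0.0.1", srv.server_port)
    conn.request("POST", "/api/token", body="username=example&password=example",
                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    login = conn.getresponse(); token = json.loads(login.read())["token"]
    conn.request("GET", "/api/data", headers={"Authorization": "Bearer " + token})
    with_token = conn.getresponse(); with_token.read()
    conn.request("GET", "/api/data")
    without = conn.getresponse(); without.read()
    srv.shutdown(); srv.server_close()
    return login.status, with_token.status, without.status  # (201, 200, 401)
```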

OAuth token with basic POST request

I need to get an OAuth token using a simple POST request.
In Postman, we configure OAuth tokens via the following configuration:
When I click "Get New Access Token", Postman makes a request against the Access Token URL.
How does one see what that request looks like? Are these parameters (client id, client secret, etc.) placed in a POST body? What are the headers? I'd like to see the request structure in plain text.
Essentially I need to emulate this request in a script, where I have to include the credentials in the body itself, where the body would look something like this:
{
"Access_Token_URL":"myURL",
"Client_ID":"myClientId",
"Client_Secret":"myClientSecret",
"Scope":"myScope"
}
That request follows the OAuth 2.0 specification, using the client_credentials grant, and it will use an Authorization Basic header to authenticate the client; so its body will look like this:
POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic bXlDbGllbnRJZDpteUNsaWVudFNlY3JldA
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials&scope=MyScope
Where bXlDbGllbnRJZDpteUNsaWVudFNlY3JldA is the Base64-encoded value of myClientId:myClientSecret.
Note that the Content-Type is application/x-www-form-urlencoded.
Also note that what Postman calls the Access Token URL is actually named Token Endpoint in the OAuth 2.0 terminology.
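To make the encoding in this answer concrete, here is an added Python example (not from the original thread or from Postman) that builds the client_credentials request with the HTTP Basic header, plus the matching server-side decoder; it also shows that the spec form-encodes client_id and client_secret before Base64, and that the Base64 value carries the "==" padding the answer's example omits.

```python
import base64
from urllib.parse import quote, unquote, urlencode

def client_credentials_request(client_id, client_secret, scope=None):
    """Headers and form body for an RFC 6749 client_credentials token request
    that authenticates the client with HTTP Basic (what Postman sends)."""
    # RFC 6749 s2.3.1: client_id and client_secret are form-urlencoded *before*
    # being joined with ':' and Base64-encoded, so a ':' or '@' in a secret survives.
    raw = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}".encode()
    headers = {
        # b64encode emits the '=' padding that RFC 7617 (via RFC 4648 s4) requires
        "Authorization": "Basic " + base64.b64encode(raw).decode(),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    form = {"grant_type": "client_credentials"}
    if scope:
        form["scope"] = scope
    return headers, urlencode(form)

def parse_basic_header(value):
    """Server side: recover (client_id, client_secret) from an Authorization header.
    Missing padding is tolerated so the unpadded value shown in the answer decodes too."""
    scheme, _, cred = value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    decoded = base64.b64decode(cred + "=" * (-len(cred) % 4)).decode()
    cid, _, secret = decoded.partition(":")
    return unquote(cid), unquote(secret)
```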

Getting "403" error while registering an Outgoing Webhook via PostMan

URL:
https://circuitsandbox.net/rest/v2/webhooks
My headers:
Content-Type: application/x-www-form-urlencoded
Authorization: Bearer ot-xxxxxxxxxxxx
Body:
url - Some URL
filter - CONVERSATION.CREATE
Error I am getting:
"The permission to access this resource is not granted. Scopes ::= [ALL, READ_CONVERSATIONS, READ_USER]"
Plus, if I want to send extra filters, will they be comma-separated values?
If you are getting a 403, I would suspect a scope error (as mentioned by Roger) or an authentication problem.
For the first, please show us which scopes are currently selected for the application; for authentication, can you check whether you can make other API calls successfully?
Here is what it looks like in Postman
Make sure your app registration contains the scopes that your app is asking for. For a simple outgoing webhook registration you would only need the scope READ_CONVERSATIONS.
See https://github.com/circuit/circuit-REST-bot/blob/master/app.js for an example on how to register for a webhook. This example registers for CONVERSATION.ADD, but CONVERSATION.CREATE is very similar.
If you still have problems please post a code example, or even a link to an app on repl.it.
Here is an example HTTP request to register the webhook. Note that the body is sent as text/plain (which is the default and its header can be omitted). Also note that the callback url is http. https is not yet supported.
POST https://circuitsandbox.net/rest/v2/webhooks HTTP/1.1
Host: circuitsandbox.net
Content-Type: text/plain
Authorization: Bearer <token>
url=http://90587c6d.ngrok.io/webhook&filter=CONVERSATION.CREATE
and here is a curl command
curl -X POST https://circuitsandbox.net/rest/v2/webhooks -H "Authorization: Bearer <token>" -d "url=http://90587c6d.ngrok.io/webhook&filter=CONVERSATION.CREATE"

How can I extract the value of the 'response' from a request and then use it in subsequent requests as Header in SOAPUI and POSTMAN for rest api

The API:
There is a public API available at https://interviewer-api.herokuapp.com/ that you can use to manage your finances in a very simple way.
The API has 2 endpoints:
/login gives you a token which you need to use in subsequent calls to the API in the Authorization header. Every call returns a new token with some initial transactions and balance.
/balance gives you your current balance along with a currency code.
So what I want to do is that I am sending a POST request for 'login' and getting a token as response. Now I want to use this TOKEN in my next request for 'Balance' as a Header.
So is there a way in SOAP UI and POSTMAN by which I can capture the response and then automatically store it as a header for the next requests, so that I do not have to do it manually again and again?
You should do the following:
Execute your /login request to get the token
In the tests sections, do:
var body = JSON.parse(responseBody);
postman.setEnvironmentVariable("token", body.token);
Use the above token in /balance requests as header item:
Authorization: {{token}}
This will make sure all your requests have a valid token generated at run time.
Normally, /login will send the token in a response header, so take that response header value, store it as an environment variable and use that variable for all subsequent requests.
A token in the response body is bad practice, as the response body should include only API business logic, but your case is authentication, so it should be a response header or a cookie (correct me if I am wrong).
In Postman, if you enable the 'Interceptor' then it will take that cookie by default and use it for all subsequent requests, so there is no need to store that cookie as a variable either.

Why do we prefer Authorization Header to send bearer token to server over other techniques like URL encoding

Why is the Authorization header mostly used to send a bearer token to the server? Why don't we send our authorization token as a URL parameter or post it as a JSON payload with the request body?
Headers are perfect for holding this data; they are independent of the request type.
You could send the Authorization token in the body, and even everything else like Content-Type, Content-Length and cache headers too, but different request types (POST, GET, ...) can have different request body formats. GET sends data using query parameters; POST/PUT send it encoded in the body (with Content-Type: application/x-www-form-urlencoded to make the server aware of the incoming data format), as Content-Type: application/json with JSON in the body, as XML, and so on. Things get more complicated with multipart requests (check this https://stackoverflow.com/a/19712083/1017363).
So as you can see, an authorization token in the body or query makes things more complicated on the client and server side. The client would have to know how to "fit" the authorization token into every request, and the server would have to know how to read this value.

POST request as URL string?

I have an application that can do POST and GET requests if I pass them as a String.
I'm trying to hit some Google APIs and am getting stuck trying to make the refresh_token POST request.
The format that google wants is:
POST /o/oauth2/token HTTP/1.1
Host: accounts.google.com
Content-Type: application/x-www-form-urlencoded
client_id={client_id}&
client_secret={client_secret}&
refresh_token=1/6BMfW9j53gdGImsiyUH5kU5RsR4zwI9lUVX-tqf8JXQ&
grant_type=refresh_token
My question is: can I make this POST request as a string if the client_id, client_secret and refresh_token are URL-encoded?
Like this:
https://accounts.google.com/o/oauth2/token?client_id={client_id}&client_secret={secret}&refresh_token=1%26BMfW9j53gdGImsiyUH5kU5RsR4zwI9lUVX-tqf8JXQ&grant_type=refresh_token
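The question has no answer on this page, so as an added example (not from the original thread or from Google) the Python below builds the refresh_token request the way RFC 6749 describes, with the parameters form-encoded in the POST body rather than the URL, and decodes both that body and the hand-encoded query string from the question to show what a server would actually receive: "%26" is "&", not "/". The client id and secret are placeholders; the endpoint URL and refresh token are the ones quoted in the question.

```python
from urllib.parse import parse_qs, urlencode

TOKEN_URL = "https://accounts.google.com/o/oauth2/token"
REFRESH_TOKEN = "1/6BMfW9j53gdGImsiyUH5kU5RsR4zwI9lUVX-tqf8JXQ"  # value from the question

def build_refresh_request(client_id, client_secret, refresh_token):
    """Return (method, url, headers, body) for an RFC 6749 refresh_token grant.
    The secrets travel in the POST body, not the query string, so they stay out
    of access logs, proxy logs, browser history and Referer headers."""
    body = urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": refresh_token,  # '/' is encoded as %2F; '&' would be %26
        "grant_type": "refresh_token",
    })
    return "POST", TOKEN_URL, {"Content-Type": "application/x-www-form-urlencoded"}, body

def decode_form(encoded):
    """What the server does with a query string or form body: split on '&' and '='
    first, then percent-decode each piece."""
    return {k: v[0] for k, v in parse_qs(encoded, keep_blank_values=True).items()}
```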